Master's thesis on distroless and other component reduction methods


Michael Wager

Jun 14, 2023, 7:05:22 AM
to Distroless Users
Hi everyone,

I am starting to write a thesis on evaluating the security of software containers through reduction of potentially vulnerable components. Of course distroless will be part of it.

I am working as part of a product security team in a large enterprise and our scanners mostly find a lot. That's why we went deep into distroless and are currently recommending it in order to reduce findings. In the literature I read a lot that this will reduce the attack surface. Nevertheless, in the evening I am wrapping my head around the question of whether this really leads to more secure images. Lots of scanner findings are not exploitable in the context of certain apps anyway, I suppose.

Currently I am doing some research on related work. Does anyone know any (scientific) work on evaluating the concepts? Like comparing the findings of a group of container images based on different runtimes (java, python, go..) from "before" default images to "later" distroless images.

Or work on categorizing container scanner findings and studies of actual exploitation of certain findings...

The goal should be e.g. to make better statements on accepting risks (scanner findings).

Appreciate any input 😊
Kind regards
Michael

Mohannad Alhanahnah

Jun 14, 2023, 11:02:00 PM
to Distroless Users
Hi Michael,

Interesting topic.
Not quite sure if these papers satisfy your needs, but I thought they might be useful.

Feel free to reach out if you have any questions.

Mohannad

Evan Jones

Jun 15, 2023, 8:17:26 AM
to distrole...@googlegroups.com
Interesting question. I don't have any references, but I always assumed that in terms of security, the advantage is reducing what an attacker might be able to do, *after* they find a vulnerability in the application. For example, it is likely harder to use "off the shelf" scripts to get a shell if you don't have a shell in the image at all. However, I don't have any "evidence" that this is true for you.

I personally find the image size to be a real advantage. It makes uploading, deploying, dynamically scaling up, etc. noticeably faster.

Evan


Michael Wager

Apr 30, 2024, 4:30:39 AM
to Distroless Users
I released the paper, if someone is interested :)