WWW2025
Dr. Docker: A Large-Scale Security Measurement of Docker Image Ecosystem
Hequan Shi, Lingyun Ying, Libo Chen, Haixin Duan, Ming Liu, Zhi Xue
Cited 1 time
Abstract
Docker has transformed modern software development, enabling the widespread reuse of containerized applications. Currently, Docker images are primarily distributed through centralized registries, among which Docker Hub is the largest, allowing developers to share and reuse images easily. The threats within these images also spread through the supply chain via dependency relationships, posing risks to anyone using the image and to all images built on top of it. However, it is unclear to what extent the threats within Docker images are distributed and propagated. In this paper, we investigate five potential security risks in Docker images and propose a security analysis framework, DITector, based on these security issues. We then use DITector to conduct a large-scale security measurement of the Docker image ecosystem. We collect descriptions of over 12 million image repositories from Docker Hub, construct an image dependency graph based on the layer information of the images, and select two sets of influential images based on their pull counts and dependency weight, totaling 33,952 images. Our findings are alarming: 93.7% of analyzed images contain known vulnerabilities, 4,437 images have secret leaks, 50 images contain misconfigurations, and 24 images are malicious. Furthermore, we identify 334 downstream images affected by malicious images and uncover patterns of attack propagation within the supply chain. We discuss measures to mitigate these issues, reported our findings to the relevant parties, and received positive responses.
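The abstract describes building an image dependency graph from layer information and ranking images by dependency weight. The following added example (not DITector's code; image names and layer digests are constructed placeholders) shows one way to do this: an image whose ordered layer list is a strict prefix of another's is treated as its base, the longest such prefix is the direct parent, and dependency weight is the number of transitive downstream images, which is also the set affected if a base image turns out to be malicious.

```python
"""Build a Docker image dependency graph from layer digests and compute
dependency weight (number of downstream images). Added example, not the
paper's DITector code; image names and layer digests are constructed."""
from collections import defaultdict

# Constructed sample: each image maps to its ordered layer digests
# (short placeholders standing in for sha256 layer digests).
IMAGES = {
    "base/os:1":      ["L1", "L2"],
    "lang/runtime:3": ["L1", "L2", "L3"],
    "app/web:1":      ["L1", "L2", "L3", "L4"],
    "app/worker:1":   ["L1", "L2", "L3", "L5"],
    "other/tool:2":   ["L9"],
}

def is_prefix(short, long_):
    """True when `short` is a strict prefix of `long_` (same layers, same order)."""
    return len(short) < len(long_) and long_[:len(short)] == short

def build_dependency_graph(images):
    """Return parent -> set(children). A child's layer list starts with the
    parent's layers; the longest such prefix is taken as the direct parent."""
    graph = defaultdict(set)
    for child, layers in images.items():
        candidates = [p for p, pl in images.items() if is_prefix(pl, layers)]
        if candidates:
            parent = max(candidates, key=lambda p: len(images[p]))
            graph[parent].add(child)
    return graph

def downstream(graph, image):
    """All images transitively built on `image` (the blast radius if it is malicious)."""
    seen, stack = set(), [image]
    while stack:
        for child in graph.get(stack.pop(), ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen

def dependency_weight(graph, image):
    """Number of downstream images; used to rank influential base images."""
    return len(downstream(graph, image))

if __name__ == "__main__":
    g = build_dependency_graph(IMAGES)
    for img in IMAGES:
        print(f"{img:16} weight={dependency_weight(g, img)} downstream={sorted(downstream(g, img))}")
```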