An Effective Docker Image Slimming Approach Based on Source Code Data Dependency Analysis
Jiaxuan Han, Cheng Huang, Jiayong Liu, Tianwei Zhang
TL;DR
This work tackles the problem of bloated Docker images that carry unnecessary environment dependencies and enlarge attack surfaces. It proposes δ-SCALPEL, a framework based on static data dependency analysis that extracts environment dependencies from project code and its dependencies, using a novel command linked list to model the image filesystem and prune nonessential content. Empirical evaluation on 80 images from 20 NPM projects shows δ-SCALPEL can reduce image sizes by up to 61.4% while preserving program functionality, and that it is robust to whether an entry point is explicitly defined. Compared to runtime-based slimming approaches, δ-SCALPEL demonstrates a lower risk of breaking container behavior and a substantial reduction in the image attack surface, underscoring the practical impact for secure, efficient container deployment.
Abstract
Containerization is now mainstream in software development, enabling software to be used across platforms without additional configuration of the running environment. However, many images created by developers are redundant and contain unnecessary code, packages, and components. This excess not only leads to bloated images that are cumbersome to transmit and store but also increases the attack surface, making them more vulnerable to security threats. Therefore, image slimming has emerged as a significant area of interest. Nevertheless, existing image slimming technologies face challenges, particularly regarding the incomplete extraction of environment dependencies required by project code. In this paper, we present a novel image slimming model named δ-SCALPEL. This model employs static data dependency analysis to extract the environment dependencies of the project code and uses a data structure called the command linked list to model the image's file system. We select 20 NPM projects and two official Docker Hub images to construct a dataset for evaluating δ-SCALPEL. The evaluation results show that δ-SCALPEL can reduce image sizes by up to 61.4% while ensuring the normal operation of these projects.
