No silver bullets in virtualisation & containerisation (even with Docker)

Docker isn’t actually everywhere, but the open source software designed to allow a Linux application (and its dependencies) to be packaged as a container has enjoyed massive success recently.

Search AWS recently reported that, “AWS Elastic Beanstalk has updated its support for a Linux container that experts say could grow into a new standard for application portability among Linux servers.”

That Linux container is, logically enough, Docker.

Software application developers can package applications using Docker version 1.0 on their own, so to speak, or they can equally provide a text-based Dockerfile with instructions on how to create an image.

Container-based virtualisation techniques employed with Docker work to isolate software applications from each other on a shared operating system.

Containers are portable across different Linux distributions, so the software applications themselves can run in any Linux environment.

What does Docker compete with?

So you would naturally expect Docker to compete with some pre-existing technologies, and it does: it lines up against proprietary application containers such as VMware vApp technology and infrastructure abstraction tools like Chef.

Paco Hope is a principal consultant at Cigital.

Hope reminds us that Docker is cross-platform, allowing developers to target Mac, Windows, and Linux easily.

He asserts that this allows developers to package up all the various libraries, bits and pieces that are necessary (without requiring a user to download and install them all) and that it also “should have” the security benefit of being a sandbox that can’t be escaped.

But an exploit was released recently that allows code that is supposed to be contained inside a Docker container to access files in the operating system where it is running.

A developer who sends you a Docker-based application could actually get files off your PC, even though that is supposed to be prevented by Docker’s technology.

Hope explains the situation in full below:

“Much in the way that mobile devices can be jailbroken, virtualisation containers of all kinds can be susceptible to malicious code. Multi-tenant computer systems resemble multi-tenant buildings in real life: Often the defences that protect one tenant from another are much weaker than the defences that protect all tenants from random outsiders. Any part of the application that is virtualised this way is immediately less trustworthy than it would be running on a company’s own servers. Software designers must consider malicious containers when designing security controls, despite the fact that virtualisation might be improving security in many other ways. This is a bug we should expect to be fixed quickly, it’s not a flaw in virtualisation. Virtualisation and containerisation are generally good things. No technology is a security silver bullet, however.”
