A Systematic Approach to User File Security: From Primary Validation to Isolation in Docker

Oleg Ekhlakov

Abstract


The article presents a description of a system approach to ensuring the security of user files in containerized environments. A system-integrated approach to protecting user files in containerized environments is studied. The paper proposes and substantiates a multi-level algorithm for ensuring the security of user files that integrates validation, threat modeling, and isolation procedures into a single pipeline. The algorithm described in the paper includes the stages of primary static and dynamic analysis of loaded information, preventive threat modeling of the Docker container life cycle using attack trees and the DREAD model, and the use of a set of isolation measures. Clair, Trivy, and Docker Scout are used for static scanning of images, which allows identifying vulnerabilities at the container layer level even before it is launched. In parallel, dynamic monitoring is organized using Falco and Sysdig Secure, which ensures continuous detection of anomalies and unsuspected exploits. Container isolation mechanisms include the use of user namespaces, seccomp profiles, and privilege and resource restrictions, which significantly reduces the possibility of privilege escalation. The presented results have practical value for researchers and information security architects working on formalizing heterogeneous trust models and developing multi-level mechanisms for validating user files, as well as for DevSecOps engineers and Docker platform administrators seeking to integrate dynamic isolation methods and advanced anomaly detection strategies into corporate CI/CD pipelines.

 


Full Text:

PDF (Russian)

References


Aktolga İ. T. A study on analysis and detection of container escape vulnerabilities in Docker : дис. – Middle East Technical University (Turkey), 2024.

VS D. P., Sethuraman S. C., Khan M. K. Container security: precaution levels, mitigation strategies, and research perspectives //Computers & Security. – 2023. – Т. 135. – С. 103490.

Borglund N. Security and Application Deployment using Docker. – 2024. – С. 15-35.

Alyas T. et al. Container performance and vulnerability management for container security using docker engine //Security and Communication Networks. – 2022. – Т. 2022. – №. 1. – С. 1-8.

Shi H. et al. Dr. Docker: A Large-Scale Security Measurement of Docker Image Ecosystem //Proceedings of the ACM on Web Conference 2025. – 2025. – С. 2813-2823.

Mubanda D. et al. Evaluating docker container security through penetration testing: a smart computer security //2023 International Conference on Communication, Security and Artificial Intelligence (ICCSAI). – IEEE, 2023. – С. 415-419.

Rajyashree R. et al. An Empirical Investigation of Docker Sockets for Privilege Escalation and Defensive Strategies //Procedia Computer Science. – 2024. – Т. 233. – С. 660-669.

Sah K. P. et al. Advancing of Microservices Architecture with Dockers //2024 15th International Conference on Computing Communication and Networking Technologies (ICCCNT). – IEEE, 2024. – С. 1-6.

Mubanda D. et al. Evaluating docker container security through penetration testing: a smart computer security //2023 International Conference on Communication, Security and Artificial Intelligence (ICCSAI). – IEEE, 2023. – С. 415-419.

Mahavaishnavi V., Saminathan R., Prithviraj R. Secure container Orchestration: A framework for detecting and mitigating Orchestrator-level vulnerabilities //Multimedia Tools and Applications. – 2024. – С. 1-21.


Refbacks

  • There are currently no refbacks.


Abava  Кибербезопасность ИБП для ЦОД СНЭ

ISSN: 2307-8162