Cimplifier: Automatically debloating containers

Vaibhav Rastogi; Drew Davidson; Lorenzo De Carli; Somesh Jha; Patrick McDaniel

doi:10.1145/3106237.3106271

Cimplifier: Automatically debloating containers

Vaibhav Rastogi, Drew Davidson, Lorenzo De Carli, Somesh Jha, Patrick McDaniel

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

71 Scopus citations

Abstract

Application containers, such as those provided by Docker, have recently gained popularity as a solution for agile and seamless software deployment. These light-weight virtualization environments run applications that are packed together with their resources and configuration information, and thus can be deployed across various software platforms. Unfortunately, the ease with which containers can be created is oftentimes a double-edged sword, encouraging the packaging of logically distinct applications, and the inclusion of significant amount of unnecessary components, within a single container. These practices needlessly increase the container size-sometimes by orders of magnitude. They also decrease the overall security, as each included component-necessary or not- may bring in security issues of its own, and there is no isolation between multiple applications packaged within the same container image. We propose algorithms and a tool called Cimplifier, which address these concerns: given a container and simple user-defined constraints, our tool partitions it into simpler containers, which (i) are isolated from each other, only communicating as necessary, and (ii) only include enough resources to perform their functionality. Our evaluation on real-world containers demonstrates that Cimplifier preserves the original functionality, leads to reduction in image size of up to 95%, and processes even large containers in under thirty seconds.

Original language	English (US)
Title of host publication	ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering
Editors	Andrea Zisman, Eric Bodden, Wilhelm Schafer, Arie van Deursen
Publisher	Association for Computing Machinery
Pages	476-486
Number of pages	11
ISBN (Electronic)	9781450351058
DOIs	https://doi.org/10.1145/3106237.3106271
State	Published - Aug 21 2017
Event	11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, ESEC/FSE 2017 - Paderborn, Germany Duration: Sep 4 2017 → Sep 8 2017

Publication series

Name	Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering
Volume	Part F130154

Other

Other	11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, ESEC/FSE 2017
Country/Territory	Germany
City	Paderborn
Period	9/4/17 → 9/8/17

All Science Journal Classification (ASJC) codes

Software

Access to Document

10.1145/3106237.3106271

Cite this

Rastogi, V., Davidson, D., De Carli, L., Jha, S., & McDaniel, P. (2017). Cimplifier: Automatically debloating containers. In A. Zisman, E. Bodden, W. Schafer, & A. van Deursen (Eds.), ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (pp. 476-486). (Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering; Vol. Part F130154). Association for Computing Machinery. https://doi.org/10.1145/3106237.3106271

Rastogi, Vaibhav ; Davidson, Drew ; De Carli, Lorenzo et al. / Cimplifier : Automatically debloating containers. ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering. editor / Andrea Zisman ; Eric Bodden ; Wilhelm Schafer ; Arie van Deursen. Association for Computing Machinery, 2017. pp. 476-486 (Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering).

@inproceedings{109ad798c3c443408664b3c70ff6d54a,

title = "Cimplifier: Automatically debloating containers",

abstract = "Application containers, such as those provided by Docker, have recently gained popularity as a solution for agile and seamless software deployment. These light-weight virtualization environments run applications that are packed together with their resources and configuration information, and thus can be deployed across various software platforms. Unfortunately, the ease with which containers can be created is oftentimes a double-edged sword, encouraging the packaging of logically distinct applications, and the inclusion of significant amount of unnecessary components, within a single container. These practices needlessly increase the container size-sometimes by orders of magnitude. They also decrease the overall security, as each included component-necessary or not- may bring in security issues of its own, and there is no isolation between multiple applications packaged within the same container image. We propose algorithms and a tool called Cimplifier, which address these concerns: given a container and simple user-defined constraints, our tool partitions it into simpler containers, which (i) are isolated from each other, only communicating as necessary, and (ii) only include enough resources to perform their functionality. Our evaluation on real-world containers demonstrates that Cimplifier preserves the original functionality, leads to reduction in image size of up to 95%, and processes even large containers in under thirty seconds.",

author = "Vaibhav Rastogi and Drew Davidson and {De Carli}, Lorenzo and Somesh Jha and Patrick McDaniel",

note = "Funding Information: We are grateful to Alisa Maas for her feedback on the paper draft as well as to the anonymous reviewers for their valuable comments and suggestions. This material is based upon work supported by the National Science Foundation Grants No. CNS-1564105, CNS-1228700, CNS-1565321, and CNS-1228620 and the Defense Advanced Research Agency Contract No. FA8650-15-C-756. Any opinions, findings, conclusions and recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the funding agencies. Publisher Copyright: {\textcopyright} 2017 Association for Computing Machinery.; 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, ESEC/FSE 2017 ; Conference date: 04-09-2017 Through 08-09-2017",

year = "2017",

month = aug,

day = "21",

doi = "10.1145/3106237.3106271",

language = "English (US)",

series = "Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering",

publisher = "Association for Computing Machinery",

pages = "476--486",

editor = "Andrea Zisman and Eric Bodden and Wilhelm Schafer and {van Deursen}, Arie",

booktitle = "ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering",

}

Rastogi, V, Davidson, D, De Carli, L, Jha, S & McDaniel, P 2017, Cimplifier: Automatically debloating containers. in A Zisman, E Bodden, W Schafer & A van Deursen (eds), ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering. Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering, vol. Part F130154, Association for Computing Machinery, pp. 476-486, 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, ESEC/FSE 2017, Paderborn, Germany, 9/4/17. https://doi.org/10.1145/3106237.3106271

Cimplifier: Automatically debloating containers. / Rastogi, Vaibhav; Davidson, Drew; De Carli, Lorenzo et al.
ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering. ed. / Andrea Zisman; Eric Bodden; Wilhelm Schafer; Arie van Deursen. Association for Computing Machinery, 2017. p. 476-486 (Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering; Vol. Part F130154).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Cimplifier

T2 - 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, ESEC/FSE 2017

AU - Rastogi, Vaibhav

AU - Davidson, Drew

AU - De Carli, Lorenzo

AU - Jha, Somesh

AU - McDaniel, Patrick

N1 - Funding Information: We are grateful to Alisa Maas for her feedback on the paper draft as well as to the anonymous reviewers for their valuable comments and suggestions. This material is based upon work supported by the National Science Foundation Grants No. CNS-1564105, CNS-1228700, CNS-1565321, and CNS-1228620 and the Defense Advanced Research Agency Contract No. FA8650-15-C-756. Any opinions, findings, conclusions and recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the funding agencies. Publisher Copyright: © 2017 Association for Computing Machinery.

PY - 2017/8/21

Y1 - 2017/8/21

N2 - Application containers, such as those provided by Docker, have recently gained popularity as a solution for agile and seamless software deployment. These light-weight virtualization environments run applications that are packed together with their resources and configuration information, and thus can be deployed across various software platforms. Unfortunately, the ease with which containers can be created is oftentimes a double-edged sword, encouraging the packaging of logically distinct applications, and the inclusion of significant amount of unnecessary components, within a single container. These practices needlessly increase the container size-sometimes by orders of magnitude. They also decrease the overall security, as each included component-necessary or not- may bring in security issues of its own, and there is no isolation between multiple applications packaged within the same container image. We propose algorithms and a tool called Cimplifier, which address these concerns: given a container and simple user-defined constraints, our tool partitions it into simpler containers, which (i) are isolated from each other, only communicating as necessary, and (ii) only include enough resources to perform their functionality. Our evaluation on real-world containers demonstrates that Cimplifier preserves the original functionality, leads to reduction in image size of up to 95%, and processes even large containers in under thirty seconds.

AB - Application containers, such as those provided by Docker, have recently gained popularity as a solution for agile and seamless software deployment. These light-weight virtualization environments run applications that are packed together with their resources and configuration information, and thus can be deployed across various software platforms. Unfortunately, the ease with which containers can be created is oftentimes a double-edged sword, encouraging the packaging of logically distinct applications, and the inclusion of significant amount of unnecessary components, within a single container. These practices needlessly increase the container size-sometimes by orders of magnitude. They also decrease the overall security, as each included component-necessary or not- may bring in security issues of its own, and there is no isolation between multiple applications packaged within the same container image. We propose algorithms and a tool called Cimplifier, which address these concerns: given a container and simple user-defined constraints, our tool partitions it into simpler containers, which (i) are isolated from each other, only communicating as necessary, and (ii) only include enough resources to perform their functionality. Our evaluation on real-world containers demonstrates that Cimplifier preserves the original functionality, leads to reduction in image size of up to 95%, and processes even large containers in under thirty seconds.

UR - http://www.scopus.com/inward/record.url?scp=85030754519&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85030754519&partnerID=8YFLogxK

U2 - 10.1145/3106237.3106271

DO - 10.1145/3106237.3106271

M3 - Conference contribution

AN - SCOPUS:85030754519

T3 - Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering

SP - 476

EP - 486

BT - ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering

A2 - Zisman, Andrea

A2 - Bodden, Eric

A2 - Schafer, Wilhelm

A2 - van Deursen, Arie

PB - Association for Computing Machinery

Y2 - 4 September 2017 through 8 September 2017

ER -

Rastogi V, Davidson D, De Carli L, Jha S, McDaniel P. Cimplifier: Automatically debloating containers. In Zisman A, Bodden E, Schafer W, van Deursen A, editors, ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering. Association for Computing Machinery. 2017. p. 476-486. (Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering). doi: 10.1145/3106237.3106271

Cimplifier: Automatically debloating containers

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this