S Lab

[Sibin Mohan]

Systems Security Research Group at GWU and University of Illinois

Container Debloating: Reducing Code Bloat in Container-based Applications

Team Members



Application containers, such as Docker containers, are light-weight virtualization environments that “contain” applications together with their resources and configuration information. While they are becoming increasingly popular as a method for agile software deployment, current techniques for preparing containers add unnecessary bloat into them: they often include unwanted files that increase the container size by several orders of magnitude. This not only leads to storage and network transfer issues but also security concerns. The problem is well-recognized but available solutions are mostly ad-hoc and not largely deployed. Cimplifier debloats a container by using dynamic analysis to identify the resources necessary to the container and then removing the unnecessary resources. However, dynamic analysis uses model executions or test runs, which if incomplete, may not allow detection of all the necessary resources. Therefore, it is important to explore other directions towards container debloating. These include a new intermediate representation allowing incorporation of multiple techniques, such as dynamic analysis and static analysis, for debloating; and test case augmentation using symbolic execution.


This project is supported by a grant from the Office of Naval Reserach (ONR).