Static detection of vulnerabilities in base images of software containers

US 10,223,534 B2
Filed: 10/13/2016
Issued: 03/05/2019
Est. Priority Date: 10/15/2015
Status: Active Grant

First Claim

Patent Images

1. A method for detecting vulnerabilities in base images of software containers, comprising:

receiving an event indicating that at least one base image should be scanned for vulnerabilities, each base image including at least one image layer, wherein the event designates at least one source of the at least one base image, wherein the least one base image includes resources utilized to execute at least a software container;

extracting contents of each image layer of the at least one base image;

scanning the extracted contents to detect at least one vulnerability;

generating a detection event, when the at least one vulnerability is detected;

generating a unitary signature for each layer of the at least one base image when no vulnerability is detected;

determining, after saving the unitary signature in a database, if repeated scanning of the at least one base image is required based on the unitary signature generated for each layer of the at least one base image, wherein the contents of each layer are extracted and scanned again when it is determined that repeated scanning is required; and

generating a safe event when no vulnerability is detected.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting vulnerabilities in base images of software containers are disclosed. The method includes receiving an event indicating that at least one base image should be scanned for vulnerabilities, each base image including at least one image layer, wherein the event designates at least one source of the at least one base image, wherein the least one base image includes resources utilized to execute at least a software container; extracting contents of each image layer of each base image; scanning the extracting contents to detect at least one vulnerability; and generating a detection event, when the at least one vulnerability is detected.

85 Citations

View as Search Results

33 Claims

1. A method for detecting vulnerabilities in base images of software containers, comprising:
- receiving an event indicating that at least one base image should be scanned for vulnerabilities, each base image including at least one image layer, wherein the event designates at least one source of the at least one base image, wherein the least one base image includes resources utilized to execute at least a software container;
  
  extracting contents of each image layer of the at least one base image;
  
  scanning the extracted contents to detect at least one vulnerability;
  
  generating a detection event, when the at least one vulnerability is detected;
  
  generating a unitary signature for each layer of the at least one base image when no vulnerability is detected;
  
  determining, after saving the unitary signature in a database, if repeated scanning of the at least one base image is required based on the unitary signature generated for each layer of the at least one base image, wherein the contents of each layer are extracted and scanned again when it is determined that repeated scanning is required; and
  
  generating a safe event when no vulnerability is detected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein generating the unitary signature for each layer of the at least one base image further comprises:
    - computing a check-sum over the contents of each image layer of the at least one base image.
  - 3. The method of claim 1, wherein generating the unitary signature for each layer of the at least one base image further comprises:
    - computing a hash-function over the contents of each image layer of the at least one base image.
  - 4. The method of claim 1, further comprising:
    - checking if the at least one base image was previously scanned based on the unitary signature generated for each layer of the at least one base image, wherein the contents of each layer are extracted and scanned to detect the at least one vulnerability for the at least one base image that was not previously scanned.
  - 5. The method of claim 4, wherein checking if the at least one base image was previously scanned further comprises:
    - comparing the generated unitary signatures of the least one base image to unitary signatures of saved scanned layers of base images from the database.
  - 6. The method of claim 1, further comprising:
    - exporting the at least one base image from the at least one source to a host device.
  - 7. The method of claim 1, wherein each of the at least one source includes at least one of:
    - a continuous integration system for base images, a host device and an image registry.
  - 8. The method of claim 1, wherein extracting the contents of each image layer of the at least one base image further comprises:
    - reformatting the at least one base image into a data structure.
  - 9. The method of claim 8, wherein the data structure includes at least one of:
    - a file having a standard format, and a filesystem structure.
  - 10. The method of claim 1, wherein the at least one vulnerability includes at least any one of:
    - malware, a vulnerable software library installed in the at least one base image, and a vulnerable software library installed in the at least one base image.
  - 11. The method of claim 9, wherein scanning to identify at least malware further comprises:
    - receiving intelligence information, wherein the intelligence information includes at least definitions of malwares; and
      
      scanning the extracted contents to identify at least one definition of the at least one type of malware defined in the intelligence information.
  - 12. The method of claim 11, wherein the malware includes at least one of:
    - previously known malware, and newly discovered malware.
  - 13. The method of claim 11, wherein scanning to identify a vulnerable software library installed in the at least one base image further comprises:
    - determining an identifier of each software library installed in the at least one base image; and
      
      comparing each determined identifier against a list of vulnerable software libraries.
  - 14. The method of claim 11, wherein scanning to identify a vulnerable software package installed in the at least one base image further comprises:
    - determining an identifier of each software package installed in the at least one base image; and
      
      comparing each determined identifier against a list of vulnerable software packages.
  - 15. The method of claim 1, wherein the generating the detection event further comprises:
    - halting a process of updating the source with the least one base image.
  - 16. The method of claim 1, wherein the detection of vulnerabilities in base images is performed prior to execution of the at least software container.

17. A host device for detecting vulnerabilities in software containers at runtime, comprising:
- a processing system; and
  
  a memory, the memory containing instructions that, when executed by the processing system, configure the host device to;
  
  receive an event indicating that at least one base image should be scanned for vulnerabilities, each base image including at least one image layer, wherein the event designates at least one source of the at least one base image, wherein the least one base image includes resources utilized to execute at least a software container;
  
  extract contents of each image layer of the at least one base image;
  
  scan the extracted contents to detect at least one vulnerability;
  
  generate a detection event, when the at least one vulnerability is detected; and
  
  generate a unitary signature for each layer of the at least one base image when no vulnerability is detected;
  
  determine, after saving the unitary signature in a database, if repeated scanning of the at least one base image is required based on the unitary signature generated for each layer of the at least one base image, wherein the contents of each layer are extracted and scanned again when it is determined that repeated scanning is required; and
  
  generate a safe event when no vulnerability is detected.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 18. The host device of claim 17, wherein the host device is further configured to:
    - compute a check-sum over the contents of each image layer of the each base image.
  - 19. The host device of claim 17, wherein the host device is further configured to:
    - compute a hash-function over the contents of each image layer of the each base image.
  - 20. The host device of claim 17, wherein the host device is further configured to:
    - check if the at least one base image was previously scanned based on the unitary signature generated for each layer of the each base image, wherein the contents of each layer are extracted and scanned to detect the at least one vulnerability for the at least one base image that was not previously scanned.
  - 21. The host device of claim 20, wherein the host device is further configured to:
    - compare the generated unitary signatures of the least one base image to unitary signatures of saved scanned image layers of base images from the database.
  - 22. The host device of claim 17, wherein the host device is further configured to:
    - export the at least one base image from the at least one source to the host device.
  - 23. The host device of claim 17, wherein the at least one source includes at least one of:
    - a continuous integration system for base images, the host device and an image registry.
  - 24. The host device of claim 17, wherein the host device is further configured to:
    - reformat the at least one base image into a data structure.
  - 25. The host device of claim 24, wherein the data structure includes at least one of:
    - a file having a standard format, and a filesystem structure.
  - 26. The host device of claim 17, wherein the at least one vulnerability includes at least any one of:
    - malware, a vulnerable software library installed in the at least one base image, and a vulnerable software library installed in the at least one base image.
  - 27. The host device of claim 26, wherein the host device is further configured to:
    - receive intelligence information, wherein the intelligence information includes at least definitions of malwares; and
      
      scan the extracted contents to identify at least one definition of the at least one type of malware defined in the intelligence information.
  - 28. The host device of claim 18, wherein the malware includes at least one of:
    - previously known malware, and newly discovered malware.
  - 29. The host device of claim 18, wherein the host device is further configured to:
    - determine an identifier of each software library installed in the at least one base image; and
      
      compare each determined identifier against a list of vulnerable software libraries.
  - 30. The host device of claim 29, wherein the host device is further configured to:
    - determine an identifier of each software package installed in the at least one base image; and
      
      compare each determined identifier against a list of vulnerable software packages.
  - 31. The host device of claim 17, wherein the host device is further configured to:
    - halt a process of updating the source with the least one base image.
  - 32. The host device of claim 17, wherein the detection of vulnerabilities in base images is performed prior to execution of the at least software container.

33. A non-transitory computer readable medium having stored thereon instructions for causing a processing system to execute a process for detecting vulnerabilities in software containers at runtime, the process comprising:
- receiving an event indicating that at least one base image should be scanned for vulnerabilities, each base image including at least one image layer, wherein the event designates at least one source of the at least one base image, wherein the least one base image includes resources utilized to execute at least a software container;
  
  extracting contents of each image layer of the at least one base image;
  
  scanning the extracted contents to detect at least one vulnerability;
  
  generating a detection event, when the at least one vulnerability is detected;
  
  generating a unitary signature for each layer of the at least one base image when no vulnerability is detected;
  
  determining, after saving the unitary signature in a database, if repeated scanning of the at least one base image is required based on the unitary signature generated for each layer of the at least one base image, wherein the contents of each layer are extracted and scanned again when it is determined that repeated scanning is required; and
  
  generating a safe event when no vulnerability is detected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Twistlock, Ltd. (Palo Alto Networks Incorporated)
Original Assignee
Twistlock, Ltd. (Palo Alto Networks Incorporated)
Inventors
Stopel, Dima, Bernstein, Ben
Primary Examiner(s)
Lwin, Maung T

Application Number

US15/292,915
Publication Number

US 20170109536A1
Time in Patent Office

873 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

G06F 2221/033 Test or assess software

Static detection of vulnerabilities in base images of software containers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

85 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Static detection of vulnerabilities in base images of software containers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links