
Make the images used for dynamic analysis more representative of a standard Linux install

Open calebbrown opened this issue 4 years ago • 10 comments

Currently the base images used are the *-slim variants.

To ensure we capture common attack scenarios the base images should include things like:

  • curl, wget
  • git, mercurial
  • git config
  • dummy key files (ssh, aws, etc - bonus points if these are canarytokens.org or similar)

Other nice-to-haves might be:

  • a common cryptowallet
  • browser profile (e.g. session cookies)

calebbrown avatar Nov 03 '21 21:11 calebbrown
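One way the wishlist above could be realised in a sandbox image, as an added example that is not one of the project's own sandbox Dockerfiles: the base image, file paths and every credential value are assumptions, and the placeholder values are meant to be swapped for tokens issued by canarytokens.org or a similar service so that any exfiltration of the dummy files produces an alert.

```dockerfile
# Added example, not a package-analysis sandbox Dockerfile. The base image,
# paths and placeholder values below are assumptions.
FROM node:16-bullseye

# Tools commonly reached for by install scripts (and by malicious payloads),
# so packages that shell out to them behave as they would on a normal host.
RUN apt-get update && apt-get install -y --no-install-recommends \
        curl wget git mercurial netcat-openbsd iproute2 sudo openssh-client \
    && rm -rf /var/lib/apt/lists/*

# A git identity so install steps that need `git config` succeed and so a
# gitconfig exists for anything that reads it.
RUN git config --system user.name "Sandbox User" \
    && git config --system user.email "sandbox@example.invalid"

# Dummy credential files. The SSH key is freshly generated and never used
# anywhere else; the AWS values are obvious placeholders to be replaced with
# canary tokens so reading or sending them is detectable.
RUN mkdir -p /root/.ssh /root/.aws \
    && ssh-keygen -q -t ed25519 -N "" -C "sandbox-dummy" -f /root/.ssh/id_ed25519 \
    && printf '[default]\naws_access_key_id = AKIA-PLACEHOLDER-REPLACE-WITH-CANARYTOKEN\naws_secret_access_key = PLACEHOLDER-SECRET-REPLACE-WITH-CANARYTOKEN\n' \
         > /root/.aws/credentials \
    && chmod 600 /root/.ssh/id_ed25519 /root/.aws/credentials
```

Installing the tools on top of a non-slim base keeps the image representative; generating the SSH key at build time means it is unique per image and carries no real access anywhere.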

Yes!

One technical issue I've encountered though is that storing large images in the base analysis image is really slow. We might need to find a better way to run these analysis images.

oliverchang avatar Nov 03 '21 23:11 oliverchang

There are a few options here:

  1. pull all the images when each worker pod starts
  2. pull the images the first time they are needed (this is basically how it works now, but it happens during the podman run step)
  3. build analysis images for each ecosystem with the sandbox image baked in, and have different k8s clusters for different ecosystems.

My preference would be for 2 as it trades off the startup latency against the ability to pull in larger images.

calebbrown avatar Nov 03 '21 23:11 calebbrown

I agree 2 would be ideal, but I noticed a lot of slowness with pulling on demand that we'd have to solve (taking several minutes even with the current size of images). Maybe the filesystem overlay or some other configuration is not set up optimally for this.

oliverchang avatar Nov 03 '21 23:11 oliverchang

Won't this help? https://cloud.google.com/blog/products/containers-kubernetes/introducing-container-image-streaming-in-gke

naveensrinivasan avatar Nov 04 '21 17:11 naveensrinivasan

Thanks @naveensrinivasan, that looks interesting, but I'm unsure of how easily this works with our setup and nested containers.

To make 2) work, one thing to explore might be to set up a persistent SSD storage for our workers (and mount that into /var/lib/containers or wherever podman stores images) which might make pulling both faster and allow caching.

oliverchang avatar Nov 23 '21 05:11 oliverchang

Some packages also fail to install properly because our image is too minimal.

e.g. @brixel/[email protected] requires git:

Error
2021-11-25 00:04:16.180 GMTnpm ERR! code ENOENT
Error
2021-11-25 00:04:16.180 GMTnpm ERR! syscall spawn git
Error
2021-11-25 00:04:16.180 GMTnpm ERR! path git
Error
2021-11-25 00:04:16.180 GMTnpm ERR! errno -2
Error
2021-11-25 00:04:16.180 GMTnpm ERR! enoent spawn git ENOENT
Error
2021-11-25 00:04:16.180 GMTnpm ERR! enoent This is related to npm not being able to find a file.
Error
2021-11-25 00:04:16.180 GMTnpm ERR! enoent

oliverchang avatar Nov 25 '21 00:11 oliverchang

Now available in sandbox images:

  • git
  • curl
  • wget

calebbrown avatar Mar 23 '22 23:03 calebbrown

There is also sudo now in all sandbox images #395

maxfisher-g avatar Dec 21 '22 00:12 maxfisher-g

It is unclear when this issue can be marked as complete.

At the very least the images should not be "slim" variants, but more full ubuntu server or workstation variants.

calebbrown avatar Dec 21 '22 00:12 calebbrown

Some other small things to add - netcat, ip tools.

Need someone to make a list based on examining commands executed by packages and what programs they try to access

maxfisher-g avatar Dec 21 '22 00:12 maxfisher-g
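A starting point for the list requested above, as an added example rather than project code: it tallies which programs packages try to execute during analysis, unwrapping `sh -c` and `env` wrappers, reports the ones absent from the image, and also pulls program names out of npm's `spawn X ENOENT` errors like the one quoted earlier in the thread. The exec-record format and the set of installed programs are constructed stand-ins, not the real analysis output.

```python
"""Summarise which programs sandboxed package installs try to run and which
of them the sandbox image lacks.

Added example, not package-analysis project code. The exec-record format is
a constructed stand-in for whatever the dynamic-analysis tracer emits for
spawned processes; adapt the field names to the real output.
"""
import re
from collections import Counter

# Constructed sample: one record per exec observed during install.
SAMPLE_EXECS = [
    {"package": "pkg-a", "argv": ["/bin/sh", "-c", "git clone https://example.invalid/repo"]},
    {"package": "pkg-a", "argv": ["git", "clone", "https://example.invalid/repo"]},
    {"package": "pkg-b", "argv": ["/usr/bin/curl", "-s", "https://example.invalid/x"]},
    {"package": "pkg-b", "argv": ["nc", "-z", "127.0.0.1", "80"]},
    {"package": "pkg-c", "argv": ["node", "install.js"]},
    {"package": "pkg-c", "argv": ["hg", "clone", "https://example.invalid/hgrepo"]},
    {"package": "pkg-d", "argv": ["/usr/bin/env", "python3", "setup.py"]},
    {"package": "pkg-d", "argv": ["git", "--version"]},
]

# Programs present in the (constructed) sandbox image, by basename.
INSTALLED = {"sh", "bash", "node", "npm", "env", "python3", "git", "curl", "wget"}

# Constructed npm log lines in the shape of the ENOENT report quoted above.
SAMPLE_NPM_LOG = [
    "2021-11-25 00:04:16.180 GMTnpm ERR! code ENOENT",
    "2021-11-25 00:04:16.180 GMTnpm ERR! syscall spawn git",
    "2021-11-25 00:04:16.180 GMTnpm ERR! enoent spawn git ENOENT",
    "2021-11-25 00:04:16.180 GMTnpm ERR! enoent This is related to npm not being able to find a file.",
]

# Matches "npm ERR! enoent spawn <program> ENOENT" (and the variant without "enoent").
NPM_ENOENT_RE = re.compile(r"npm ERR! (?:enoent )?spawn (\S+) ENOENT")


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def program_of(argv):
    """Return the program a record actually invokes.

    `sh -c CMD` and `env [VAR=x ...] CMD` are unwrapped so the wrapped command
    is counted rather than the wrapper; anything else is argv[0]'s basename.
    """
    if not argv:
        return None
    prog = basename(argv[0])
    if prog in ("sh", "bash", "dash") and len(argv) >= 3 and argv[1] == "-c":
        first = argv[2].split()
        return basename(first[0]) if first else prog
    if prog == "env":
        for arg in argv[1:]:
            if arg.startswith("-") or "=" in arg:
                continue  # skip env options and VAR=value assignments
            return basename(arg)
        return prog
    return prog


def program_counts(records) -> Counter:
    """Number of distinct packages that invoke each program."""
    seen = set()
    for r in records:
        p = program_of(r["argv"])
        if p:
            seen.add((r["package"], p))
    # sorted() makes the Counter's insertion order deterministic
    return Counter(p for _, p in sorted(seen))


def missing_programs(records, installed) -> dict:
    """Programs packages try to run that the image lacks, most demanded first."""
    counts = program_counts(records)
    return {p: n for p, n in counts.most_common() if p not in installed}


def enoent_from_npm_log(lines) -> set:
    """Program names npm reported as not found."""
    return {m.group(1) for m in map(NPM_ENOENT_RE.search, lines) if m}


if __name__ == "__main__":
    print("programs invoked:", dict(program_counts(SAMPLE_EXECS)))
    print("missing from image:", missing_programs(SAMPLE_EXECS, INSTALLED))
    print("npm ENOENT:", enoent_from_npm_log(SAMPLE_NPM_LOG))
```

Counting packages rather than raw exec events keeps a single noisy package from dominating the list; the npm-log parser catches the install failures that never reach an exec record because the program was never found.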