Final work submission for Google Summer of Code 2023.
behouba/gsoc-2023
Google Summer of Code 2023.

Organisation: CRIU
Mentors: Adrian Reber, Radostin Stoyanov
Proposal: Forensic analysis of container checkpoints
GSoC 2023 project page: Forensic analysis of container checkpoints

Background

CRIU

CRIU (Checkpoint/Restore In Userspace) is a Linux software tool that makes it possible to freeze a running process or application at a specific point in time and later restore it to that exact state. It's like taking a snapshot of the process's current state, including its memory, files, and other resources, and then being able to resume the process from that snapshot later on.

CRIT

crit (CRiu Image Tool) serves as both a command-line interface and a package within go-criu, offering low-level features for decoding, encoding, and manipulating CRIU image files.

checkpointctl

checkpointctl, a CLI tool written in Go, is designed for inspecting checkpoints generated by CRIU. It provides an intuitive and user-friendly approach to extracting valuable information from container checkpoints.

Project overview

When using CRIU to perform a checkpoint of a container, it generates an archive containing all essential data about the container's state at the moment of checkpointing. The objective of this Google Summer of Code project was to extend checkpointctl with forensic analysis capabilities. These capabilities are especially helpful for troubleshooting and investigation. For example, if a container is suspected to have been compromised, checkpointctl will allow you to peek inside without interfering with the normal operation of the running container. It's like having a magnifying glass to see what's going on inside the container without disturbing anything.

Work Done

My contribution during this GSoC project was mainly about enhancing go-criu and checkpointctl with memory analysis features. The goal was to make checkpointctl a user-friendly CLI tool for memory analysis of container checkpoints.

go-criu

In the go-criu repository, I expanded the crit package by incorporating low-level memory analysis features for CRIU images.

Pull requests:

checkpointctl

I integrated the memory analysis features implemented in go-criu into checkpointctl. My work on checkpointctl included updating an existing sub-command and implementing new sub-commands designed to provide a user-friendly memory analysis experience for container checkpoints.

Pull requests:

Demo Tutorial (Coming soon)

To demonstrate how checkpointctl can be used as a forensic analysis tool for container checkpoints, I have created a tutorial article here that demonstrates the features implemented during this GSoC.

Experience through this project

Before the GSoC coding period began, I dedicated time to learning about Linux processes and memory management. I read various materials on this topic, including articles, book chapters, and forums. During the GSoC coding period, the most challenging part for me was when I needed to delve into the CRIU source code to understand how some image files are generated. While I can't claim to have grasped everything, I learned a lot from the feedback and discussions with my mentors, along with inspecting the CRIU source code. Another challenge was designing meaningful command-line sub-commands and flags for checkpointctl. Thankfully, my mentors were always available to provide insights and suggest improvements to my initial ideas. This project has been a priceless opportunity for me to expand my knowledge, particularly about Linux processes and memory management.

Next steps

For the future, I intend to keep contributing to CRIU. In relation to this GSoC project, there are a few tasks that I plan to continue working on:

  • Extend the memparse sub-command with search functionality to allow users to search for a specific pattern in process memory pages (Suggested by: Radostin Stoyanov).
  • Extend the memparse sub-command with memory page editing features (Suggested by: Radostin Stoyanov).
  • Add a new feature to checkpointctl that allows users to view the bash process history. Its output will look like that of the history command.
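As an added example (not code from checkpointctl or go-criu), the core of the pattern search described in the first item above, written in Go: CRIU stores a process's memory as a pagemap image that lists runs of pages by virtual address, plus a pages-<N>.img file holding those pages back to back, so a raw byte match in the pages file is only meaningful once it is translated back through the pagemap. The PagemapEntry type is a simplified stand-in for the real image record, and SamplePages is constructed data; neither is part of the project.

```go
package main

import (
	"bytes"
	"fmt"
)

const pageSize = 4096
// PagemapEntry models a CRIU pagemap entry (simplified, not go-criu's type):
// NrPages pages from Vaddr, stored back to back in pagemap order in pages-<N>.img.
type PagemapEntry struct{ Vaddr, NrPages uint64 }
// SearchPages returns the virtual address of every occurrence of pattern. Searching
// one pagemap entry at a time keeps matches that span two pages of the same mapping
// and rejects ones that exist only because unrelated mappings are adjacent in the file.
func SearchPages(pagemap []PagemapEntry, pages, pattern []byte) []uint64 {
	var hits []uint64
	var cursor uint64
	for _, e := range pagemap {
		size := e.NrPages * pageSize
		if cursor+size > uint64(len(pages)) {
			break // pages file shorter than the pagemap claims: stop cleanly
		}
		region := pages[cursor : cursor+size]
		for off := 0; off < len(region); {
			i := bytes.Index(region[off:], pattern)
			if i < 0 {
				break
			}
			hits = append(hits, e.Vaddr+uint64(off+i))
			off += i + 1
		}
		cursor += size
	}
	return hits
}

// SamplePages is constructed data: two pages mapped at 0x7f0000001000 and one at
// 0x7f0000010000; the marker sits at a same-mapping page boundary (found), a
// cross-mapping boundary (rejected) and a plain in-page offset (found).
func SamplePages() ([]PagemapEntry, []byte) {
	pagemap := []PagemapEntry{{0x7f0000001000, 2}, {0x7f0000010000, 1}}
	pages := make([]byte, 3*pageSize)
	for _, off := range []int{4090, 8188, 8292} {
		copy(pages[off:], "SECRET_TOKEN")
	}
	return pagemap, pages
}

func main() {
	pagemap, pages := SamplePages()
	fmt.Printf("%#x\n", SearchPages(pagemap, pages, []byte("SECRET_TOKEN")))
}
```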

Acknowledgments

I am grateful to my mentors, Adrian Reber and Radostin Stoyanov, for their guidance and support throughout this GSoC journey. I would also like to acknowledge my co-mentee, Prajwal S N, for his valuable contributions and insightful reviews. Finally, I express my sincere appreciation to the CRIU organization and the Google Summer of Code program for providing me with this invaluable opportunity for learning and contributing to FOSS.
