Announcing Terrier: An open-source tool for identifying and analysing container and image components

As part of our Blackhat Europe talk “Reverse Engineering and Exploiting Builds in the Cloud” we publicly released a new tool called Terrier. In this blog post, I am going to show you how Terrier can help you identify and verify container and image components for a wide variety of use-cases, be it from a supply-chain perspective or a forensics perspective.

I am not going to go into too much detail about containers and images (you can learn more here); however, it is important to highlight a few characteristics of containers and images that make them interesting in terms of Terrier. Containers are run from images, and currently the Open Containers Initiative (OCI) format is the most popular format for images. The remainder of this blog post refers to OCI images as images.

Essentially, images are tar archives that contain multiple tar archives and meta-information that represent the “layers” of an image. The OCI format makes images relatively simple to work with, which in turn makes analysis relatively simple. If you only had access to a terminal and the tar command, you could pretty much get what you need from the image’s tar archive.

When images are utilised at runtime for a container, their contents become the contents of the running container and the layers are essentially extracted to a location on the container’s runtime host. The container runtime host is the host that is running and maintaining the containers. This location is typically /var/lib/docker/overlay2//. It contains a few folders of interest, particularly the "merged" folder. The "merged" folder contains the contents of the image and any changes that have occurred in the container since its creation. For example, if the image contained a location such as /usr/chris/stuff and, after creating a container from this image, I created a file called helloworld.txt at that location, this would result in the following valid path on the container runtime host: /var/lib/docker/overlay2//merged/usr/chris/stuff/helloworld.txt.

Now that we have a brief understanding of images and containers, we can look at what Terrier does. Often you would like to determine if an image or container contains a specific file. This requirement may be due to a forensic analysis need or to identify and prevent a certain supply-chain attack vector. Regardless of the requirement, having the ability to determine the presence of a specific file in an image or container is useful.
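The layer structure described above, an outer tar archive holding one tar archive per layer, is enough to check an image for a specific file by path or by SHA-256 hash using only a tar reader. The following is an added example, not Terrier's code and not part of the original post; the function names and the sample image it builds are constructed for illustration.

```python
import hashlib
import io
import posixpath
import tarfile


def find_in_image(image_tar, wanted_path=None, wanted_sha256=None):
    """Return (layer, path, sha256) for each matching file in any layer."""
    hits = []
    with tarfile.open(image_tar) as image:
        for member in image.getmembers():
            if not member.isfile():
                continue
            blob = image.extractfile(member).read()  # whole layer in memory
            try:
                # "r:*" accepts plain and gzip/bz2/xz-compressed layers.
                layer = tarfile.open(fileobj=io.BytesIO(blob), mode="r:*")
            except tarfile.TarError:
                continue  # JSON metadata, not a layer archive
            with layer:
                for entry in layer.getmembers():
                    path = posixpath.normpath("/" + entry.name.lstrip("/"))
                    if not entry.isfile() or (wanted_path and path != wanted_path):
                        continue
                    digest = hashlib.sha256(layer.extractfile(entry).read()).hexdigest()
                    if wanted_sha256 and digest != wanted_sha256:
                        continue
                    hits.append((member.name, path, digest))
    return hits


def _tar_bytes(files, mode):
    """Pack {name: bytes} into an in-memory tar archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as t:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image(out_path):
    """Constructed sample image: metadata plus two layers, one gzip-compressed."""
    layer0 = _tar_bytes({"etc/os-release": b"ID=demo\n"}, "w")
    layer1 = _tar_bytes({"usr/chris/stuff/helloworld.txt": b"hello world\n"}, "w:gz")
    parts = {"manifest.json": b"[]", "layer0/layer.tar": layer0, "layer1/layer.tar": layer1}
    with open(out_path, "wb") as f:
        f.write(_tar_bytes(parts, "w"))
```

Because every layer is searched independently, a file that a later layer removed still matches in the earlier layer that introduced it, which is the behaviour you want for forensic work.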