[CRIU] restore attacked CRIU image for forensics

Dave Turvene - Work dturvene at dahetral.com
Wed May 2 04:16:01 MSK 2018


We have a high-security application using CRIU to checkpoint and restore. 

If an attack (e.g. buffer overflow detected by our n-variant software)
causes a trip-wire to be triggered we call this
checkpoint-on-divergence.  The application is immediately checkpointed
to capture the attack.  A previous checkpoint image is used to restart
the application.  Various code transforms take place on the CRIU image
before the restart to close the attack vector (long story there...)

I'm investigating forensics of the checkpoint-on-divergence image.  I
can see CRIU running through the steps of loading the checkpoint image
files and then running it - which loses the attack info.

What I would *like* is to reload the CRIU image and NOT run it, but
break/stop on the RIP using the regs, VMAs, etc. so we can inspect the
why an attack was detected.

I've been messing around with running criu DEBUG=1 under gdb but it
seems like it always reloads the application to a running state on restore.

One idea I had is to insert an x86 "int $3" instruction at the IP to
make sure it stops.  I think I could do this in the cr_restore routine.

Any other ideas?  It's an interesting problem...

Thanks!Dave Turvene



More information about the CRIU mailing list