A long time ago, I wrote a program for personal use which I called "FileHasher", or something like that.
FileHasher (or whatever I called it) -- was basically a "poor man's antivirus utility" -- that is, it didn't scan memory, didn't check boot blocks, didn't scan system [E|EE]PROMS like BIOS, and it knew nothing about rootkits -- or how to detect them.
But what FileHasher did do was to take a point-in-time "metadata snapshot" -- of all of the files on my PC -- their path, their filename, their size, their date, and a custom 16 or 32 byte hash of their contents. This data was put into a single simple space or tab or comma delimited text file (a "poor man's database" <g>) which contained in its filename the date and time (as a string) when this file was generated.
The idea was, I'd run a completely fresh OS install. Then, as the absolute first thing I'd do after the OS install, I'd copy "FileHasher" onto my PC via USB drive, and run it to generate a metadata snapshot file of all of the system's files...
FileHasher could then be run at any time subsequent -- to generate an additional "point-in-time" metadata snapshot information file.
Once two such files were created from two points in time -- FileHasher could compare them -- and list ALL files that had been created, deleted, or modified -- since the initial or previous run.
The idea was, that a virus, if it were to exist, would probably create/modify/delete at least one file -- and FileHasher in reporting mode (if used with diligence, say, before and after software installs, and at various other dates/times) -- would help a person with a keen eye -- in finding/identifying/fixing what the problem was, based on the list of created/deleted/modified files...
Tracking the Software Dark Matter in the various layers of container(ized) images -- sounds like a very similar (and good!) idea!
Will it solve every possible container security problem?
Probably not -- but it's a good step in the right direction!
(Was my "virus checker" perfect? No! But it was better than no virus checker! <g> ("A Little Bit Of Something" > "Nothing" -- you know, from Philosophy 101! <g>))
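The snapshot-and-compare scheme the comment describes, as an added example in Python (not the commenter's FileHasher): it assumes SHA-256 in place of the custom 16 or 32 byte hash, a tab-delimited snapshot file named by its timestamp, and decides "modified" on content hash rather than size or date.

```python
# Added example, not the commenter's FileHasher: snapshot file metadata, save it as
# timestamp-named tab-delimited text, diff two snapshots. Assumes SHA-256 as the hash.
import hashlib
import os
import time

def file_digest(path, chunk=1 << 20):
    """Hash a file's contents in chunks so large files are not read into RAM at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Return {relative_path: (size, mtime, digest)} for every regular file under root."""
    entries = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # hash only regular files; skip symlinks, sockets, devices
            st = os.stat(full)
            entries[os.path.relpath(full, root)] = (st.st_size, int(st.st_mtime), file_digest(full))
    return entries

def write_snapshot(entries, out_dir):
    """Write one line per file to a text file whose name carries the snapshot time."""
    out = os.path.join(out_dir, time.strftime("snapshot-%Y%m%d-%H%M%S.tsv"))
    with open(out, "w", encoding="utf-8") as f:
        for rel in sorted(entries):
            f.write("\t".join([rel, *map(str, entries[rel])]) + "\n")
    return out

def read_snapshot(path):
    """Parse a snapshot file back into the dict form that snapshot() returns."""
    entries = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            rel, size, mtime, digest = line.rstrip("\n").split("\t")
            entries[rel] = (int(size), int(mtime), digest)
    return entries

def compare(old, new):
    """Return (created, deleted, modified); 'modified' is judged on content hash, not size/mtime."""
    created = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p][2] != new[p][2])
    return created, deleted, modified
```

Because the verdict rests on the hash, a same-size edit made within the same second as the original write is still reported, which size-and-date comparison alone would miss.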