timemachine is a tool that automatically creates a Docker image of a Debian base
system at a specific time in the past.
timemachine is used to reproduce security vulnerabilities. In order to do so,
a system with a specific package version, e.g., the vulnerable glibc 2.9 in
the CVE-2015-7547, and more importantly its dependencies must be constructed.
However, the current Debian package repositories are always up-to-date, e.g.,
containing the patched version of glibc.
timemachine uses the Debian’s debootstrap utility to create a Docker image of
a base Debian system at a specific time in the past, e.g, 20151231, such that
the base system contains the vulnerable version of a specific package, e.g.,
glibc 2.9. To make sure dependencies of the package are consistent, the base
system is configured to fetch dependencies from a Debian snapshot repository.
[[
]]
timemachine can run on any host supporting docker.
Three required parameters are:
- Output directory on the host holding the generated Docker image, e.g.,
/tmp/timemachine - Debian distribution such as
jessie, wheezy, squeeze, lenny - datetime in YYYYMMDD format, e.g.,
20151231
Example usage:
$ docker run -t --rm --privileged \
-v /tmp/timemachine/:/tmp/timemachine/ \
csldepend/timemachine \
jessie \
20151231
Image created! Import by: docker import /tmp/timemachine/jessie-20151231.tar jessie:20151231The resulting docker image jessie-20151231.tar is stored in a mounted
directory on the host, e.g., /tmp/timemachine. Note: if you need to change the output
directory on the host, use the -v flag as folows: -v <output dir on the
host>:/tmp/timemachine/ (Don’t modify the part after the colon!).
Example usage:
$ docker import /tmp/timemachine/jessie-20151231.tar jessie:20151231
386ab9361803666d1bb592b7970f784f9faba6cd0f367aa3ad277762f8476e80$ docker run -ti jessie:20151231 cat /etc/apt/sources.list
deb http://snapshot.debian.org/archive/debian/20151231T000000Z jessie mainPhuong Cao <pcao3 at illinois dot edu>