Extracting the content of a QNX IFS Image

Evgeny Dratva | October 19, 2017
How to approach dumping a QNX Image

While integrating Karamba protection into a QNX IFS image, I found that I first needed to extract the contents of a ready IFS image in order to inspect the binaries on the build machine for Karamba whitelisting purposes. I needed to know what those binaries would look like in their “final” form, after they’ve been stripped of debug symbols and otherwise modified by the IFS building utility.

Initially, I tried to use the dumpifs utility provided by QNX as part of their SDP 6.6 development framework. According to the dumpifs documentation, the “-d” switch (specify a folder to which the files are dumped) should be used to dump the files to a specified folder while preserving the file structure of the IFS.

Difficulties in dumping an IFS image

Unfortunately, this didn’t work. I would get an error message, such as “dumpifs: Unable to open proc/boot/procnto-instr: No such file or directory”. Based on this, I concluded that dumpifs expects the directory structure of the IFS to be already present in the folder that I was trying to dump the files into. I needed to find another way to solve this problem.

On my next attempt, I used another command line switch, “-b” (again combined with “-d”), which dumps the files in a “flat” manner, ignoring the directory structure. This only partially worked. If there is more than one file with the same name in the IFS, only the last one encountered by dumpifs will be dumped. Since we need to whitelist every binary that goes into the image, all files (including those with the same name) must be dumped, or else the process will be pointless. This is further complicated by the fact that Karamba Security lets you edit the whitelist policy in the management tool, and in this QNX case we are not able to reflect the directory structure on the policy editing page.

Solving the QNX dilemma

After attacking this problem from a number of angles, the solution I found is to “learn” and recreate the IFS directory structure on our build machine and then use dumpifs without the “-b” option to dump the files to this directory structure. The process should be as follows:

  1. To learn the IFS directory structure, run dumpifs without any command line switches and redirect the output to a text file. This writes the contents of the IFS, with the full paths of all files, to the text file.

  2. Write a small script (bash will do) that parses the text file and recreates the folder structure of the IFS using the full file paths that dumpifs wrote there.

  3. Run dumpifs with the “-d” option to dump the contents of the image to the newly created directory structure.
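One way to write the script from step 2, as an added example that is not the author's own code. It assumes the listing has "offset size name" columns with the path in the third column; the sample listing and the function names are constructed for illustration.

```bash
#!/bin/sh
# Added example, not the author's script. Assumed listing layout:
# "offset size name" columns, symlinks printed as "name -> target".

# Print each unique directory implied by the dumpifs listing in file $1.
ifs_dirs() {
    awk '
        NF < 3 { next }                          # blank or short lines
        {
            name = $3
            if (index(name, "/") == 0) next      # header rows, top-level files
            # The listing comes from the image, so treat it as untrusted:
            # absolute paths and ".." components would leave the dump folder.
            if (substr(name, 1, 1) == "/" || index("/" name "/", "/../") > 0) {
                print "skipping unsafe path: " name > "/dev/stderr"
                next
            }
            sub("/[^/]*$", "", name)             # drop the file name
            if (!(name in seen)) { seen[name] = 1; print name }
        }
    ' "$1"
}

# Recreate those directories under destination folder $2.
make_ifs_tree() {
    mkdir -p -- "$2" || return 1
    ifs_dirs "$1" | while IFS= read -r dir; do
        mkdir -p -- "$2/$dir" || exit 1
    done
}

# Constructed sample listing (not output captured from a real image).
sample_listing() {
    cat <<'EOF'
   Offset     Size  Name
        0      100  Startup-header flags1=0x9 flags2=0 paddr_bias=0
    22110       5c  Image-header mountpoint=/
     ----     ----  Root-dirent
    23000    8a000  proc/boot/procnto-instr
     ----        3  bin/sh -> ksh
    b1000     a1c0  usr/bin/ls
    bc000     a1c0  bin/ls
    c7000      100  ../outside/file
Checksums: image=0x00000000 startup=0x00000000
EOF
}

# Usage: sh make_ifs_tree.sh listing.txt dump_folder
if [ "$#" -eq 2 ]; then make_ifs_tree "$1" "$2"; fi
```

Because both `usr/bin/ls` and `bin/ls` get their own directory, the same-name files that the flat “-b” dump would overwrite can land in separate places.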

This is what the IFS directory structure printed by dumpifs looks like:

[Image: QNX IFS Image]

If you have solved this problem using alternate methods, or if you want to share your experience using this method, please write to us!
