Feature: Checkpoint Diffing (Compare Two Checkpoints) #173

@Lorygold

Description

Motivation

Currently, checkpointctl provides powerful tools for inspecting a single checkpoint, but it lacks built-in functionality to compare two checkpoint states.
A diff mechanism would be valuable for several reasons:

  • Debugging:
  • Security analysis: highlighting attacker-induced modifications and revealing suspicious or unauthorized changes.
  • Forensics: identifying the sequence of steps taken during an intrusion by comparing intermediate snapshots.
  • Future optimization: if incremental saving of checkpoints is ever introduced, a diffing capability would make it possible to store only the differences instead of generating a full new checkpoint.

This feature would significantly improve the ability to pinpoint modifications, especially those introduced by an attacker, and help analysts reconstruct the attack chain.


Proposed Functionality

Introduce a new command, for example:

checkpointctl diff <checkpointA> <checkpointB>

The command should be capable of comparing two checkpoints and reporting differences across multiple dimensions, such as:

  • Process tree:
      • Added or removed processes
      • Differences in PIDs, PPIDs, command lines
  • Memory maps:
      • New or removed VMAs
      • Changed permissions (rwx)
      • Differences in file-backed mappings
      • Changes in offset or size
  • Memory pages:
      • Page-level diffing (dirty vs. unchanged pages)
      • Detection of high-entropy or potentially sensitive page differences
      • Reporting added or removed shared pages
  • File descriptors:
      • New, closed, or modified file descriptors
      • Differences in socket state or file offsets
  • Environment variables:
      • Changes in environment variable content
      • Added or removed sensitive variables
  • CRIU images:
      • Structural diffs of CRIU image files
      • Differences in metadata headers

I’m interested in your feedback on this feature and whether it aligns with the direction of the project. If it’s considered useful, I would be glad to contribute to its design and implementation.
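One way the memory-map dimension of such a diff could be implemented, as an added illustration that is not checkpointctl's or CRIU's code: `VMA`, `DiffVMAs` and the three-character `Prot` string are assumed simplifications of what a CRIU mm image actually records. Mappings are matched by address range and backing file, and the permission changes most relevant to the security use case (a region becoming executable, or a new anonymous executable region) are singled out.

```go
package main

import "fmt"
import "strings"

// VMA is a simplified record of one mapping, as listed in a CRIU mm image (assumed shape).
type VMA struct {
	Start, End uint64
	Prot       string // "rwx"-style flags, e.g. "r-x"
	File       string // backing file; "" means anonymous
}
// VMADiff is the result of comparing the mapping lists of two checkpoints.
type VMADiff struct {
	Added, Removed []VMA
	ProtChanged    []string // "range:file: old -> new"
	Suspicious     []string // the subset an analyst should look at first
}
func vmaKey(v VMA) string { return fmt.Sprintf("%x-%x:%s", v.Start, v.End, v.File) }
// DiffVMAs matches mappings by (address range, backing file) and reports
// additions, removals and permission changes from checkpoint A to checkpoint B.
func DiffVMAs(a, b []VMA) VMADiff {
	var d VMADiff
	old := map[string]VMA{}
	for _, v := range a {
		old[vmaKey(v)] = v
	}
	for _, v := range b {
		k := vmaKey(v)
		prev, ok := old[k]
		delete(old, k) // whatever is left in old afterwards was removed
		exec := strings.Contains(v.Prot, "x")
		switch {
		case !ok:
			d.Added = append(d.Added, v)
			if v.File == "" && exec { // anonymous +x: injected code, JIT output or a packer
				d.Suspicious = append(d.Suspicious, "new anonymous executable mapping "+k)
			}
		case prev.Prot != v.Prot:
			line := fmt.Sprintf("%s: %s -> %s", k, prev.Prot, v.Prot)
			d.ProtChanged = append(d.ProtChanged, line)
			if exec && !strings.Contains(prev.Prot, "x") { // mprotect(+x) after checkpoint A
				d.Suspicious = append(d.Suspicious, "became executable "+line)
			}
		}
	}
	for _, v := range old {
		d.Removed = append(d.Removed, v)
	}
	return d
}
```

Removed mappings come out of a map, so their order is not stable; sort them by `Start` before printing a report.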
