From: Robert Larson <robert@sixthings.com>
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] Running untrusted software
Date: Wed, 18 Jan 2006 10:14:48 -0600
Message-ID: <200601181014.48851.robert@sixthings.com>
In-Reply-To: <43CE578F.4090702@comcast.net>
On Wednesday 18 January 2006 08:58 am, Douglas Breault Jr wrote:
> Hello,
Hello!
> I am being forced to run software on my computer that I do not
> inherently trust. It is supposed to collect a few pieces of information,
> mainly my mac addresses and use the network. It is a one-time use CSA
> (client security agent). It uses a csh script to unpack a "proprietary
> binary" that we cannot see the source. There is no assurance it doesn't
> collect other information or change anything on my computer.
If I were in your shoes I would begin a forensic analysis. You may use the
commands strings and objdump against a binary executable, but if they are
serious, these may elude you. As well, if you can run the program freely or
in a sandbox of some sort then you could use tools such as lsof, ltrace,
strace, and tcpdump.
> I was curious as to what is the best way to handle this and situations
> like these. In this instance, I was assuming downloading, and running on
> a LiveCD would seem like the best policy. What if it uses methods to
> discover that and I need to run it on my real installation? Is a chroot
> jail the next best thing? As far as I know, to make a chroot jail I
> merely copy programs and libraries inside a folder with the proper /
> hierarchy and chroot into it. Is it more complex than this and are there
> any guides?
Perhaps a virtual server may be favorable...
A possible solution might be linux vserver. It's a little bit of an advanced
chroot. This would respond with the proper MAC, and there would be some
control on what it actually sees. Here is info on vservers:
http://linux-vserver.org/short+presentation
http://www.gentoo.org/doc/en/vserver-howto.xml
UML (usermode linux) might be another possibility, and there's quite a bit
along the lines of forensics support in the community as quite a few people
use it for honeypots. In taking this approach you could monitor the
activities of the binary _very_ closely.
> --
> How do I know the past isn't fiction designed to account for the
> discrepancy between my immediate physical sensations and my state of mind?
Hehe, nice!
HTH,
Robert Larson
--
gentoo-security@gentoo.org mailing list
Thread overview:
2006-01-18 14:58 [gentoo-security] Running untrusted software Douglas Breault Jr
2006-01-18 15:14 ` Oliver Schad
2006-01-18 15:29 ` Douglas Breault Jr
2006-01-18 16:22 ` Oliver Schad
2006-01-18 17:37 ` Douglas Breault Jr
2006-01-18 16:28 ` Brandon Edens
2006-01-21 20:48 ` Panagiotis Atmatzidis
2006-01-18 16:14 ` Robert Larson [this message]
2006-01-18 16:22 ` Robert Larson