public inbox for gentoo-security@lists.gentoo.org
From: Robert Larson <robert@sixthings.com>
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] Running untrusted software
Date: Wed, 18 Jan 2006 10:14:48 -0600
Message-ID: <200601181014.48851.robert@sixthings.com>
In-Reply-To: <43CE578F.4090702@comcast.net>

On Wednesday 18 January 2006 08:58 am, Douglas Breault Jr wrote:
> Hello,
Hello!

> I am being forced to run software on my computer that I do not
> inherently trust. It is supposed to collect a few pieces of information,
> mainly my mac addresses and use the network. It is a one-time use CSA
> (client security agent). It uses a csh script to unpack a "proprietary
> binary" whose source we cannot see. There is no assurance it doesn't
> collect other information or change anything on my computer.
If I were in your shoes I would begin a forensic analysis.  You may use the 
commands strings and objdump against a binary executable, but if they are 
serious, these may elude you.  As well, if you can run the program freely or
in a sandbox of some sort then you could use tools such as lsof, ltrace, 
strace, and tcpdump.

> I was curious as to what is the best way to handle this and situations
> like these. In this instance, I was assuming downloading, and running on
> a LiveCD would seem like the best policy. What if it uses methods to
> discover that and I need to run it on my real installation? Is a chroot
> jail the next best thing? As far as I know, to make a chroot jail I
> merely copy programs and libraries inside a folder with the proper /
> hierarchy and chroot into it. Is it more complex than this and are there
> any guides?
Perhaps a virtual server may be favorable...

A possible solution might be linux vserver.  It's a little bit of an advanced 
chroot.  This would respond with the proper MAC, and there would be some 
control on what it actually sees.  Here is info on vservers:
http://linux-vserver.org/short+presentation
http://www.gentoo.org/doc/en/vserver-howto.xml

UML (usermode linux) might be another possibility, and there's quite a bit 
along the lines of forensics support in the community as quite a few people 
use it for honeypots.  In taking this approach you could monitor the 
activities of the binary _very_ closely.

> --
> How do I know the past isn't fiction designed to account for the
> discrepancy between my immediate physical sensations and my state of mind?
Hehe, nice!

HTH,

Robert Larson
-- 
gentoo-security@gentoo.org mailing list
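The reply above suggests running the agent in a sandbox and watching it with strace and friends. As an added example (not from the thread or its author), here is a small POSIX sh script that post-processes an strace log of such a run and reports what the binary touched; the trace it embeds is constructed, and the allowlist of "expected" paths for a MAC-address collector is an assumption.

```shell
#!/bin/sh
# Triage an strace log of an untrusted binary run inside a sandbox/VM.
# Assumed capture command (run in the sandbox, not on the real install):
#   strace -f -o csa.trace -e trace=file,network,process ./csa-agent
# then:  report < csa.trace
# The trace below is constructed for demonstration; PIDs, paths and the
# 198.51.100.7 address are made up.
SAMPLE_TRACE='1234  execve("./csa-agent", ["./csa-agent"], 0x7ffd4) = 0
1234  openat(AT_FDCWD, "/etc/hostname", O_RDONLY) = 3
1234  openat(AT_FDCWD, "/sys/class/net/eth0/address", O_RDONLY) = 3
1234  openat(AT_FDCWD, "/home/doug/.ssh/id_rsa", O_RDONLY) = -1 EACCES (Permission denied)
1234  connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("198.51.100.7")}, 16) = 0
1234  clone(child_stack=NULL, flags=CLONE_CHILD_SETTID|SIGCHLD) = 1235
1235  execve("/bin/sh", ["sh", "-c", "ifconfig -a"], 0x55d0) = 0
1234  openat(AT_FDCWD, "/tmp/.csa-cache", O_WRONLY|O_CREAT, 0600) = 5'

# Every path the binary tried to open, whether or not the open succeeded.
opened_files() { sed -n 's/.*openat([^,]*, "\([^"]*\)".*/\1/p'; }

# Opens that failed, with the errno: a denied read of a key file is still an attempt.
failed_opens() { sed -n 's/.*openat([^,]*, "\([^"]*\)".*= -1 \([A-Z]*\).*/\1 (\2)/p'; }

# Remote endpoints as host:port taken from IPv4 connect() calls.
remote_hosts() { sed -n 's/.*connect(.*sin_port=htons(\([0-9]*\)).*inet_addr("\([^"]*\)").*/\2:\1/p'; }

# Programs executed, including children spawned by the wrapper script (needs strace -f).
executed_cmds() { sed -n 's/.*execve("\([^"]*\)", \[\([^]]*\)].*/\1 [\2]/p'; }

# Opened paths outside what a MAC-address collector plausibly needs (allowlist is an assumption).
unexpected_files() {
    opened_files | sed -e '\#^/sys/class/net/#d' -e '\#^/etc/hostname$#d' -e '\#^/proc/net/#d'
}

# Full report from a trace on stdin.
report() {
    trace=$(cat)
    printf '== files opened ==\n%s\n' "$(printf '%s\n' "$trace" | opened_files)"
    printf '== failed opens ==\n%s\n' "$(printf '%s\n' "$trace" | failed_opens)"
    printf '== network connections ==\n%s\n' "$(printf '%s\n' "$trace" | remote_hosts)"
    printf '== programs executed ==\n%s\n' "$(printf '%s\n' "$trace" | executed_cmds)"
    printf '== opens outside the expected set ==\n%s\n' "$(printf '%s\n' "$trace" | unexpected_files)"
}

printf '%s\n' "$SAMPLE_TRACE" | report
```

Compare the report against what the agent is claimed to do: reading /sys/class/net/*/address is expected, reading ~/.ssh or spawning shells is not.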
