Gentoo Archives: gentoo-security

From: Robert Larson <robert@×××××××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Running untrusted software
Date: Wed, 18 Jan 2006 16:20:54
Message-Id: 200601181014.48851.robert@sixthings.com
In Reply to: [gentoo-security] Running untrusted software by Douglas Breault Jr
On Wednesday 18 January 2006 08:58 am, Douglas Breault Jr wrote:
> Hello,
Hello!

> I am being forced to run software on my computer that I do not
> inherently trust. It is supposed to collect a few pieces of information,
> mainly my MAC addresses, and use the network. It is a one-time-use CSA
> (client security agent). It uses a csh script to unpack a "proprietary
> binary" whose source we cannot see. There is no assurance it doesn't
> collect other information or change anything on my computer.
If I were in your shoes I would begin a forensic analysis. You may use the
commands strings and objdump against a binary executable, but if they are
serious, these may elude you. As well, if you can run the program freely or
in a sandbox of some sort then you could use tools such as lsof, ltrace,
strace, and tcpdump.

> I was curious as to what is the best way to handle this and situations
> like these. In this instance, I was assuming downloading, and running on
> a LiveCD would seem like the best policy. What if it uses methods to
> discover that and I need to run it on my real installation? Is a chroot
> jail the next best thing? As far as I know, to make a chroot jail I
> merely copy programs and libraries inside a folder with the proper /
> hierarchy and chroot into it. Is it more complex than this and are there
> any guides?
Perhaps a virtual server may be favorable...

A possible solution might be Linux-VServer. It's a little bit of an advanced
chroot. This would respond with the proper MAC, and there would be some
control on what it actually sees. Here is info on vservers:
http://linux-vserver.org/short+presentation
http://www.gentoo.org/doc/en/vserver-howto.xml

UML (User-mode Linux) might be another possibility, and there's quite a bit
along the lines of forensics support in the community as quite a few people
use it for honeypots. In taking this approach you could monitor the
activities of the binary _very_ closely.

> --
> How do I know the past isn't fiction designed to account for the
> discrepancy between my immediate physical sensations and my state of mind?
Hehe, nice!

HTH,

Robert Larson
--
gentoo-security@g.o mailing list
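The triage Robert sketches above (strings/objdump first, then strace and friends inside a sandbox), worked into a runnable script as an added example. It is not part of the thread and nothing in it comes from the CSA package Douglas describes: the sample "binary" is a constructed byte blob, the indicator patterns are my own assumptions about what matters for an agent that is supposed to touch only MAC addresses and the network, and the strings step is rebuilt from tr/grep so it runs even where binutils is absent.

```shell
#!/bin/sh
# Added example, not from the gentoo-security thread or the CSA vendor.
# Static, then dynamic, triage of an opaque binary in the order Robert
# suggests. Indicator patterns and the sample blob below are assumptions.

LC_ALL=C
export LC_ALL

# Portable stand-in for `strings`: every run of 4+ printable bytes, once each.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}' | sort -u
}

# Flag strings that matter for an agent that should only read MAC addresses
# and talk to the network: URLs and literal IPs (where does it phone home?),
# interface/MAC discovery paths, and files it has no business touching.
# The pattern list is an assumption; extend it for your own environment.
triage_static() {
    extract_strings "$1" | grep -E \
      'https?://|[0-9]{1,3}(\.[0-9]{1,3}){3}|/proc/net|/sys/class/net|ifconfig|/etc/(passwd|shadow)|\.ssh|/dev/'
}

# Dynamic triage, for use inside a throwaway VM/vserver/UML guest, never on
# the real installation: run the binary under strace with an empty
# environment and a scratch HOME, keep only file/network/process syscalls,
# and summarise which paths, sockets and programs it touched. ltrace, lsof
# and tcpdump from the thread complement this; strace alone already shows
# every open, connect and exec.
triage_dynamic() {
    bin="$1"; log="$2"
    command -v strace >/dev/null 2>&1 || { echo "strace not installed" >&2; return 2; }
    scratch=$(mktemp -d)
    env -i HOME="$scratch" PATH=/usr/bin:/bin \
        strace -f -o "$log" -e trace=file,network,process "$bin"
    grep -E '^[0-9]+ +(openat?|connect|execve)\(' "$log" | sort | uniq -c | sort -rn
}

# Constructed sample standing in for the "proprietary binary": a few
# non-printable bytes around strings an agent like this might carry.
# 203.0.113.7 is a TEST-NET-3 address and resolves nowhere.
make_sample() {
    printf 'ELF\177\001\002\000\000\000http://203.0.113.7/report\000\003\000/sys/class/net/\000x\000ifconfig -a\000\000hello world\000' > "$1"
}

# Demo: static pass over the constructed sample, then (if strace exists)
# a dynamic pass over whatever executable is given as the second argument.
demo() {
    sample=$(mktemp)
    make_sample "$sample"
    echo "== static indicators in sample =="
    triage_static "$sample"
    echo "== dynamic (strace) summary =="
    triage_dynamic "${1:-/bin/true}" "$sample.strace" || true
    rm -f "$sample" "$sample.strace"
}

if [ "${1:-}" = "--demo" ]; then
    demo "${2:-}"
fi
```

Run `sh triage.sh --demo /path/to/unpacked/agent` inside the sandbox to see both passes; the static pass on the constructed sample reports the URL, the /sys/class/net path and the ifconfig call and ignores the harmless "hello world" string. The point of `env -i` plus a scratch HOME in the dynamic pass is that anything the agent reads outside that directory shows up in the strace log as a choice it made, not something the environment handed it.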