Gentoo Archives: gentoo-security

From: Robert Larson <robert@×××××××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Running untrusted software
Date: Wed, 18 Jan 2006 16:20:54
In Reply to: [gentoo-security] Running untrusted software by Douglas Breault Jr
On Wednesday 18 January 2006 08:58 am, Douglas Breault Jr wrote:
> Hello,
> I am being forced to run software on my computer that I do not
> inherently trust. It is supposed to collect a few pieces of information,
> mainly my mac addresses and use the network. It is a one-time use CSA
> (client security agent). It uses a csh script to unpack a "proprietary
> binary" that we cannot see the source. There is no assurance it doesn't
> collect other information or change anything on my computer.
If I were in your shoes I would begin a forensic analysis. You may use the commands strings and objdump against a binary executable, but if they are serious, these may elude you. As well, if you can run the program freely or in a sandbox of some sort then you could use tools such as lsof, ltrace, strace, and tcpdump.
> I was curious as to what is the best way to handle this and situations
> like these. In this instance, I was assuming downloading, and running on
> a LiveCD would seem like the best policy. What if it uses methods to
> discover that and I need to run it on my real installation? Is a chroot
> jail the next best thing? As far as I know, to make a chroot jail I
> merely copy programs and libraries inside a folder with the proper /
> hierarchy and chroot into it. Is it more complex than this and are there
> any guides?
Perhaps a virtual server may be favorable... A possible solution might be linux vserver. It's a little bit of an advanced chroot. This would respond with the proper MAC, and there would be some control on what it actually sees. Here is info on vservers:

UML (usermode linux) might be another possibility, and there's quite a bit along the lines of forensics support in the community as quite a few people use it for honeypots. In taking this approach you could monitor the activities of the binary _very_ closely.
> --
> How do I know the past isn't fiction designed to account for the
> discrepancy between my immediate physical sensations and my state of mind?
Hehe, nice!

HTH,
Robert Larson
--
gentoo-security@g.o mailing list
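The reply above suggests starting with strings and objdump before ever running the binary. The script below is an added example (not from the thread or from any CSA vendor): it does a strings-style pass with nothing but coreutils and grep, then pulls out the strings a reviewer would want the vendor to explain, such as socket calls, shell interpreters, MAC-address interfaces under /sys/class/net, URLs and IP literals. The sample "binary" written by make_sample is constructed for the demonstration; the indicator list is a starting point, not a complete one.

```shell
#!/bin/sh
# Static triage of an opaque binary using only tr/grep/sort (no binutils).
# Added example; make_sample writes a constructed stand-in for the CSA binary.

# extract_strings FILE [MINLEN]: print runs of at least MINLEN printable
# ASCII characters, roughly what strings(1) does. LC_ALL=C keeps tr and
# grep byte-oriented so arbitrary binary input is handled.
extract_strings() {
  minlen="${2:-4}"
  LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E ".{$minlen,}"
}

# flag_indicators FILE: the extracted strings that deserve an explanation:
# network calls and libraries, shell interpreters, sensitive files, the
# sysfs path where MAC addresses live, HTTP traffic, URLs and IPv4 literals.
flag_indicators() {
  extract_strings "$1" | LC_ALL=C grep -E \
    'socket|connect|getaddrinfo|libc\.so|/bin/(sh|csh|bash)|/etc/(passwd|shadow)|/sys/class/net|SIOCGIFHWADDR|HTTP/|https?://|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
    | sort -u
}

# count_indicators FILE: number of distinct flagged strings, handy as a
# "does this need a closer look?" number in a larger script.
count_indicators() {
  flag_indicators "$1" | wc -l | tr -d ' '
}

# make_sample OUTFILE: constructed input, a few non-printable bytes with
# NUL-separated strings between them, the way a real executable looks.
make_sample() {
  {
    printf '\177ELF\002\001\001'
    printf '\000\000\000\000\000\000\000\000\000'
    printf 'libc.so.6\000socket\000connect\000'
    printf '/sys/class/net/eth0/address\000'
    printf '/bin/csh\000'
    printf 'POST /collect HTTP/1.0\000'
    printf '10.0.0.1\000'
    printf 'ab\000cd\000'
    printf 'version 1.0\000'
  } > "$1"
}

# Usage: ./triage.sh /path/to/binary
if [ "$#" -eq 1 ]; then
  flag_indicators "$1"
fi
```

Run it against the unpacked binary rather than the csh wrapper, since the wrapper is readable anyway. A short or empty indicator list from a program that is supposed to talk to the network is itself informative: it usually means the strings are packed or encoded, which is the "if they are serious, these may elude you" case, and the point at which the dynamic tools (strace, ltrace, lsof, tcpdump) in a sandbox become necessary.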
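The quoted question asks whether building a chroot jail really is just copying the programs and libraries into a directory with the proper / hierarchy. It is, and the script below is an added example of that procedure (not code from the thread, from Gentoo, or from linux vserver): it copies each binary plus every shared object ldd reports, including the ELF loader, into the jail under its original path. The build_jail and jail_files names are this example's own; the /etc/passwd line it writes is a constructed minimum.

```shell
#!/bin/sh
# build_jail JAIL_DIR /abs/path/to/binary...
# Copies each binary and the shared objects ldd(1) lists for it into
# JAIL_DIR, preserving the original / hierarchy. Added example.
build_jail() {
  jail="$1"; shift
  [ -n "$jail" ] || return 1
  mkdir -p "$jail/dev" "$jail/tmp" "$jail/etc" || return 1
  for bin in "$@"; do
    case "$bin" in
      /*) ;;
      *) echo "need an absolute path: $bin" >&2; return 1 ;;
    esac
    [ -f "$bin" ] || { echo "no such file: $bin" >&2; return 1; }
    mkdir -p "$jail$(dirname "$bin")" || return 1
    cp -p "$bin" "$jail$bin" || return 1
    # ldd prints one dependency per line; keep every field that is an
    # absolute path, which covers both "libc.so.6 => /lib/libc.so.6 (0x..)"
    # and the bare loader line "/lib64/ld-linux-x86-64.so.2 (0x..)".
    # Static binaries and scripts make ldd fail: then there is nothing to copy.
    for lib in $(ldd "$bin" 2>/dev/null \
                 | awk '{for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i}'); do
      [ -f "$lib" ] || continue
      mkdir -p "$jail$(dirname "$lib")" || return 1
      cp -p "$lib" "$jail$lib" || return 1
    done
  done
  # Minimal passwd so user-name lookups inside the jail have a file to read.
  [ -f "$jail/etc/passwd" ] || echo 'root:x:0:0:root:/:/bin/sh' > "$jail/etc/passwd"
}

# jail_files JAIL_DIR: list what ended up inside, relative to the jail root.
jail_files() {
  ( cd "$1" && find . -type f | sort )
}

# Usage: ./mkjail.sh /tmp/jail /bin/sh /path/to/unpacked-binary
# then, as root: chroot /tmp/jail /bin/sh
if [ "$#" -ge 2 ]; then
  build_jail "$@" && jail_files "$1"
fi
```

Two things the question's "is it more complex than this" deserves a direct answer on: entering the jail needs root, and chroot only changes the process's view of the filesystem. It does not restrict system calls, the network, or /proc, so a binary that reads MAC addresses or talks to the network does exactly the same inside it, and a process that runs as root inside a plain chroot is not confined by it at all. That is why the reply points to linux vserver or UML when the goal is to both control what the program sees and watch what it does.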