
Running untrusted software
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hello,

I am being forced to run software on my computer that I do not
inherently trust. It is supposed to collect a few pieces of information,
mainly my mac addresses and use the network. It is a one-time use CSA
(client security agent). It uses a csh script to unpack a "proprietary
binary" that we cannot see the source. There is no assurance it doesn't
collect other information or change anything on my computer.

I was curious as to what is the best way to handle this and situations
like these. In this instance, I was assuming downloading, and running on
a LiveCD would seem like the best policy. What if it uses methods to
discover that and I need to run it on my real installation? Is a chroot
jail the next best thing? As far as I know, to make a chroot jail I
merely copy programs and libraries inside a folder with the proper /
hierarchy and chroot into it. Is it more complex than this and are there
any guides?

Any and all suggestions are welcome.

Thank you,
Douglas Breault Jr.

- --
How do I know the past isn't fiction designed to account for the discrepancy
between my immediate physical sensations and my state of mind?

/~\ The ASCII         Douglas Breault Jr. <GenKreton at comcast dot net>
\ / Ribbon Campaign   GnuPG public key ID: C4E44A19 (pgp.mit.edu)
 X  Against HTML      Key fingerprint:
/ \ Email!            21C3 F37D A8F5 1955 05F2 9A69 92A0 C177 C4E4 4A19
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDzleMkqDBd8TkShkRA1l4AKC2W54KDDwSN9MXKzodtN+v917BHgCfVsZJ
TPF6ZYn/ynJ5F9HZ45EtuPs=
=yPaH
-----END PGP SIGNATURE-----
--
gentoo-security@gentoo.org mailing list
Re: Running untrusted software
On Wednesday, 18 January 2006 15:58, Douglas Breault Jr wrote to me:
> I am being forced to run software on my computer that I do not
> inherently trust. It is supposed to collect a few pieces of
> information, mainly my mac addresses and use the network. It is a
> one-time use CSA (client security agent). It uses a csh script to
> unpack a "proprietary binary" that we cannot see the source. There is
> no assurance it doesn't collect other information or change anything
> on my computer.

If you don't trust this software, don't use it in a trusted environment,
which includes a trusted system and a trusted network.

> I was curious as to what is the best way to handle this and
> situations like these. In this instance, I was assuming downloading,
> and running on a LiveCD would seem like the best policy.

Is your host in a trusted network?

> What if it
> uses methods to discover that and I need to run it on my real
> installation? Is a chroot jail the next best thing?

From a chroot environment you can easily escape on a standard kernel.
Grsec offers a real chroot jail.

> As far as I know,
> to make a chroot jail I merely copy programs and libraries inside a
> folder with the proper / hierarchy and chroot into it. Is it more
> complex than this and are there any guides?

# esearch jail

Best Regards
Oli

--
gentoo-security@gentoo.org mailing list
RE: Running untrusted software
A good host-based IDS (file integrity monitoring system) would record any system-level changes made. It should be fairly trivial to start off with a sterile environment prior to running your CSA and inspect the environment afterwards.

Try Tripwire or AIDE.


-----Original Message-----
From: Douglas Breault Jr. on behalf of Douglas Breault Jr
Sent: Wed 1/18/2006 8:58 AM
To: gentoo-security@lists.gentoo.org
Cc:
Subject: [gentoo-security] Running untrusted software
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hello,

I am being forced to run software on my computer that I do not
inherently trust. It is supposed to collect a few pieces of information,
mainly my mac addresses and use the network. It is a one-time use CSA
(client security agent). It uses a csh script to unpack a "proprietary
binary" that we cannot see the source. There is no assurance it doesn't
collect other information or change anything on my computer.

I was curious as to what is the best way to handle this and situations
like these. In this instance, I was assuming downloading, and running on
a LiveCD would seem like the best policy. What if it uses methods to
discover that and I need to run it on my real installation? Is a chroot
jail the next best thing? As far as I know, to make a chroot jail I
merely copy programs and libraries inside a folder with the proper /
hierarchy and chroot into it. Is it more complex than this and are there
any guides?

Any and all suggestions are welcome.

Thank you,
Douglas Breault Jr.

- --
How do I know the past isn't fiction designed to account for the discrepancy
between my immediate physical sensations and my state of mind?

/~\ The ASCII         Douglas Breault Jr. <GenKreton at comcast dot net>
\ / Ribbon Campaign   GnuPG public key ID: C4E44A19 (pgp.mit.edu)
 X  Against HTML      Key fingerprint:
/ \ Email!            21C3 F37D A8F5 1955 05F2 9A69 92A0 C177 C4E4 4A19
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDzleMkqDBd8TkShkRA1l4AKC2W54KDDwSN9MXKzodtN+v917BHgCfVsZJ
TPF6ZYn/ynJ5F9HZ45EtuPs=
=yPaH
-----END PGP SIGNATURE-----
--
gentoo-security@gentoo.org mailing list
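A minimal version of the before/after file-integrity comparison Maurice describes, as an added example (it is not code from the thread, nor from Tripwire or AIDE). It hashes every file under a directory before the untrusted program runs, hashes again afterwards, and reports what appeared, vanished or changed. The scratch directory, its files and the "changes" it detects are all constructed for the example; the tool only sees files the scanning user can read and only the tree it is pointed at, which is the limitation Oliver raises later in the thread.

```python
import hashlib
import os
import stat
import tempfile


def _sha256(path, chunk=65536):
    """Hash a regular file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Record (content hash, permission bits, size) for every file under root,
    keyed by path relative to root.  Symlinks are recorded by their target rather
    than followed, so a redirected link shows up as a modification."""
    entries = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                entries[rel] = ("link:" + os.readlink(full), stat.S_IMODE(st.st_mode), st.st_size)
            elif stat.S_ISREG(st.st_mode):
                entries[rel] = (_sha256(full), stat.S_IMODE(st.st_mode), st.st_size)
            # sockets, fifos and device nodes are skipped here; a real tool records them too
    return entries


def diff_snapshots(before, after):
    """Compare two snapshots: which paths appeared, vanished, or changed hash/mode/size."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a scratch tree, simulate the kind of side effects an
    untrusted agent could leave behind, and re-scan.  Nothing here touches the real system."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "etc", "keep.conf"), "w") as fh:
            fh.write("unchanged\n")
        before = snapshot(root)  # baseline taken before the agent runs

        # Simulated side effects (constructed): an appended hosts entry and a new state file.
        with open(os.path.join(root, "etc", "hosts"), "a") as fh:
            fh.write("203.0.113.5 agent-update\n")  # 203.0.113.5 is a documentation address
        os.makedirs(os.path.join(root, "var", "lib", "csa"))
        with open(os.path.join(root, "var", "lib", "csa", "agent.pid"), "w") as fh:
            fh.write("4242\n")

        after = snapshot(root)  # re-scan after the agent has run
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Keep the baseline and the comparison program on media the untrusted program cannot write to (the LiveCD Douglas mentions is one option); a baseline that lives on the same filesystem can be edited along with everything else. Tripwire and AIDE additionally record owner, inode and timestamps, which catches a file replaced with identical content but different ownership.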
Re: Running untrusted software
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

I need to run this CSA in order to gain access to the network. I don't
trust the network much either, but I am always using OpenVPN, which I
trust completely. Currently I can access the network, and ergo my vpn
without this, but after the 26th that all changes.

I will definitely look into grsec but it seems complicated. Regardless I
require a viable solution and I will take the steps necessary,
regardless of complication.

Is there a way to try and trace what the binary wants to do? I'm aware I
could run strace on it and ethereal to capture what it transmits... But
is there more I can do?

Thanks,
Douglas Breault Jr.



Oliver Schad wrote:
> On Wednesday, 18 January 2006 15:58, Douglas Breault Jr wrote to me:
>> I am being forced to run software on my computer that I do not
>> inherently trust. It is supposed to collect a few pieces of
>> information, mainly my mac addresses and use the network. It is a
>> one-time use CSA (client security agent). It uses a csh script to
>> unpack a "proprietary binary" that we cannot see the source. There is
>> no assurance it doesn't collect other information or change anything
>> on my computer.
>
> If you don't trust this software, don't use it in a trusted environment,
> which includes a trusted system and a trusted network.
>
>> I was curious as to what is the best way to handle this and
>> situations like these. In this instance, I was assuming downloading,
>> and running on a LiveCD would seem like the best policy.
>
> Is your host in a trusted network?
>
>> What if it
>> uses methods to discover that and I need to run it on my real
>> installation? Is a chroot jail the next best thing?
>
> From a chroot environment you can easily escape on a standard kernel.
> Grsec offers a real chroot jail.
>
>> As far as I know,
>> to make a chroot jail I merely copy programs and libraries inside a
>> folder with the proper / hierarchy and chroot into it. Is it more
>> complex than this and are there any guides?
>
> # esearch jail
>
> Best Regards
> Oli
>


- --
How do I know the past isn't fiction designed to account for the discrepancy
between my immediate physical sensations and my state of mind?

/~\ The ASCII         Douglas Breault Jr. <GenKreton at comcast dot net>
\ / Ribbon Campaign   GnuPG public key ID: C4E44A19 (pgp.mit.edu)
 X  Against HTML      Key fingerprint:
/ \ Email!            21C3 F37D A8F5 1955 05F2 9A69 92A0 C177 C4E4 4A19
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDzl7okqDBd8TkShkRAyY9AKDfJlalc++hxQO7C2c05UWquNfZxACg1h56
Z3g7bxK1AowT9FL+B2mXq0c=
=rmk5
-----END PGP SIGNATURE-----
--
gentoo-security@gentoo.org mailing list
Re: Running untrusted software
On Wednesday, 18 January 2006 16:24, Johnson, Maurice E CTR NSWCDL-K74 wrote to me:
> A good host based IDS (file integrity monitoring system) would
> record any system level changes made.

No such IDS records any changes in *file systems* if the running
software has no access to root privileges. That is an important
difference.

> It should be fairly trivial to
> start off with a sterile environment prior to running your CSA and
> inspect the environment afterwards.
>
> Try Tripwire or AIDE.

This is not a good idea because this IDS cannot monitor all system
activities. The only reliable way to monitor all activities is to run
this software in a sandbox.

Best Regards
Oli
--
gentoo-security@gentoo.org mailing list
Re: Running untrusted software
On Wednesday 18 January 2006 08:58 am, Douglas Breault Jr wrote:
> Hello,
Hello!

> I am being forced to run software on my computer that I do not
> inherently trust. It is supposed to collect a few pieces of information,
> mainly my mac addresses and use the network. It is a one-time use CSA
> (client security agent). It uses a csh script to unpack a "proprietary
> binary" that we cannot see the source. There is no assurance it doesn't
> collect other information or change anything on my computer.
If I were in your shoes I would begin a forensic analysis. You may use the
commands strings and objdump against a binary executable, but if they are
serious, these may elude you. As well, if you can run the program freely or
in a sandbox of some sort then you could use tools such as lsof, ltrace,
strace, and tcpdump.

> I was curious as to what is the best way to handle this and situations
> like these. In this instance, I was assuming downloading, and running on
> a LiveCD would seem like the best policy. What if it uses methods to
> discover that and I need to run it on my real installation? Is a chroot
> jail the next best thing? As far as I know, to make a chroot jail I
> merely copy programs and libraries inside a folder with the proper /
> hierarchy and chroot into it. Is it more complex than this and are there
> any guides?
Perhaps a virtual server may be favorable...

A possible solution might be linux vserver. It's a little bit of an advanced
chroot. This would respond with the proper MAC, and there would be some
control on what it actually sees. Here is info on vservers:
http://linux-vserver.org/short+presentation
http://www.gentoo.org/doc/en/vserver-howto.xml

UML (usermode linux) might be another possibility, and there's quite a bit
along the lines of forensics support in the community as quite a few people
use it for honeypots. In taking this approach you could monitor the
activities of the binary _very_ closely.

> --
> How do I know the past isn't fiction designed to account for the
> discrepancy between my immediate physical sensations and my state of mind?
Hehe, nice!

HTH,

Robert Larson
--
gentoo-security@gentoo.org mailing list
Re: Running untrusted software
On Wednesday, 18 January 2006 16:29, Douglas Breault Jr wrote to me:
> I need to run this CSA in order to gain access to the network. I
> don't trust the network much either, but I am always using OpenVPN,
> which I trust completely. Currently I can access the network, and
> ergo my vpn without this, but after the 26th that all changes.

Take the solution with the Live-CD, or doesn't this meet your
requirements?

Best Regards
Oli
--
gentoo-security@gentoo.org mailing list
Re: Running untrusted software
On Wednesday 18 January 2006 08:58 am, Douglas Breault Jr wrote:
> I am being forced to run software on my computer that I do not
> inherently trust. It is supposed to collect a few pieces of information,
> mainly my mac addresses and use the network. It is a one-time use CSA
> (client security agent). It uses a csh script to unpack a "proprietary
> binary" that we cannot see the source. There is no assurance it doesn't
> collect other information or change anything on my computer.
I forgot to mention:
* dev-util/fenris
Latest version available: 0.07m-r2
Latest version installed: [ Not Installed ]
Size of downloaded files: 1,058 kB
Homepage: http://razor.bindview.com/tools/fenris/
Description: Fenris is a tracer, GUI debugger, analyzer, partial
decompiler and much more
License: GPL-2

HTH,

Robert Larson
--
gentoo-security@gentoo.org mailing list
Re: Running untrusted software
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Jan 18, 2006 at 10:29:47AM -0500, Douglas Breault Jr wrote:

> I need to run this CSA in order to gain access to the network. I don't
> trust the network much either, but I am always using OpenVPN, which I
> trust completely. Currently I can access the network, and ergo my vpn
> without this, but after the 26th that all changes.
>
> I will definitely look into grsec but it seems complicated. Regardless I
> require a viable solution and I will take the steps necessary,
> regardless of complication.

I've used grsec in the past (something like 1-2 years ago) and it wasn't that
complicated. I've also experimented with the hardened project running on a
multi-user server. We ran into issues with software breakage so we backed off.
I'm sure they've gotten lots of those problems fixed by now and might be quite
useful in a hostile environment. You could also explore machine virtualization,
i.e. Xen/"User Mode Linux". That'd give you the "clean room" environment needed to
explore what your binary might do during operation.

> Is there a way to try and trace what the binary wants to do? I'm aware I
> could run strace on it and ethereal to capture what it transmits... But
> is there more I can do?

Your basic tools for analyzing binaries are strace, ltrace, lsof, netcat,
strings. That binary is hopefully statically compiled so ltrace won't be as
useful. Definitely make sure to run strings on it and see if you can spot any
pertinent comments. You might get some use out of gdb if they left some
debugging symbols when compiling.

Brandon Edens
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDzmym4fsYS1VDj0gRAnXoAKCas91U0nGckitZeLhPUlDdVnVhNACfWxbt
1CqzJdp64x0aDOI/QXjUTVo=
=ahLf
-----END PGP SIGNATURE-----

--
gentoo-security@gentoo.org mailing list
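Douglas asked how to find out what the binary wants to do, and Robert and Brandon both point at strace. Raw strace output is long, so here is an added example (not code from the thread) that reduces a trace, as produced by `strace -f -o trace.log ./agent`, to the questions a reviewer cares about: what the binary read, what it wrote, which opens failed, where it tried to connect and what it spawned, then flags anything outside what a MAC-address collector plausibly needs. The trace lines, the agent name `csa-agent`, the expected server address 192.0.2.10 and the allowlist of read locations are all constructed for the example.

```python
import re

# One strace line: optional "[pid N] " or "N " prefix (from strace -f), the syscall name,
# its raw argument text, the return value, and anything after it (errno and message).
LINE_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?P<call>\w+)\((?P<args>.*)\)\s*=\s*'
    r'(?P<ret>-?\d+|\?)(?P<tail>.*)$'
)
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
INET_RE = re.compile(r'inet_addr\("([^"]+)"\)|inet_pton\([^,]+,\s*"([^"]+)"')
PORT_RE = re.compile(r'sin6?_port=htons\((\d+)\)')
UNIX_RE = re.compile(r'sun_path="([^"]+)"')
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND")


def summarize_strace(lines):
    """Reduce raw strace output to files read/written, failed opens, connection attempts
    (successful or not) and execve calls.  Other syscalls, signal notices and
    '<unfinished ...>' fragments are ignored."""
    summary = {"exec": [], "read": [], "write": [], "failed": [], "connect": []}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        call, args, ret, tail = m.group("call", "args", "ret", "tail")
        strings = QUOTED_RE.findall(args)
        ok = ret != "?" and int(ret) >= 0
        if call == "execve" and strings:
            summary["exec"].append((strings[0], " ".join(strings[1:])))
        elif call in ("open", "openat", "creat") and strings:
            path = strings[0]  # openat's AT_FDCWD is unquoted, so the first string is the path
            if not ok:
                errno = tail.split()[0] if tail.split() else "?"
                summary["failed"].append((path, errno))
            elif call == "creat" or any(flag in args for flag in WRITE_FLAGS):
                summary["write"].append(path)
            else:
                summary["read"].append(path)
        elif call == "connect":
            # Record the attempt even when it fails: where the binary *tries* to talk is the point.
            addr, port, unix = INET_RE.search(args), PORT_RE.search(args), UNIX_RE.search(args)
            if addr and port:
                summary["connect"].append((addr.group(1) or addr.group(2), port.group(1)))
            elif unix:
                summary["connect"].append(("unix", unix.group(1)))  # local socket, pseudo-host "unix"
    return summary


def review(summary, expected_read_prefixes, expected_hosts):
    """Turn the summary into findings: anything beyond what the agent is documented to need."""
    findings = []
    for path in summary["read"]:
        if not path.startswith(expected_read_prefixes):
            findings.append(f"unexpected read: {path}")
    for path, errno in summary["failed"]:
        findings.append(f"failed open, possible probe: {path} ({errno})")
    for path in summary["write"]:
        findings.append(f"filesystem write: {path}")
    for host, where in summary["connect"]:
        if host not in expected_hosts:
            findings.append(f"connection to unexpected endpoint: {host}:{where}")
    for path, argv in summary["exec"][1:]:  # [0] is the traced binary starting itself
        findings.append(f"child process: {path} [{argv}]")
    return findings


# Constructed trace in the style of `strace -f -o trace.log ./csa-agent`; not a real capture.
SAMPLE_TRACE = [
    'execve("./csa-agent", ["./csa-agent"], [/* 18 vars */]) = 0',
    'open("/etc/ld.so.cache", O_RDONLY) = 3',
    'open("/lib/libc.so.6", O_RDONLY) = 3',
    'open("/sys/class/net/eth0/address", O_RDONLY) = 4',
    'open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)',
    'socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 5',
    'connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.5")}, 16) = 0',
    'open("/var/tmp/.csa-state", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 6',
    'connect(6, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)',
    '[pid  4243] execve("/bin/sh", ["sh", "-c", "ifconfig -a"], [/* 18 vars */]) = 0',
]
EXPECTED_READS = ("/etc/ld.so", "/lib", "/usr/lib", "/sys/class/net")  # loader, libraries, MAC addresses
EXPECTED_HOSTS = {"192.0.2.10", "unix"}  # the agent's documented server (constructed) plus local sockets


def demo():
    summary = summarize_strace(SAMPLE_TRACE)
    return summary, review(summary, EXPECTED_READS, EXPECTED_HOSTS)


if __name__ == "__main__":
    _, findings = demo()
    print("\n".join(findings))
```

Run strace with `-f` so children such as the spawned shell are traced too, and with `-o` so the trace is not interleaved with the program's own output; `-s` raises the default string truncation if paths or argv get cut off. The failed open is kept as a finding on purpose: a program that only needs MAC addresses has no reason to ask for `/etc/shadow`, and a denied attempt says as much about intent as a successful one.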
Re: Running untrusted software
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Oliver Schad wrote:
> On Wednesday, 18 January 2006 16:29, Douglas Breault Jr wrote to me:
>> I need to run this CSA in order to gain access to the network. I
>> don't trust the network much either, but I am always using OpenVPN,
>> which I trust completely. Currently I can access the network, and
>> ergo my vpn without this, but after the 26th that all changes.
>
> Take the solution with the Live-CD, or doesn't this meet your
> requirements?
>
> Best Regards
> Oli

The live-cd solution will work perfectly _assuming_ the binary makes no
effort to ensure it is running on a real installation. So my primary
concern is gaining access to the network again without any changes to my
system.

As a secondary concern, I would like to figure out what the binary is
doing every step of the way and publishing the results for others to be
aware of.

Thanks everyone for your great responses. I definitely have some
research to do in this new and very intriguing area of system management
and security.

Sincerely,
Doug

- --
How do I know the past isn't fiction designed to account for the discrepancy
between my immediate physical sensations and my state of mind?

/~\ The ASCII         Douglas Breault Jr. <GenKreton at comcast dot net>
\ / Ribbon Campaign   GnuPG public key ID: C4E44A19 (pgp.mit.edu)
 X  Against HTML      Key fingerprint:
/ \ Email!            21C3 F37D A8F5 1955 05F2 9A69 92A0 C177 C4E4 4A19
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDznzykqDBd8TkShkRA49yAJ9P7PTablbNfi1W1WItjawqLfKtoACfbtQa
dahDK97jnuIpnlm3Rg2riBo=
=iZPi
-----END PGP SIGNATURE-----
--
gentoo-security@gentoo.org mailing list
Re: Running untrusted software
Hello,

On 1/18/06, Oliver Schad <o.schad@web.de> wrote:
>
> On Wednesday, 18 January 2006 15:58, Douglas Breault Jr wrote to me:
> > I am being forced to run software on my computer that I do not
> > inherently trust. It is supposed to collect a few pieces of
> > information, mainly my mac addresses and use the network. It is a
> > one-time use CSA (client security agent). It uses a csh script to
> > unpack a "proprietary binary" that we cannot see the source. There is
> > no assurance it doesn't collect other information or change anything
> > on my computer.
>
> If you don't trust this software, don't use it in a trusted environment,
> which includes a trusted system and a trusted network.
>
> > I was curious as to what is the best way to handle this and
> > situations like these. In this instance, I was assuming downloading,
> > and running on a LiveCD would seem like the best policy.
>
> Is your host in a trusted network?
>
> > What if it
> > uses methods to discover that and I need to run it on my real
> > installation? Is a chroot jail the next best thing?
>
> From a chroot environment you can easily escape on a standard kernel.
> Grsec offers a real chroot jail.



Can you explain further please? How can an intruder bypass a chrooted
environment *easily*?

> As far as I know,
> > to make a chroot jail I merely copy programs and libraries inside a
> > folder with the proper / hierarchy and chroot into it. Is it more
> > complex than this and are there any guides?
>
> # esearch jail
>
> Best Regards
> Oli
>
> --
> gentoo-security@gentoo.org mailing list
>
>


--
Panagiotis