Topic: Interesting sandbox hypothetical

deadly7
Interesting sandbox hypothetical
« on: February 24, 2011, 07:21:23 pm »
Let's say you have a binary that "phones home". The machine on which it resides you have SSH access to, but cannot log in via root [or sudo]. How would you sandbox it so that all outgoing network traffic from the executable gets blocked?
[17:42:21.609] <Ergot> Kutsuju your girlfriend's pussy must be a 403 error for you
[17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

iago
Re: Interesting sandbox hypothetical
« Reply #1 on: February 24, 2011, 07:35:54 pm »
On Windows, I wrote a loader that would start a process suspended and modify some of the calls (send/recv/etc.) to go through my code before going out. It would probably work without admin access, and the same type of thing should be possible on Linux. It's function hooking or writing a loader.

I've never done it on Linux, sadly. I mostly do this type of thing from Windows.
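The Linux counterpart of the hooking iago describes, written as an added example rather than code from this thread: an LD_PRELOAD shim that interposes connect() and sendto() in a dynamically linked, non-setuid binary, so it needs no root. The policy (loopback and AF_UNIX allowed, everything else refused with ENETUNREACH and logged to stderr) and the file name netjail.c are my assumptions; the real syscalls are reached through syscall(2) so the shim does not need dlsym(RTLD_NEXT) or -ldl.

```c
/* netjail.c: added example of an LD_PRELOAD egress block (not from the thread).
 * Build:  gcc -shared -fPIC -o netjail.so netjail.c
 * Run:    LD_PRELOAD=./netjail.so ./suspect-binary
 * Assumed policy: loopback (127/8, ::1) and AF_UNIX are allowed; any other
 * destination is refused with ENETUNREACH and logged to stderr. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <unistd.h>

/* Return 1 if the destination stays on this host, 0 if it would leave it.
 * A NULL address means "the socket's connected peer", which connect() has
 * already vetted, so it is allowed. Truncated or unknown families are refused. */
int egress_allowed(const struct sockaddr *sa, socklen_t len)
{
    if (sa == NULL)
        return 1;
    if (len < sizeof(sa_family_t))
        return 0;
    switch (sa->sa_family) {
    case AF_UNIX:
        return 1;
    case AF_INET: {
        struct sockaddr_in in4;
        if (len < sizeof in4)
            return 0;
        memcpy(&in4, sa, sizeof in4);
        return (ntohl(in4.sin_addr.s_addr) >> 24) == 127;   /* 127.0.0.0/8 */
    }
    case AF_INET6: {
        struct sockaddr_in6 in6;
        if (len < sizeof in6)
            return 0;
        memcpy(&in6, sa, sizeof in6);
        return IN6_IS_ADDR_LOOPBACK(&in6.sin6_addr);
    }
    default:
        return 0;
    }
}

/* Render the destination for the log line; non-IP families show only the family number. */
static void describe(const struct sockaddr *sa, socklen_t len, char *out, size_t outlen)
{
    char host[INET6_ADDRSTRLEN] = "?";
    unsigned port = 0;
    if (sa && sa->sa_family == AF_INET && len >= sizeof(struct sockaddr_in)) {
        struct sockaddr_in in4;
        memcpy(&in4, sa, sizeof in4);
        inet_ntop(AF_INET, &in4.sin_addr, host, sizeof host);
        port = ntohs(in4.sin_port);
    } else if (sa && sa->sa_family == AF_INET6 && len >= sizeof(struct sockaddr_in6)) {
        struct sockaddr_in6 in6;
        memcpy(&in6, sa, sizeof in6);
        inet_ntop(AF_INET6, &in6.sin6_addr, host, sizeof host);
        port = ntohs(in6.sin6_port);
    }
    snprintf(out, outlen, "family=%d %s:%u", sa ? (int)sa->sa_family : -1, host, port);
}

/* Log the attempt (this is the detection value of the shim) and fail the call. */
static int refuse(const char *call, const struct sockaddr *sa, socklen_t len)
{
    char where[96];
    describe(sa, len, where, sizeof where);
    fprintf(stderr, "netjail: blocked %s to %s\n", call, where);
    errno = ENETUNREACH;
    return -1;
}

/* Interposed connect(): same signature as libc's. The real syscall is
 * reached through syscall(2), so no dlsym(RTLD_NEXT) or -ldl is needed. */
int connect(int fd, const struct sockaddr *sa, socklen_t len)
{
    if (!egress_allowed(sa, len))
        return refuse("connect", sa, len);
    return (int)syscall(SYS_connect, fd, sa, len);
}

/* Unconnected UDP sockets can send without connect(), so gate sendto() too. */
ssize_t sendto(int fd, const void *buf, size_t n, int flags,
               const struct sockaddr *sa, socklen_t len)
{
    if (!egress_allowed(sa, len))
        return refuse("sendto", sa, len);
    return syscall(SYS_sendto, fd, buf, n, flags, sa, len);
}
```

Treat this as a tripwire for an ordinary program rather than a security boundary: the loader ignores LD_PRELOAD for setuid binaries, a statically linked binary never goes through libc's connect(), and a program that issues the syscall itself or uses sendmsg() walks straight past the hook. Its strength is that every refused destination is logged, which tells you where the binary was trying to phone home.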

nslay
Re: Interesting sandbox hypothetical
« Reply #2 on: February 25, 2011, 11:58:28 pm »
I've never seen a Unix firewall that can block based on process. Although, I'm mostly a pf user myself.
An adorable giant isopod!

Joe
Re: Interesting sandbox hypothetical
« Reply #3 on: February 26, 2011, 11:22:45 am »
I can't say without more details, but is unplugging the Ethernet a possible fix? It'll stop the program from phoning home, at least.
I'd personally do as Joe suggests

You might be right about that, Joe.


Blaze
Re: Interesting sandbox hypothetical
« Reply #4 on: February 26, 2011, 12:06:54 pm »
If he has to ssh in, and he doesn't have root, it's likely that he does not have physical access to the box.
And like a fool I believed myself, and thought I was somebody else...

Joe
Re: Interesting sandbox hypothetical
« Reply #5 on: February 26, 2011, 12:53:14 pm »
Can you write a plugin that gives me an "I just woke up button" that doesn't allow me to post within 30 minutes of clicking it?

iago
Re: Interesting sandbox hypothetical
« Reply #6 on: February 27, 2011, 10:37:42 am »
Can you write a plugin that gives me an "I just woke up button" that doesn't allow me to post within 30 minutes of clicking it?
Sure, but it might have a large false positive rate.

Blaze
Re: Interesting sandbox hypothetical
« Reply #7 on: February 27, 2011, 04:39:48 pm »
Can you write a plugin that gives me an "I just woke up button" that doesn't allow me to post within 30 minutes of clicking it?
Sure, but it might have a large false positive rate.


Hahaha.

Sidoh
Re: Interesting sandbox hypothetical
« Reply #8 on: February 27, 2011, 04:47:49 pm »
HOLD ON, HOLD ON. WAIT A MINUTE

did someone just get told?