
Randomize the homedir of the user to evade sandbox detection.

Open calebbrown opened this issue 3 years ago • 2 comments

Some samples of malware check for a $HOME of /root and skip running if true.

Running as root has its advantages, so perhaps change the home from /root to /home/${name}, where ${name} is replaced by a name drawn at random from a set of predefined common usernames (e.g. popular first names, admin, deploy, worker, etc.).

calebbrown, Apr 05 '22 08:04

Could this be done dynamically in the sandbox by doing an adduser/useradd and then su or sudo -l to that user before installing and running the package?

maxfisher-g, Oct 14 '22 03:10

Issues to consider (from discussion with @calebbrown):

  • If the username is randomised, then the home directory will be randomised, and we want to be able to replace the randomised home directory with a generic token (e.g. $USER or %USER%)
  • Names should be hard to guess (i.e. not constant or drawn from a small set) but also not too obviously random
  • podman has a way to supply the user to run as
  • Potentially could run as both unprivileged user as well as root, but this doubles the amount of data collected
  • We should probably do some experiments to determine how many packages actually do check whether they're running as root

Current conclusion is that this issue is not super high priority.

maxfisher-g, Oct 18 '22 04:10
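One way to put the two ideas in this thread together (a plausible but non-constant username with a /home/&lt;name&gt; homedir, and normalising the collected output back to a generic token so runs stay comparable). This is an added illustration, not code from the package-analysis project; the name pool, the %USER% token and the sample log lines are constructed assumptions, and the `useradd`/`sudo` lines are only generated, not executed.

```python
import re
import secrets
import shlex

# Constructed pool of ordinary-looking usernames (assumption: the real set would be larger).
COMMON_NAMES = ["alice", "bob", "carol", "dave", "admin", "deploy", "worker", "build", "ci"]

def random_username(rng=None):
    """Pick a base name and add a two-digit suffix: not constant, not from a tiny set,
    but still looking like something a person or CI system would create."""
    rng = rng or secrets.SystemRandom()
    return f"{rng.choice(COMMON_NAMES)}{rng.randrange(10, 100)}"

def sandbox_commands(username, package_cmd):
    """Shell lines to run as root inside the sandbox before the package is touched:
    create the user with a /home/<name> homedir, then run the package step as that
    user with HOME set accordingly (sudo -H)."""
    home = f"/home/{username}"
    return [
        f"useradd --create-home --home-dir {home} --shell /bin/bash {username}",
        f"sudo -u {username} -H -- {shlex.join(package_cmd)}",
    ]

def normalise(output, username):
    """Replace the randomised username (and therefore the homedir) in collected
    output with a generic token, so results from different runs can be diffed.
    Word boundaries stop 'dave17' from matching inside 'dave170'."""
    return re.sub(rf"\b{re.escape(username)}\b", "%USER%", output)

if __name__ == "__main__":
    user = random_username()
    for line in sandbox_commands(user, ["npm", "install", "left-pad"]):
        print(line)
    # Constructed sample of what a syscall/log capture might contain.
    sample = (f'openat("/home/{user}/.npmrc", O_RDONLY) = 3\n'
              f'execve("/usr/bin/id", ["id", "-un"]) -> {user}\n')
    print(normalise(sample, user))
```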