MCRcortex / nekodetector

Nekoclient infection detector
MIT License
566 stars 40 forks source link

How to run this securely? #37

Open qbolec opened 1 year ago

qbolec commented 1 year ago

So, you ask me to download your app and run it on my computer, and trust you everything will be fine? Isn't that what got me in trouble in the first place? :)

Yes, in theory I could review the source code here, but I am not a Java expert, and it looks like there's already hundreds of lines of "code" and "configs" in this repo, and I have no time to learn how to do that.

What's the safe way to run this scan?

  1. Can I for example run it in "read-only" + "no access to internet" way? If so, how can I use OS help to achieve the two goals?
  2. Is there perhaps some simple set of strings we are simply grepping for, and I could pass to grep/ack or some other existing tool?
williewillus commented 1 year ago

on linux, you can remove network access using unshare(1): unshare -r -n java -jar ...

williewillus commented 1 year ago

you can also do some bind mount trickery to only expose a readonly view of the filesystem then scan that, but I don't know off the top of my head the incantations for that.

Huskydog9988 commented 1 year ago

Unfortunately trust is always necessary at some point in the process. If you feel comfortable in doing so, you can always build the program yourself. Or, if you don't feel comfortable with that, you have as much assurance as I can reasonably offer that the jar on the releases page isn't compromised. The file was automatically built and uploaded by our release pipeline, which unless a nasty commit makes its way in, minimizes the chances that any jar distributed here is malicious.

aelnosu commented 1 year ago

So, you ask me to download your app and run it on my computer, and trust you everything will be fine? Isn't that what got me in trouble in the first place? :)

Yes, in theory I could review the source code here, but I am not a Java expert, and it looks like there's already hundreds of lines of "code" and "configs" in this repo, and I have no time to learn how to do that.

What's the safe way to run this scan?

  1. Can I for example run it in "read-only" + "no access to internet" way? If so, how can I use OS help to achieve the two goals?
  2. Is there perhaps some simple set of strings we are simply grepping for, and I could pass to grep/ack or some other existing tool?

Chat GPT is your friend. You can put a code in there and ask it to detect if something shouldn't be there.

Edit: To clarify I mean the code in this repo.

Huskydog9988 commented 1 year ago

Please do not use chat gpt to check if code is infected, it cannot accurately read code this high of a degree. Also, iirc, the malware just injects bytecode, which chatgpt certainly cannot read. So again, please don't use chat gpt, use the scanner.

aelnosu commented 1 year ago

Please do not use chat gpt to check if code is infected, it cannot accurately read code this high of a degree. Also, iirc, the malware just injects bytecode, which chatgpt certainly cannot read. So again, please don't use chat gpt, use the scanner.

To clarify I mean the code in this repo.

D3SL commented 1 year ago

ChatGPT will confidently give you outrageously wrong answers. It's a joke among my coworkers just how inaccurate it is about anything the asker has subject matter knowledge for.

xTrayambak commented 1 year ago

I've probed the entirity of the codebase and there seems to be nothing that raises red flags.

nbrugger-tgm commented 1 year ago

The most secure way would be to run it as docker and mount the fs root as readonly volume. Something like docker run --rm -v /:/myfs:r eclipse/temurin -jar /myfs/path/to/the/scanner.jar

DevWolf31 commented 1 year ago

I have quite a lot of experience in Java and I can tell you that this project is safe. The information on their computers is not shared or modified in any way and only scan .jar files and some possible malicious files. So use it without any fear or concern.