samuraictf / gatekeeper

GATEKEEPER: Inline and on-target defense

Auto-Chroot #4

Closed bool101 closed 9 years ago

bool101 commented 9 years ago

One of the options in gatekeeper is to chroot a target binary. To do this a chroot environment must first be built. This typically contains things like the /dev and /proc environments along with some utilities from /bin /lib etc. We need a script to automatically generate as much of this as possible. Probably already exists somewhere?

zachriggle commented 9 years ago

If the chroot is done between __libc_start_main and main, so that we don't have to worry about all this.

zachriggle commented 9 years ago

This can be done either with LD_PRELOAD or a custom libc.so.6 in LD_LIBRARY_PATH.

bool101 commented 9 years ago

Why not both?

zachriggle commented 9 years ago

We can't emulate anything from /dev or /proc inside of a chroot without root, even with CLONE_NEWUSER. The best we could do is to copy the required libs (e.g. from ldd binary) into the chroot.

bool101 commented 9 years ago

Correct. Your idea here https://github.com/samuraictf/tracker/issues/55#issuecomment-86306576 is a good one. We should probably open /dev/urandom on a static fd as well. Also, we can build a /bin environment with a shell that feeds back incorrect keys.

zachriggle commented 9 years ago

> we can build a /bin environment with a shell that feeds back incorrect keys

Easier to just stick a fake (or valid, but out-of-date) flag in the "correct" location.

bool101 commented 9 years ago

This is pretty easy with a bash script. Example in readme.md that will generate the chroot for /bin/bash and /bin/ls. If we have the disk space we should consider mirroring the whole box in the chroot (including old flags) to help delay detection of this technique.

zachriggle commented 9 years ago

Creating a duplicate of the filesystem -- as best we can -- will be hard for permissions reasons (we can't make our fake /bin owned by root) and for mount-related reasons (no /dev/, /proc, /sys). While we can spend time building a facade of "it's the real thing!" it won't hold up to much inspection. I'd vote just to have a busybox environment and mirror a few things -- like the layout of the user folders and locations of the flags.
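
The approach discussed in this thread, copying each binary plus the libraries ldd reports for it into the chroot directory, as an added example that is not taken from the gatekeeper repository or its readme. The function names and the `./jail` path are assumptions, and binaries must be given as absolute paths.

```shell
#!/bin/sh
# Added example: populate a chroot directory with binaries and the shared
# libraries ldd reports for them. Function names are hypothetical.

# Print the absolute library paths found in ldd output read from stdin.
# Entries with no path (linux-vdso) and "not found" lines are skipped.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# Copy one file into the chroot at the same absolute path, following
# symlinks so the chroot holds real files rather than dangling links.
copy_into() {
    dest=$1 path=$2
    mkdir -p "$dest$(dirname "$path")"
    cp -L "$path" "$dest$path"
}

# build_chroot DEST BINARY...
# No /dev, /proc or /sys is created: as noted in the thread, those cannot
# be provided without root.
build_chroot() {
    dest=$1; shift
    mkdir -p "$dest"
    for bin in "$@"; do
        copy_into "$dest" "$bin"
        # ldd exits non-zero for static binaries; treat that as "no libs".
        { ldd "$bin" 2>/dev/null || true; } | ldd_paths | sort -u |
        while read -r lib; do
            [ -e "$dest$lib" ] || copy_into "$dest" "$lib"
        done
    done
}

# Example: build_chroot ./jail /bin/bash /bin/ls
```

Run ldd only on binaries you trust, since it can invoke the target's own loader to resolve dependencies. Files copied this way are owned by the invoking user, which is the permissions limitation raised in the last comment.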