GShield – ELF32/64 integrity checking and licensing
by Gradew on Feb.26, 2012, under Development, System
On a dare, I decided to write something that would help prevent the tampering of ELF files, while also offering licensing capability.
Let’s be clear on this: just like any binary protection mechanism, this is by no means 100% safe. There’s always the possibility that someone with enough knowledge in ASM will easily crack a protected ELF.
This is just a simple way of protecting your work against most users/clients, those who do not use GDB on a daily basis.
Here’s how it works:
* Checksumming: GShield, when compiled with your executable (you only need a simple “#include”), will reserve enough space in your ELF file to embed a salted SHA-1 checksum. If you wish to throw in some asymmetric cryptography, you can generate an RSA key pair. In this case, you (or the publisher) keep the private key, and you give the public key along with the ELF file. The checksum will then also include a fingerprint of the public key file to make sure it isn’t tampered with either.
* Licensing: You need to generate an RSA key pair and generate a “license.dat” file. You publish your ELF, the public key and the license file, and GShield will allow your program to check its own integrity, as well as decrypt the license file for you to use.
See the idea? It’s still a work-in-progress, but here’s a capture to keep you waiting; I’ll publish the tool once I’m confident I’ve tested it enough.
gradew@server:~$ ./genpair.sh 1024
Generating RSA private key, 1024 bit long modulus
.....++++++
....++++++
e is 65537 (0x10001)
writing RSA key
gradew@server:~$ ./comp.sh
gradew@server:~$ ./test
**** Integrity verification failed ****
Exiting...
gradew@server:~$ ./gshield.sh test "Gradew/Premium/Forever"
GShield signature: abd39a2e63afdb3cc56b4c36e794f26db2906e50
RSA key size: 1024 bits
gradew@server:~$ mkdir tmp
gradew@server:~$ cp test public.key license.dat tmp/
gradew@server:~$ cd tmp
gradew@server:~/tmp$ ls -l
total 1184
-rw-r--r-- 1 julien julien 128 Feb 26 18:43 license.dat
-rw-r--r-- 1 julien julien 272 Feb 26 18:43 public.key
-rwxr-xr-x 1 julien julien 1198476 Feb 26 18:43 test
gradew@server:~/tmp$ ./test
+++ Integrity verification passed!
+++ Licensing verification passed!
License data: Gradew/Premium/Forever
gradew@server:~/tmp$ cd ..
gradew@server:~$ ./genpair.sh 1024
Generating RSA private key, 1024 bit long modulus
........++++++
.++++++
e is 65537 (0x10001)
writing RSA key
gradew@server:~$ ./test
**** Integrity verification failed ****
Exiting...
Forensics-oriented debian-based Live CD/USB (update)
by Gradew on Feb.13, 2012, under System
I’ve decided to post my debian-based live CD that I used to recover data from a friend’s computer; the file allocation table got corrupted somehow, and I had to use forensics tools to recover as much data as possible.
You may find this useful, as I’ve packaged a couple of tools that come in handy when running off a Live CD:
- bzip2, p7zip-full, zip/unzip, par2
- vim, hexedit
- foremost
- one of my tools, GCertManager (installed in /opt)
- recover, lde, ntfsprogs
There’s nothing really fancy here; I only used the “live-build” tool and tweaked the configuration files a bit. Ah, and I changed the default GRUB splash screen.
If you have any suggestions regarding the packaged tools, feel free to let me know!
Download the gzipped images below (about 177MB):
Version 1.2 – USB version (SHA1: 1da6c7c3ddb3e1463ba8f6441d9c698118e764f9)
Version 1.2 – CDROM version (SHA1: 30735d1d3fb33c979d0ef897fd7ab1134488c19c)
Certificate management tool
by Gradew on Feb.05, 2012, under System
GCertManager is yet another tool I wrote for the admins out there who need to create self-signed CAs, request, sign and revoke certificates.
I’ve made it a GPL release; please read the file named “COPYING”, contained in the gzipped tarball.
Basically, it is an interactive program written in Perl that pretty much acts as a wrapper for the “openssl” command line tool. GCertManager is a text-mode GUI that will take you through all the steps of certificate management.

Before you start using it, two things:
- you must edit/remove the last three lines of the included openssl.conf; these lines are where you configure alternate subdomains. I’ve set these to “*.mycompany.com” just to show how it works
- you may want to change the default values for the variables which are defined at the beginning of the Perl script, manage.pl. It’s not mandatory, but it will save you the trouble of re-inputting the certification data every time.
Download link: GCertManager v0.1
OpenSSL cheat sheet
by Gradew on Jan.31, 2012, under Networking, System
Here’s a cheat sheet on how to create/sign/revoke/verify certificates with the openssl command line tool:
GFS, Xen and bonding
by Gradew on Oct.15, 2011, under System
If you’re trying to use a GFS2-XEN combo on a bridged network, you may find this post useful.
Pthichat@Home is back…
by Gradew on Oct.25, 2010, under Development, Networking, System
… it was only hibernating, the rascal.
Bookmark this site, ladies and gentlemen! System tips (Unix-oriented), Java/Android development… There’s something for everyone!
WinGSyslog
by Gradew on Sep.10, 2010, under System
I’ve rebuilt the syslog server tool I created two years ago. That first version was just not cut out for the job.
Here’s a far more stable and efficient version. New features will come later, such as searching and filtering…
Linux hard reboot
by Gradew on Mar.22, 2010, under System
Here’s a rather brutal tip that can come in handy when you administer remote servers: should you discover a process that’s gone to a D+ state – Uninterruptible Sleep – because of a blocking I/O call, how would you go about instructing the server to reboot without having to wait for all processes to terminate, since we all know that’s never gonna happen? Even a kill -9 won’t terminate the bugger, so here’s how to bash the server’s brains for good:
echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger
Needless to say you have to think twice before applying this rude trick, since it’s pretty much like yanking out the power cable (without the stress on the electronic parts). You may lose data by doing this, so make sure you’ve shut down as many daemons as possible, especially those which access block devices or sockets and files.
Incremental backups using GNU tar
by Gradew on Dec.02, 2009, under System
Need incremental backups? tar is just what you need in most cases.
Full backup of /etc: tar --create --file=full.tar --listed-incremental=snapshot.dat /etc
Incremental backup: tar --create --file=incr-01.tar --listed-incremental=snapshot.dat /etc
Here’s how it works: the option “--listed-incremental” tells tar to maintain a snapshot file that records the state of the files at the time of the backup, which is how tar knows what has been modified since the last backup. If the snapshot file does not exist, tar creates it and performs a full backup. Otherwise, tar will perform an incremental backup and update the snapshot file.
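The backup half is only useful if the restore works, so here is the full cycle as an added example (not part of the original post). It assumes GNU tar and uses a throw-away directory with constructed files instead of /etc; the function name incremental_demo is made up for the illustration.

```shell
#!/bin/sh
# Added example: full + incremental backup and ordered restore (GNU tar).
# Everything lives in a throw-away directory; the files are constructed.
set -eu

incremental_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src" "$work/restore"
    echo "v1"  > "$work/src/keep.conf"
    echo "old" > "$work/src/stale.conf"

    # Level 0: snapshot.dat does not exist yet, so tar makes a full backup.
    tar --create --file="$work/full.tar" \
        --listed-incremental="$work/snapshot.dat" -C "$work" src

    # Changes after the full backup: one edit, one new file, one deletion.
    sleep 1   # keep the new mtimes clear of the snapshot time on coarse clocks
    echo "v2"  > "$work/src/keep.conf"
    echo "new" > "$work/src/added.conf"
    rm "$work/src/stale.conf"

    # Level 1: same command, the existing snapshot makes it incremental.
    tar --create --file="$work/incr-01.tar" \
        --listed-incremental="$work/snapshot.dat" -C "$work" src

    # Restore oldest first. Extracting with --listed-incremental=/dev/null
    # makes tar honour the incremental metadata, so the deletion is replayed.
    for archive in full.tar incr-01.tar; do
        tar --extract --file="$work/$archive" \
            --listed-incremental=/dev/null -C "$work/restore"
    done

    kept=$(cat "$work/restore/src/keep.conf")
    if [ -e "$work/restore/src/stale.conf" ]; then stale=present; else stale=absent; fi
    # Regular files carried by the incremental archive (directories end in /).
    changed=$(tar --list --file="$work/incr-01.tar" | grep -vc '/$')
    rm -rf "$work"
    echo "$kept $stale $changed"
}

incremental_demo
```

Because every incremental run overwrites snapshot.dat, keep a copy of the level-0 snapshot if each later backup should be taken relative to the full backup rather than to the previous incremental.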
OpenSSL file encryption 101
by Gradew on Jun.28, 2009, under Misc
Encrypting/decrypting a file can be done easily with OpenSSL.
First, you need to generate an RSA key pair; the public key will be used for encryption and the private one will be used to decrypt.
- Generate the keypair (2048 will be the size used in this example):
openssl genrsa -out private.key 2048
openssl rsa -pubout -in private.key -out public.key
- Encrypt the file (test.txt):
openssl rsautl -encrypt -inkey public.key -pubin -in test.txt -out test.encrypted
- Decrypt the file:
openssl rsautl -decrypt -inkey private.key -in test.encrypted -out test.decrypted
Notes:
- the size of the encrypted file will grow by a few bytes; an RSA buffer has a size of (S/8), where S is the bit size of the key. The size of an encrypted file will therefore be aligned on buffers of (S/8) bytes (e.g. 256 bytes for a 2048-bit key)
- given the pseudorandom nature of encrypted contents, an encrypted file cannot be compressed. If you wish to compress the file, do it before you encrypt it.
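RSA on its own only accepts input smaller than one (S/8)-byte buffer, so larger files are normally encrypted with a random symmetric key that is then wrapped with the public key. The following added example (not from the original post) shows this with the same 2048-bit key size; it goes beyond the single-command case above, uses "openssl pkeyutl" (which replaces "rsautl" in current OpenSSL releases) and assumes OpenSSL 1.1.1 or later. The function name hybrid_demo and the file names are made up for the illustration.

```shell
#!/bin/sh
# Added example: RSA wraps a random session key; AES encrypts the file.
# File names under $work are illustrative; the input file is constructed.
set -eu

hybrid_demo() {
    work=$(mktemp -d)
    openssl genrsa -out "$work/private.key" 2048 2>/dev/null
    openssl rsa -pubout -in "$work/private.key" -out "$work/public.key" 2>/dev/null

    # Constructed 4 KiB input: larger than one 256-byte RSA buffer.
    head -c 4096 /dev/urandom > "$work/test.bin"

    # Direct RSA encryption of the whole file is refused: too large for the key.
    if openssl pkeyutl -encrypt -pubin -inkey "$work/public.key" \
        -in "$work/test.bin" -out "$work/direct.enc" 2>/dev/null
    then direct=accepted; else direct=too-large; fi

    # Sender: random session key, AES for the bulk data, RSA-OAEP for the key.
    openssl rand -hex 32 > "$work/session.key"
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$work/session.key" \
        -in "$work/test.bin" -out "$work/test.encrypted"
    openssl pkeyutl -encrypt -pubin -inkey "$work/public.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$work/session.key" -out "$work/session.key.enc"

    # Recipient: unwrap the session key with the private key, then decrypt.
    openssl pkeyutl -decrypt -inkey "$work/private.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$work/session.key.enc" -out "$work/session.key.out"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$work/session.key.out" \
        -in "$work/test.encrypted" -out "$work/test.decrypted"

    wrapped=$(wc -c < "$work/session.key.enc" | tr -d ' ')
    if cmp -s "$work/test.bin" "$work/test.decrypted"
    then roundtrip=match; else roundtrip=differ; fi
    rm -rf "$work"
    echo "$direct $wrapped $roundtrip"
}

hybrid_demo
```

The wrapped session key is exactly 256 bytes, matching the (S/8) buffer size noted above. "openssl enc" in CBC mode does not authenticate the ciphertext, so sign the encrypted file separately if tampering matters.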