0

How can I check in my application that the system is running in normal mode, not booted from bootable media such as a CD-ROM or USB? What files, services, or any other thing need to be overlooked?

This is really needed, as I need to achieve some level of security along with other measures and techniques that I use to secure my application. Any ideas?

P.S. I use Ubuntu 12.4

Bart
securecurve

3 Answers

0

This cannot be done from an application context.

The sanest way to build such a system is to have an encrypted harddisk that needs to be unlocked by authorized personnel -- this way people booting from removable media cannot access the application or its data.

Simon Richter
  • Thanks for your answer. I have already done that, but the point is, the system is located on customer's side, and when the system runs or reboots it should start automatically with no human intervention, which is done by my application that mounts the encrypted hard drive, sadly, if booted from a bootable media, he can run my app. and get the encrypted drive mounted... – securecurve Sep 18 '12 at 07:10
  • It is impossible to secure a system where an untrusted party has physical access. – Simon Richter Sep 18 '12 at 07:34
  • I agree, but at least try to make things more tedious and harder to break, and this doesn't mean to leave my app. without security measures, even if they are not so immune .. – securecurve Sep 18 '12 at 07:49
  • @securecurve You could try to establish a network connection and take the hardware details in order to get the "mount password" that would be more secure, you just need to make sure you start your application after the network is up and running. – Oliver Sep 18 '12 at 07:57
  • Appreciated Oliver. I thought about that also, and will do it in the future as long as we deploy our licencing server. What we are trying to do now is to start with local measures side by side with the remote ones when it comes in the future :)) – securecurve Sep 18 '12 at 08:07
  • this link is of some relevance: [How to know where I am booting from](http://stackoverflow.com/questions/10536261/how-to-know-where-i-am-booting-from) – securecurve Sep 18 '12 at 08:10
0

You can check the kernel command line with `cat /proc/cmdline`; there you can see the root drive used to start the kernel.

while
  • Thanks while, seems to be a very nice idea. I have one more question regarding your answer: will the root=UUID be considered a fixed value that never changes under any circumstances (including root password change), as I'll take it as a distinguishing factor... Also, from what I understand, it gets generated by grub or lilo, but can anyone else edit it or regenerate it when using a bootable media or by any other means? – securecurve Sep 18 '12 at 07:45
  • 1
    If it is specified as a UUID it is unique for your partition and will not change as long as you don't swap drives or partition table. It might be specified as just `/dev/sdX#` on some systems, in which case it is not specific and will change with the boot order in your BIOS. – while Sep 18 '12 at 07:55
  • It's very easy to fake that if you're being devious though. – Flexo Sep 19 '12 at 12:16
0

Just to wrap it up: if you want to know whether your system booted normally through the regular boot process from grub or lilo, you can check `/proc/cmdline`, which tells you where your system booted from and what the boot sector unique id is for that boot partition, for example: `BOOT_IMAGE=/boot/vmlinuz-*****-generic`.

This file is not the only thing that can tell you the UUIDs of the different partitions of your system; there are other ways to do the same:

1- `ls -l /dev/disk/by-uuid/`

```
lrwxrwxrwx 1 root root  9 Oct 13 14:12 3894c432-c0ab-4610-b1de-b2121e54b4e3 -> ../../md1
lrwxrwxrwx 1 root root 10 Oct 13 14:12 87431be0-6af5-459e-9ddb-91028fd637cb -> ../../sdd1
lrwxrwxrwx 1 root root 11 Oct 13 14:12 b781ce12-657f-4831-8ed5-e3c5b7c04cf7 -> ../../md125
lrwxrwxrwx 1 root root  9 Oct 13 14:12 c87d9576-55a6-4c3e-a1fb-04e15c72d94e -> ../../md2
```

2- `blkid`

```
/dev/sda1: UUID="b781ce12-657f-4831-8ed5-e3c5b7c04cf7" SEC_TYPE="ext2" TYPE="ext3"
/dev/sdb1: UUID="bb10b5c9-acb6-e72c-768b-29c85cd8b45c" TYPE="linux_raid_member"
/dev/sdd1: LABEL="backups" UUID="87431be0-6af5-459e-9ddb-91028fd637cb" SEC_TYPE="ext2" TYPE="ext3"
/dev/md125: UUID="b781ce12-657f-4831-8ed5-e3c5b7c04cf7" TYPE="ext3"
/dev/md1: UUID="3894c432-c0ab-4610-b1de-b2121e54b4e3" TYPE="swap"
/dev/md2: UUID="c87d9576-55a6-4c3e-a1fb-04e15c72d94e" TYPE="ext3"
```


Maybe there are other tools that can do the same job, but I think the above are sufficient to solve a problem such as mine.

P.S. Thanks to all of those who contributed to this thread :))

securecurve
  • Useful links: [How can you extract Hardware ID using Python?](http://stackoverflow.com/questions/227222/how-can-you-extract-hardware-id-using-python) [Get hard disk serial number using Python on Linux](http://stackoverflow.com/questions/4193514/get-hard-disk-serial-number-using-python-on-linux) [Get a unique computer ID in python on windows and linux](http://stackoverflow.com/questions/2461141/get-a-unique-computer-id-in-python-on-windows-and-linux) [Wikipedia](http://en.wikipedia.org/wiki/Procfs) [Discover the possibilities of the /proc directory](http://archive09.linux.com/feature/126718) – securecurve Sep 20 '12 at 19:53
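
The check discussed in the answers above, as an added example that is not code from any poster in this thread: it parses `root=` from `/proc/cmdline`, compares it with a UUID recorded at install time, and resolves that UUID through `/dev/disk/by-uuid`. `EXPECTED_UUID`, the sample command lines and the result labels are constructed for illustration; as the comments point out, the command line is easy to fake and `/dev/sdX#` values are not specific, so a match is only a weak signal.

```python
import os
import re

# Constructed values for illustration; record your own root UUID at install time.
EXPECTED_UUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_INSTALLED = "BOOT_IMAGE=/boot/vmlinuz-generic root=UUID=" + EXPECTED_UUID + " ro quiet"
SAMPLE_DEVNODE = "BOOT_IMAGE=/boot/vmlinuz-generic root=/dev/sda1 ro"
SAMPLE_NO_ROOT = "boot=casper initrd=/casper/initrd.lz quiet splash --"


def parse_root(cmdline):
    """Return (kind, value) of the last root= parameter, or (None, None)."""
    kind, value = None, None
    for token in cmdline.split():
        if token.startswith("root="):
            spec = token[len("root="):]
            m = re.match(r"(UUID|PARTUUID|LABEL)=(.+)$", spec)
            kind, value = (m.group(1), m.group(2)) if m else ("DEVICE", spec)
    return kind, value


def check_boot(cmdline, expected_uuid):
    """Classify the command line against the UUID recorded at install time."""
    kind, value = parse_root(cmdline)
    if kind is None:
        return "no-root-param"   # e.g. live media that mounts root another way
    if kind != "UUID":
        return "not-uuid"        # /dev/sdX# follows BIOS boot order, not the disk
    return "match" if value.lower() == expected_uuid.lower() else "mismatch"


def resolve_uuid(uuid, by_uuid_dir="/dev/disk/by-uuid"):
    """Follow the by-uuid symlink (what `ls -l` shows) to the device node."""
    link = os.path.join(by_uuid_dir, uuid)
    return os.path.realpath(link) if os.path.islink(link) else None


if __name__ == "__main__":
    with open("/proc/cmdline") as f:
        live = f.read().strip()
    print(check_boot(live, EXPECTED_UUID), resolve_uuid(EXPECTED_UUID))
    for sample in (SAMPLE_INSTALLED, SAMPLE_DEVNODE, SAMPLE_NO_ROOT):
        print(check_boot(sample, EXPECTED_UUID), "<-", sample)
```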