[tor-bugs] #16659 [- Select a component]: TCP Initial Sequence Numbers Leak Host Clock

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jul 24 17:56:06 UTC 2015


#16659: TCP Initial Sequence Numbers Leak Host Clock
----------------------------------+---------------------
 Reporter:  source                |          Owner:
     Type:  defect                |         Status:  new
 Priority:  normal                |      Milestone:
Component:  - Select a component  |        Version:
 Keywords:                        |  Actual Points:
Parent ID:                        |         Points:
----------------------------------+---------------------
 TCP Sequence Numbers seem to be one more way to leak the host clock on
 GNU/Linux systems. It's the last major vector in the literature that's not
 addressed yet. [1] The kernel embeds the system time in microseconds in TCP
 connections. Some opinions say the TCP ISNs are salted hashes and can't be
 abused, but my impression from Steve Murdoch's papers is that it's feasible
 and already carried out in his tests. [2][3]

 There is no sysctl option to disable it, and it must be patched upstream.
 [4][5]

 Nick has done exceptional work to get OpenSSL upstream to throw out
 mandatory timestamping in the protocol. TAILS and Whonix disable TCP
 Timestamps in the kernel sysctl. TCP Timestamps are a different vector
 from the TCP ISNs discussed here; it would be great if the upstream kernel
 disabled this as well so all distros have it.


 [1]https://www.cl.cam.ac.uk/~sjm217/papers/ccs06hotornot.pdf
 [2]http://caia.swin.edu.au/talks/CAIA-TALK-080728A.pdf
 [3]http://www.cl.cam.ac.uk/~sjm217/papers/ih05coverttcp.pdf
 [4]https://stackoverflow.com/a/12232126
 [5]http://lxr.free-electrons.com/source/net/core/secure_seq.c?v=3.16

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16659>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
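Added illustration of the mechanism the ticket describes (my own model, not kernel code and not part of the ticket): the ISN is a per-connection keyed hash plus a time term in 64 ns units, so for two connections on the same 4-tuple the hash term cancels and the ISN difference reveals elapsed wall-clock time, modulo the ~275 s wrap of the 32-bit time term. The secret, addresses and timestamps below are constructed sample values, and HMAC-SHA256 stands in for the kernel's hash.

```python
import hashlib
import hmac

ISN_TICK_NS = 64                      # model adds (wallclock_ns >> 6): one ISN unit per 64 ns
ISN_MODULUS = 1 << 32                 # ISNs are 32-bit
WRAP_NS = ISN_TICK_NS * ISN_MODULUS   # time term wraps every ~274.9 s


def tuple_hash32(secret: bytes, saddr: str, daddr: str, sport: int, dport: int) -> int:
    """Keyed per-4-tuple hash (HMAC-SHA256 stand-in; the kernel uses its own hash)."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def model_isn(secret: bytes, saddr: str, daddr: str, sport: int, dport: int,
              wallclock_ns: int) -> int:
    """ISN = keyed hash of the 4-tuple + (wall-clock time in 64 ns ticks), mod 2^32."""
    return (tuple_hash32(secret, saddr, daddr, sport, dport) + (wallclock_ns >> 6)) % ISN_MODULUS


def elapsed_ns_from_isns(isn_first: int, isn_second: int) -> int:
    """Elapsed wall-clock time between two connections on the same 4-tuple.

    The hash term is identical for both, so it cancels; the result is only
    known modulo WRAP_NS because the time term is truncated to 32 bits.
    """
    return ((isn_second - isn_first) % ISN_MODULUS) * ISN_TICK_NS


def demo() -> dict:
    """Constructed scenario: same 4-tuple reused 1 s apart, then again one wrap + 1 s later."""
    secret = b"constructed-boot-time-secret"            # constructed sample value
    tuple_ = ("10.0.0.2", "10.0.0.1", 40000, 443)        # constructed sample 4-tuple
    t0 = 1_437_760_566_000_000_000                       # ~2015-07-24 UTC, in ns (constructed)
    isn_a = model_isn(secret, *tuple_, t0)
    isn_b = model_isn(secret, *tuple_, t0 + 1_000_000_000)
    isn_c = model_isn(secret, *tuple_, t0 + WRAP_NS + 1_000_000_000)
    return {
        "elapsed_ab_ns": elapsed_ns_from_isns(isn_a, isn_b),   # 1 s recovered exactly
        "elapsed_ac_ns": elapsed_ns_from_isns(isn_a, isn_c),   # also 1 s: the wrap is lost
        "wrap_seconds": WRAP_NS / 1e9,
    }


if __name__ == "__main__":
    print(demo())
```

The salt only hides the absolute clock; clock skew, which the cited papers measure, is recoverable from differences, which is why a sysctl toggle would not be enough and the upstream generator itself has to change.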