[tor-bugs] #18020 [- Select a component]: RFE: Introduce privsep to secure OS and hidden service keys

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jan 8 11:59:29 UTC 2016


#18020: RFE: Introduce privsep to secure OS and hidden service keys
--------------------------------------+---------------------
     Reporter:  jirib                 |      Owner:
         Type:  enhancement           |     Status:  new
     Priority:  Medium                |  Milestone:
    Component:  - Select a component  |    Version:
     Severity:  Normal                |   Keywords:  privsep
Actual Points:                        |  Parent ID:
       Points:                        |    Sponsor:
--------------------------------------+---------------------
 I'm not sure if anything has been implemented to prevent a running tor
 process from reading the hidden service private key after (not during)
 startup or from browsing OS filesystems.

 For example, after the heartbleed issue OpenBSD implemented a couple of
 additional protection layers to prevent a running daemon that uses private
 keys from reading them after startup.

 This is the commit message from OpenBSD's relayd (load-balancer) so you can
 get an idea of the reason:

 ''Introduce privsep for private keys:

 - Move RSA private keys to a new separate process instead of copying
 them to the relays.  A custom RSA engine is used by the SSL/TLS code
 of the relay processes to send RSA private key encryption/decryption
 (also used for sign/verify) requests to the new "ca" processes instead
 of operating on the private key directly.

 - Each relay process gets its own related ca process.  Setting
 "prefork 5" in the config file will spawn 10 processes (5 relay, 5
 ca).  This diff also reduces the default number of relay processes
 from 5 to 3 which should be suitable in most installations without a
 very heavy load.

 - Don't keep text versions of the keys in memory, parse them once and
 keep the binary representation.  This might still be the case in
 OpenSSL's internals but will be fixed in the library.

 This diff doesn't prevent something like "heartbleed" but adds an
 additional mitigation to prevent leakage of the private keys from the
 processes doing SSL/TLS.''

 See marc.info/?l=openbsd-cvs&m=139782935008235&w=2

 Thus it would be nice if tor used privsep so that a new tor process could
 not access the key directly.

 Privsep would also help people in the future to "sandbox" the logical
 functionality of tor (e.g. OpenBSD's pledge, seccomp, etc.), so it would
 not be possible, for example, to browse the whole OS filesystem etc. in the
 future.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18020>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
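The privsep model the quoted commit message describes, as an added example that is neither tor's nor relayd's code: a key-holding process spawned over a socketpair answers signing requests from a worker process that never opens the key file, one key process per worker. An HMAC over SHA-256 stands in for the RSA operation (an assumption made to stay within the standard library), and the key path and the length-prefixed wire format are constructed for the demo.

```python
import hashlib, hmac, os, socket, struct

MAX_REQUEST = 64 * 1024  # refuse oversized requests rather than buffering them
DIGEST_LEN = hashlib.sha256().digest_size

def key_process(conn, key_path):
    # Key-holding side: the only process that ever opens key_path.
    # Wire format (constructed): <u32 big-endian length><message>; reply is the MAC.
    with open(key_path, "rb") as f:
        key = f.read()
    rfile = conn.makefile("rb")
    while True:
        hdr = rfile.read(4)
        if len(hdr) < 4:
            return                       # worker closed its end: exit quietly
        (n,) = struct.unpack("!I", hdr)
        if n > MAX_REQUEST:
            return                       # malformed request: drop the channel, never the key
        conn.sendall(hmac.new(key, rfile.read(n), hashlib.sha256).digest())

class KeyClient:
    # Worker side: holds only its end of the socketpair, never the key bytes.
    def __init__(self, key_path):
        worker_end, key_end = socket.socketpair()
        self.pid = os.fork()
        if self.pid == 0:                # child becomes the key process
            worker_end.close()
            key_process(key_end, key_path)
            os._exit(0)
        key_end.close()                  # parent keeps only the request channel
        self.conn, self.rfile = worker_end, worker_end.makefile("rb")
    def sign(self, msg):
        self.conn.sendall(struct.pack("!I", len(msg)) + msg)
        return self.rfile.read(DIGEST_LEN)
    def close(self):
        self.rfile.close(); self.conn.close()
        os.waitpid(self.pid, 0)

def self_check(path="/tmp/privsep_demo_key"):
    # Write a constructed key (hypothetical path), sign via the key process,
    # and compare with a direct computation; returns True when they agree.
    key, msg = b"constructed-demo-key-not-for-real-use", b"hs descriptor bytes"
    with open(path, "wb") as f:
        f.write(key)
    client = KeyClient(path)
    try:
        return hmac.compare_digest(client.sign(msg), hmac.new(key, msg, hashlib.sha256).digest())
    finally:
        client.close()
        os.remove(path)
```

In a real deployment the worker would additionally be confined (pledge, seccomp) so that it cannot open the key file at all; the socketpair is then its only route to the key material.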