[tor-dev] Different trust levels using single client instance

Michael Rogers michael at briarproject.org
Mon Oct 31 16:11:14 UTC 2016


On 21/10/16 21:38, bancfc at openmailbox.org wrote:
> Cons:
> *Some unforeseen way malicious VM "X" can link activities of or
> influence traffic of VM "Y"
> **Maybe sending NEWNYM requests in a timed pattern that changes exit IPs
> of VM Y's traffic, revealing they are behind the same client?
> **Maybe eavesdropping on HSes running on VM Y's behalf?
> **Something else we are not aware of?

If each VM has full access to the control port, even something as simple
as "SETCONF DisableNetwork" could be used for traffic confirmation.

ExcludeNodes, ExcludeExitNodes and MapAddress could be used to force
another VM's traffic through certain nodes.

Bandwidth events could be used for traffic analysis of another VM's traffic.

ADDRMAP events look like they might leak information about the hosts
another VM connects to. Likewise DANGEROUS_PORT leaks information about
ports, HS_DESC about HS descriptor lookups.

I'm not sure if covert channels between two VMs (e.g. for exfiltration)
are part of your threat model, but events would be a rich source of
those too.

Cheers,
Michael
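
Added example, not part of the original message or of Tor's own code: a default-deny filter that could sit between each VM and the shared control port and reject the commands and event subscriptions named above. The allowlist contents, the function names `check_line` and `filter_session`, and the sample lines are assumptions made for illustration.

```python
"""Default-deny filter for Tor control-port lines sent by an untrusted VM."""

# Assumption: illustrative allowlist, not a vetted policy.
SAFE_GETINFO = {"version", "status/bootstrap-phase", "status/circuit-established"}

# Deny reasons taken from the thread above.
DENY_REASONS = {
    "SETCONF": "changes shared config (DisableNetwork, ExcludeNodes, ExcludeExitNodes)",
    "RESETCONF": "changes shared config",
    "MAPADDRESS": "can steer another VM's traffic",
    "SIGNAL": "NEWNYM timing can link VMs behind one client",
    "SETEVENTS": "events (BW, ADDRMAP, STATUS_CLIENT, HS_DESC) expose other VMs' activity",
}

def check_line(line):
    """Return (allowed, reason) for one control-port line from a VM."""
    body = line[:-2] if line.endswith("\r\n") else line.rstrip("\n")
    if "\r" in body or "\n" in body:
        return False, "embedded line break could smuggle a second command"
    if body.startswith("+"):
        return False, "multi-line commands are not allowed"
    parts = body.split()
    if not parts:
        return False, "empty line"
    cmd, args = parts[0].upper(), parts[1:]  # command keywords are case-insensitive
    if cmd in ("PROTOCOLINFO", "AUTHENTICATE", "QUIT"):
        return True, "session management"
    if cmd == "GETINFO":
        if not args:
            return False, "GETINFO without keys"
        bad = [a for a in args if a not in SAFE_GETINFO]
        if bad:
            return False, "GETINFO key not allowlisted: " + " ".join(bad)
        return True, "read-only, allowlisted keys"
    return False, DENY_REASONS.get(cmd, "command not on allowlist")

def filter_session(lines):
    """Return only the lines that may be forwarded to tor."""
    return [line for line in lines if check_line(line)[0]]

# Constructed sample input: one benign query, then the abuses discussed above.
SAMPLE = [
    "GETINFO version\r\n",
    "setconf DisableNetwork=1\r\n",
    "MAPADDRESS example.com=198.51.100.7\r\n",
    "SETEVENTS BW ADDRMAP HS_DESC\r\n",
    "SIGNAL NEWNYM\r\n",
    "GETINFO version\r\nSETCONF ExcludeExitNodes={us}\r\n",
]
```

A filter like this only narrows the command surface; replies to allowed commands still come from a tor instance shared by all VMs.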
