[tor-relays] relays "in the cloud"

Andy Isaacson adi at hexapodia.org
Tue Oct 1 23:35:15 UTC 2013


On Tue, Oct 01, 2013 at 04:42:53PM -0400, Jonathan D. Proulx wrote:
> As I understand it there are three risk layers in each Tor node:
> 
> 1) The node operator (who has r00t) 
> 2) The data center (who has net)
> 3) The legal jurisdiction
> 
> I've recently started running a couple of relays on public IaaS
> providers.  To my thinking this doesn't present significant security
> issues beyond a hosted physical server,
[snip]
> The one novel thing this may make easier is stealing the host's private
> keys, which would make traffic analysis easier (but I don't think
> significantly better) and allow impersonation of the node which would
> not otherwise be possible (well it may be possible to steal from memory
> on a running system given physical access and sufficient equipment,
> time and expertise but nearly impossible if not actually so).

I'd assume that any private keys present in RAM on an IaaS cloud are
disclosed to the cloud vendor, and thence to the NSA.  It's a tiny
matter of software to do this, and the vendors explicitly give
themselves permission to do so in the ToS you agreed to, so why wouldn't
they?

I'd welcome a public (and ideally legally binding) statement from an
IaaS vendor that they do not disclose customer keys.  A "transparency
report" disclosing how many law enforcement / intelligence community
(LE/IC) requests were satisfied, and how many keys were disclosed, would
go a long way towards closing the credibility gap here.


The picture with colo hardware is a little more nuanced.  If you rent
hardware from a vendor it probably is managed via IPMI, which is
probably hooked up to a VLAN with other devices on it, which is a rat's
nest of vulnerability:
http://fish2.com/ipmi/how-to-break-stuff.html
https://www.usenix.org/conference/woot13/illuminating-security-issues-surrounding-lights-out-server-management

Even if your server cannot be compromised by an IPMI network attack, an
attacker with physical access (due to a subpoena, NSL, bribery, or
surreptitious insertion) can deploy a commercially available hardware
attack against USB or PCIe to extract key material.

In summary, it seems likely that IaaS is pwned wholesale.  Colo hardware
is somewhat more expensive to attack and possibly succeeds in raising
the bar from "software" to "attacker has to roll a truck to pwn me",
which is my current recommendation for threat modeling.

-andy