Tor + SELinux sandbox = leak proof without VM overhead?

[coderman]

On Sat, Aug 21, 2010 at 5:55 PM, Gregory Maxwell <gmaxwell at gmail.com> wrote:
> ...
> I think it's obvious that the best way of using tor is running your
> torrified apps in a VM which can only access the outside world via
> TOR. This provides the highest protection from network leaks and also
> partially thwarts fingerprinting.   But I can only assume that the
> 'cost' (performance, complexity, etc) of using a VM for tor is too
> high for many people— otherwise we would insist that anyone who wants
> anonymity operate that way.

not a silver bullet, but tends to fail safer.

the "costs" include:
- elevated privs for accelerated virtualization / para-virtualization.
Tor by default does not require such.

- additional resource consumption. isolated os, network stacks, and
applications require additional memory and CPU.

- only solve part of the problem; you still need Torbutton and other
application level protections, even if direct proxy-bypass type
disclosures of endpoint or identity are mitigated.

ideally this model would apply across the entire user experience, see qubes:
 http://qubes-os.org/Home.html


> Has anyone looked into using the SELINUX sandbox
> (http://danwalsh.livejournal.com/28545.html) to prevent leaks?   The
> sandbox provides a high degree of application isolation.  It looks
> like it would be pretty much trivial to add an option to the sandbox
> front end program to only allow accesses to the tor socks port from
> the isolated app.

developing and maintaining a robust RSBAC policy is non-trivial. that
said, these are complementary techniques. a strong RSBAC model around
and within virtual machine based isolation provides additional defense
against application errors, vm break-outs, etc.

it doesn't help that a lot of the good SELinux policy development /
management tools are closed source / proprietary.  it's not the only
game in town...


> With this users on a supporting platforms wouldn't have to use
> wireshark to figure out if, say, pidgin, is leaking via DNS. They
> could simply run the app inside the sandbox and be sure of it.

there's RSBAC bypass just like vm break-out; anyone claiming
infallibility is smoking something or selling you lies...


> Does this sound like a practice which should be refined and recommended?

absolutely! you could submit a series of policies for various Tor
modes of operation and solicit feedback / commit to contrib.
***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/