[tor-talk] Hidden service security w. Apache/Win32

Ralf-Philipp Weinmann ralf at coderpunks.org
Mon Feb 20 20:07:38 UTC 2012


On Feb 20, 2012, at 8:57 PM, Ondrej Mikle wrote:

> On 02/20/2012 05:06 PM, Ralf-Philipp Weinmann wrote:
>> On 2012-02-19 19:58 CET, Ondrej Mikle wrote:
>> 
>>> Addendum for truly "uberparanoid" installation:
>>> 
>>> [various "best practices"]
>>> 
>>> With the uberparanoid installation, the greatest risk is a return-to-libc-style
>>> attack on Tor where attacker instructs Tor to make circuit to a node controlled
>>> by attacker, thus revealing IP.
>> 
>> So this is the part where you should realize how futile all of that pain of setting up policies is…
> 
> I disagree. Even without RBAC, grsecurity makes ROP-style attacks damn hard.

n.b.: I wasn't commenting on the memory corruption mitigations offered by grsec, those are damn fine. Rather, what I was commenting on was the fact that RBAC is mostly worthless for the threat you are trying to address (disclosing the IP address of the server running the hidden service) unless you've really screwed up somewhere else.

> Many tricks I've seen in defeating ASLR and other anti-ROP mitigations required
> some side-channel knowledge. Which is where the policy can do good job at
> stopping the attacker to gain such side-channel information.

Yes, you'll need to bake yourself an info leak to deal with grsec.

> Since with gentoo you compile everything with your own settings of
> compiler/linker and whatnot, that alone makes it hard for attacker to search for
> "gadgets" (pieces of code that can be used for ROP).

I'm familiar with the technique, and agree that custom compiler/linker settings on the box you're attacking can be a PITA to deal with. Depending on the skills of the adversary, they might buy you a couple of months.

> 
> Is the additional RBAC policy worth it? Depends on your threat model. I've had a
> server running with grsecurity RBAC enabled for experimentation several years
> ago. The policies took a few days to write, but that's far from "unfeasible".

RBAC, SELinux and App Armor (yes, I've added more clunky ways to band-aid buggy code to prevent it from spilling the lifeblood of your box) are useful for some things. I just really doubt they will buy you additional protection in the threat model we're talking about.

Cheers,
-RPW