[tor-talk] Hidden service security w. Apache/Win32

Ondrej Mikle ondrej.mikle at gmail.com
Mon Feb 20 20:57:39 UTC 2012


On 02/20/2012 09:07 PM, Ralf-Philipp Weinmann wrote:
> 
> On Feb 20, 2012, at 8:57 PM, Ondrej Mikle wrote:
> 
>> Many tricks I've seen in defeating ASLR and other anti-ROP mitigations required
>> some side-channel knowledge. Which is where the policy can do a good job at
>> stopping the attacker from gaining such side-channel information.
> 
> Yes, you'll need to bake yourself an info leak to deal with grsec.
> 
>> Since with Gentoo you compile everything with your own settings of
>> compiler/linker and whatnot, that alone makes it hard for an attacker to search for
>> "gadgets" (pieces of code that can be used for ROP).
> 
> I'm familiar with the technique, and agree that custom compiler/linker settings on the box you're attacking can be a PITA to deal with. Depending on the skills of the adversary, they might buy you a couple of months.

Yeah, I noticed that after sending the previous mail, when reading your USENIX/27C3
paper in the meantime :-)

>> Is the additional RBAC policy worth it? Depends on your threat model. I've had a
>> server running with grsecurity RBAC enabled for experimentation several years
>> ago. The policies took a few days to write, but that's far from "unfeasible".
> 
> RBAC, SELinux and AppArmor (yes, I've added more clunky ways to band-aid buggy code to prevent it from spilling the lifeblood of your box) are useful for some things. I just really doubt they will buy you additional protection in the threat model we're talking about.

Another option is model-checking. But "true" model-checking of Tor is almost
definitely infeasible. Though RBAC is "kind of" model-checking.

An interesting side note is that with ASLR and custom compile/link flags the
machine acts as a random oracle (against ROP-style attacks). According to
Baker-Gill-Solovay, in a universe relativized with random oracles, NP^A != P^A
(A = a random oracle). Thus it's provable that no deterministic polynomial algorithm
can exist for ROP-style attacks.

(I might have overstretched the assumption a bit that such a machine is a
random oracle; but you get the point.)

Ondrej
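As an added illustration of the two points argued in the exchange above (a rebuilt binary moves the gadgets, and ASLR only holds until the attacker "bakes themselves an info leak"), here is a toy gadget scan. It is example code written for this page, not code from either poster or from Tor or Gentoo. The two byte strings are constructed stand-ins for the same function compiled twice with different flags (they are hand-picked x86-64 bytes, not real compiler output), and the base addresses, gadget names and function names are assumptions made for the example.

```python
"""Toy ROP gadget scan: why a rebuilt binary and ASLR break a precomputed chain."""
from typing import Optional

RET = 0xC3
MAX_GADGET_LEN = 4  # how many bytes before each 'ret' to keep as a candidate gadget

# Constructed stand-ins for one function compiled with two different sets of
# compiler/linker flags (different register allocation and scheduling).
# Hand-picked x86-64 bytes, NOT real compiler output; only the layout matters.
#   55            push rbp        5f c3   pop rdi; ret
#   48 89 e5      mov rbp,rsp     5e c3   pop rsi; ret
#   48 31 c0 c3   xor rax,rax; ret        90      nop
BUILD_A = bytes.fromhex("55 48 89 e5 5f c3 5e c3 48 31 c0 c3")
BUILD_B = bytes.fromhex("48 31 c0 c3 90 5e c3 55 5f c3")

POP_RDI_RET = bytes.fromhex("5f c3")

# Assumed load addresses: a fixed non-PIE base, and one ASLR-chosen base.
NO_ASLR_BASE = 0x400000
ASLR_BASE = 0x7F3A1C400000


def find_ret_gadgets(code: bytes, max_len: int = MAX_GADGET_LEN):
    """List (offset, bytes) for every byte run of length 1..max_len ending in 'ret'.

    Like real gadget finders this starts at every byte position, not only at
    instruction boundaries, because x86 can be re-decoded from any offset.
    """
    gadgets = []
    for i, b in enumerate(code):
        if b != RET:
            continue
        for length in range(1, max_len + 1):
            start = i + 1 - length
            if start < 0:
                break
            gadgets.append((start, code[start:i + 1]))
    return gadgets


def gadget_address(code: bytes, base: int, gadget: bytes) -> Optional[int]:
    """Virtual address of the first occurrence of `gadget` in `code` loaded at `base`."""
    off = code.find(gadget)
    return None if off < 0 else base + off


def chain_would_work(target_code: bytes, target_base: int, addr: int, gadget: bytes) -> bool:
    """Does transferring control to `addr` in the target process actually run `gadget`?"""
    off = addr - target_base
    if off < 0 or off + len(gadget) > len(target_code):
        return False  # address lands outside the mapped image
    return target_code[off:off + len(gadget)] == gadget


def attack(attacker_code: bytes, attacker_base: int,
           target_code: bytes, target_base: int,
           gadget: bytes, leaked_base: Optional[int] = None) -> bool:
    """Attacker computes the gadget address from their OWN copy of the binary.

    With `leaked_base` (an info leak of the target's load address) the address is
    rebased; without it the attacker uses the address as-is.  Returns whether the
    resulting chain would execute the intended gadget on the target.
    """
    addr = gadget_address(attacker_code, attacker_base, gadget)
    if addr is None:
        return False
    if leaked_base is not None:
        addr = addr - attacker_base + leaked_base
    return chain_would_work(target_code, target_base, addr, gadget)


if __name__ == "__main__":
    print("gadgets in build A:", find_ret_gadgets(BUILD_A))
    print("same build, no ASLR:       ", attack(BUILD_A, NO_ASLR_BASE, BUILD_A, NO_ASLR_BASE, POP_RDI_RET))
    print("same build, ASLR, no leak: ", attack(BUILD_A, NO_ASLR_BASE, BUILD_A, ASLR_BASE, POP_RDI_RET))
    print("same build, ASLR + leak:   ", attack(BUILD_A, NO_ASLR_BASE, BUILD_A, ASLR_BASE, POP_RDI_RET, ASLR_BASE))
    print("rebuilt binary, ASLR + leak:", attack(BUILD_A, NO_ASLR_BASE, BUILD_B, ASLR_BASE, POP_RDI_RET, ASLR_BASE))
```

The four scenarios map onto the thread: a known build at a fixed base works outright; ASLR alone defeats the chain until a leaked base lets the attacker rebase it; and a binary rebuilt with different flags defeats the chain even with the leak, because the `pop rdi; ret` bytes sit at a different offset, so the attacker has to redo the gadget search against the target's actual build (or find a way to read its code).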

