[tor-talk] Continuous Integration for testing application proxy leaks?

Mon Jun 5 08:30:33 UTC 2017

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

grarpamp:
>> Has anyone tried using continuous integration tools like Travis 
>> CI to find proxy leaks in applications? The rough idea I had was 
>> to run all the existing unit/integration tests for the 
>> application, wrapped in something like:
>> 
[snip]
>> 
>> and use grep on the resulting output to find any results that 
>> connect to anything other than the configured proxy. (This 
>> assumes that the application has good test coverage already.)
>> I'm curious if someone has already tried to tackle this, or if 
>> there's a better way.
>> 
>> (H/t to pabouk at https://tor.stackexchange.com/a/118 for the 
>> idea of using strace.)
> 
> Assuming you're not going to read the code to find such instances 
> and test mode is nice but not covering real world usage, caveats, 
> threats and exploits, nor does strace block anything, better to 
> packet filter and log everything default deny. Run all the tests 
> and real world you want inside that.

Just to be clear, the intention here isn't to block proxy leaks, only
to detect them.  I strongly doubt that Travis CI or similar
infrastructure cares about being deanonymized.  Also, "real-world
usage" isn't feasible to automate in CI tests; the main intention is
to identify accidental code that doesn't use the desired proxy, as
soon as it's committed to a project repo or submitted in a pull
request.  Detecting or blocking code that can be exploited to bypass a
proxy is out of scope for my interest.

I suspect that detecting without blocking is actually better than
blocking for this use case, because blocking packets would interfere
with the remainder of the test (and therefore make it difficult to
tell whether any additional leaks were made undetectable by the change
in program behavior caused by the initial leak being blocked).

Hope I'm making sense, and apologies if my initial post was unclear.

Cheers,
- -- 
- -Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: jeremyrandmobile at airmail.cc
Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with OpenPGP.
Please don't send me unencrypted messages.
My business email jeremy at veclabs.net is having technical issues at the
moment.
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJZNRbAAAoJELPy0WV4bWVwZr8QAJW9RiYNv99II3PTlUwoX9U/
kQBIX0SaGyHdpmaMM8yUEkwP2y7dnQ0Re+MW1yu/hpwb4twODcJkkbbmtqj0FnlQ
XbLN2yNfG1H2C6DiwCwg3n3dAVkXvoxO5eRT1SHAhW9C1RFdh2luqOSDLVCUHQfa
9EIeyDh1qCyUseLhq3t5uFxQMdZVjgKSfT0Hqa+78nsLWhT3KlDjpUNtbkHIBI0O
1HFPXwLFxoGetnpnbIJlf9dbvQfrYzgr9484qqB2ySmDjKRo/XpmHG/HC21K5sIk
9XqSwr3KrUVSGCdVSqlblLAYRmuZu/9jBb7cx6m2lPcpw5jbEnJFA7LhaH0JktDX
G7b/XyMSnzlqBj98o/3PKLoivYoEB61IjHfvN2CH6HSpBHIdHszUG05LiML6mTG7
+na6zol3EOLJBcGMnG+KEMjAWf3u99dpi0hC3GWw51vawIFh/wkIq4ROAPv+nWme
SH7WmrYS0fp7ywOiDFIW7M/EaZf3gDp47Fs2aVM2HaXcqOOcw9cCujHKMjnf12Od
CVYDINOqMt6HRd4lRzfIya19GaiEN7XxPz+yTUfW8iazxa3bIbtaoqU7cySvmjFk
7kq+tDjHrr+hTpv2YihKptSYMZM1Z+vX0wA24omG1LtSdj0Iyrul36k+Q2dkYYlA
OrAiuqnQUuwUEqHhXIBC
=OffZ
-----END PGP SIGNATURE-----