Re: [Tails-dev] [Secure Desktops] Tails' MAC 'leak preventio…

Author: intrigeri
Date:  
To: The Tails public development discussion list
Old-Topics: Re: [Tails-dev] [Secure Desktops] Tails' MAC 'leak prevention' question
Subject: Re: [Tails-dev] [Secure Desktops] Tails' MAC 'leak prevention' question
Hi,

intrigeri:
> anonym wrote (22 Dec 2015 16:21:50 GMT) :
>> Patrick Schleizer:
>>> Wouldn't it be possible, and simpler, to block all networking with
>>> iptables to prevent early MAC leaks so kernel module blacklisting could
>>> be avoided?

> After spending hours hunting down #9012 today, I must say I'm
> interested in any solution that does not rely on un-blacklisting
> kernel modules :]

>> I'm not sure it would be simpler. The module blocking approach
>> definitely makes some other parts of the implementation simpler and
>> decoupled so the MAC spoofing system more or less can be plugged into
>> the existing Tails without modifying other parts.

> Right. I'd like to keep this property, and I think we can keep it
> while changing the way we block outgoing connections during boot.

> How about this minimal change:

> a) We remove the modules blacklist logic.
> b) We set up a boot-time firewall that blocks all outgoing connections
>    to non-loopback interfaces.
> c) We keep the udev MAC spoofing hook as-is: when the user hasn't made
>    a decision yet, we don't do anything; if the user has made
>    a decision already, we apply it.
> d) We make all our NM hooks exit early unless the user has made their
>    MAC spoofing decision already, just like most of them exit
>    early unless we're up'ing a non-loopback interface.
> e) Once the user has made their decision wrt. MAC spoofing (that is,
>    in tails-unblock-network, run by PostLogin, just as it is now):

>    1. We record that decision in some place where all legitimate
>       interested parties (at least the MAC spoofing udev hook, and our
>       NM hooks) can check it out.
>    2. We trigger udev, wait for it to settle. The goal here is to have
>       the udev MAC spoofing hook run.
>    3. We replace the boot-time firewall with the production one.
>    4. We start NetworkManager.

Since then, NetworkManager gained the ability to randomize MAC
addresses [1]. If we delegate the bulk of the work to it, then this
becomes:

a) We remove the modules blacklist logic.
b) We set up a boot-time firewall that blocks all outgoing connections
to non-loopback interfaces.
c) Once the user has made their decision wrt. MAC spoofing (that is,
in tails-unblock-network, run by PostLogin, just as it is now):

   1. We record that decision in some place where all legitimate
      interested parties can check it out.
   2. We configure NM accordingly.
   3. We replace the boot-time firewall with the production one.
   4. We start NetworkManager.

Here again, hotplugged interfaces are not as well protected against
permanent MAC address leaks as the coldplugged ones. But this is
a compromise we are already doing in our current design.

Thoughts?

[1] https://labs.riseup.net/code/issues/11293

Cheers!
--
intrigeri
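An added sketch of steps b) and c) of the proposal above as a POSIX shell script; it is not Tails' own code. The decision file path, the NetworkManager drop-in path and the production-firewall script passed as an argument are assumptions; the NetworkManager.conf keys used (wifi.scan-rand-mac-address, *.cloned-mac-address) are real settings.

```shell
#!/bin/sh
# Example only, not Tails' implementation. Paths below are hypothetical.
IPTABLES="${IPTABLES:-iptables}"
DECISION_FILE="${DECISION_FILE:-/run/tails-mac-spoof-decision}"           # hypothetical path
NM_CONF="${NM_CONF:-/etc/NetworkManager/conf.d/00-tails-mac-spoof.conf}"  # hypothetical path

# b) Boot-time firewall: refuse every outgoing packet except on loopback,
#    so nothing leaves a non-loopback interface before the user has decided.
boot_firewall() {
    "$IPTABLES" -P OUTPUT DROP &&
    "$IPTABLES" -F OUTPUT &&
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
}

# c.1) Record the decision where the udev and NM hooks can read it back.
#      An absent file means "no decision yet", which is what hooks test for.
record_decision() {
    case "$1" in
        spoof|nospoof) printf '%s\n' "$1" > "$DECISION_FILE" ;;
        *) printf 'unknown MAC spoofing decision: %s\n' "$1" >&2; return 1 ;;
    esac
}

# c.2) Translate the recorded decision into a NetworkManager drop-in.
#      "random" = fresh MAC per connection, "permanent" = hardware MAC.
nm_mac_config() {
    read -r decision < "$DECISION_FILE" || return 1
    case "$decision" in
        spoof)   mode=random ;;
        nospoof) mode=permanent ;;
        *)       return 1 ;;
    esac
    cat > "$NM_CONF" <<EOF
[device-tails-mac]
wifi.scan-rand-mac-address=yes

[connection-tails-mac]
ethernet.cloned-mac-address=$mode
wifi.cloned-mac-address=$mode
EOF
}

# c.3 + c.4) Swap in the production firewall (a script supplied by the
#      caller, hypothetical here), then start NetworkManager.
unblock_network() {
    record_decision "$1" && nm_mac_config && "$2" && systemctl start NetworkManager
}
```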