Re: [Tails-dev] Reducing attack surface of kernel and tighte…

Delete this message

Reply to this message
Author: Jacob Appelbaum
Date:  
To: The Tails public development discussion list
New-Topics: [Tails-dev] minimalist/anonymity-preserving DHCP clients [was: Re: Reducing attack surface of kernel and tightening firewall/sysctls]
Subject: Re: [Tails-dev] Reducing attack surface of kernel and tightening firewall/sysctls
On 12/4/14, Oliver-Tobias Ripka <otr@???> wrote:
> Hi,
>
> I retried the test but deleted the lease files from the directory you
> mentioned before reconnecting. I now see a complete DHCP DORA
> (Discovery, Offer, Request, Ack) on the wire. So nothing gets blocked. I
> would also expect that just doing a renewal (request, ack) should be
> blocked as the Ack is a response to the request.


That sounds good all around.

>
> Doing some research I found that one possible explaination is that the
> dhclient uses raw sockets which get the packet even if netfiler rules
> are in place [1], [2].


Yes. dhclient uses raw sockets to get around the rp_filter in the
kernel, for one.

>
> This seems to be true: lsof -f | grep dhclient:
>
> dhclient  7946 root    5u     pack 34603 0t0 ALL type=SOCK_PACKET
> dhclient  7946 root    6u     IPv4 34605 0t0 UDP *:bootpc
> dhclient  7946 root   20u     IPv4 34571 0t0 UDP *:45935
> dhclient  7946 root   21u     IPv6 34577 0t0 UDP *:44461

>
> One would need to dig deeper into the dhclient code in order to check if
> this RAW socket is really necessary and if there are e.g. compile time
> options that would allow to just use UDP sockets (note also that
> dhclient does both it opens udp:68 and a raw socket) that would be
> filterable by the firewall.


I'm currently working with a friend on a privilege separated dhcp
client that does not need raw sockets. It is in the early stages but
it is able to do the network lease without being root and without
having a raw socket. It is surprising that absolutely no one has done
this in the past. I think everyone just looked at the ISC DCHP code
and cargo culted from that point forward.

>
> In general it might be better for security to have a derooted DHCP
> client that does not need CAP_NET_RAW and also has less attack surface
> then dhclient (C code + shell scripts).


I completely agree. The DHCP client in Tails is a major attack vector.
I think that we could patch the ISC daemon, for example, to do some
tricks - if we didn't want an outright replacement. If anyone is
interested in this and would actually use some patches. I'm wary of
starting such a process if it will not be used. I'd rather focus on
writing a totally different dhcp client from scratch. My experience
with writing tlsdate really influences me on this with regard to
Tails.

> Maybe use a small replacement
> client that does only support bare minimum needed to get an IP4/6 and
> not the whole spec (instead of trying to fix dhclient)? Anyways, some
> efforts for dhclient are made here [3].


I think a simple DHCP client is quite straight forward - integration
with Network-Manager is probably more difficult than a simple DHCP
network client.

All the best,
Jacob