Re: [Tails-dev] Reducing attack surface of kernel and tighte…

Delete this message

Reply to this message
Author: Oliver-Tobias Ripka
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Reducing attack surface of kernel and tightening firewall/sysctls

According to Jacob Appelbaum on Thu, Dec 04 2014:

> On 12/4/14, Oliver-Tobias Ripka <otr@???> wrote:
> > According to anonym on Thu, Dec 04 2014:
> >
> >> FWIW I experienced no issues during my tests with *only* ESTABLISHED in
> >> both the INPUT and OUTPUT chains so neither NEW nor RELATED seems
> >> essential for the basic usage I tested. And of course the above
> >> "exploits" didn't work due to the absence of NEW.
> >
> > You're right it work with ESTABLISHED only. This is due to whitelisted
> > rule for the debian-tor user that may send any kind of packet.
> That is what I'd expect, yes. We should also tighten that user down as
> well. What do you think for the first iteration?

For the first iteration it is probably good to implement the changes
suggested by you and tweaked by anonym: that is to narrow the stateful
rules down to ESTABLISHED. At the same time we should be able to change
the debian-tor rule to allow only NEW TCP packets, disallowing all other

For the potential PATH MTU problem I saw Tor using fixed sizes segments
that are quite small (about 500bytes). Thus PATH MTU should not be a
problem besides extreme cases of network misconfiguration.

Actually it might be a good idea to block these messages because if the
network stack reacted to these ICMP messages it might allow a remote
attacker to artificially lower the MTU of the segments sent. This may
potentially make it easier to deanonymize a Tor user, I guess. Not sure
if Tor can protect against this kind of attack as this may happen on
the Kernel layer.

You asked how to test it. Well I currently don't have a real router
which I can configure to provide such a low MTU. But using software
tools it is possible to simulate this: 1. route Tails through a Linux box
with low MTU on the WAN interface. (Linux should send ICMP DF) 2. route
Tails through Linux box with iptables rule dropping large packets and
scapy script sniffing an sending ICMP DF for each large packet.