Re: [Tails-dev] Ethtool & sysctl.conf hardening per Cryptost…

Delete this message

Reply to this message
Autor: Daniel Kahn Gillmor
Data:  
A: Dr. Killswitch\, D.V.M., intrigeri
CC: pj, tails-dev
Assumpte: Re: [Tails-dev] Ethtool & sysctl.conf hardening per Cryptostorm
Hi! thanks for reporting this. I'm afraid i find this report rather
breathlessly scary-sounding but short on concrete details that i can
understand. It's possible i'm just ignorant. Please enlighten me.
Specific requests for clarification follow.

On Tue 2015-07-07 11:15:15 -0400, Dr. Killswitch, D.V.M. wrote:

> Briefly, a long time ago CPUs were much less capable and it made sense to
> offload portions of the TCP/IP stack to network cards. These offloads have
> been correlated with Duqu Bet's injection phase,


If your goal is to disable TCP offload engines[0] because of concerns
about their vulnerability to firmware modification, please just say so
directly.

[0] https://en.wikipedia.org/wiki/TCP_offload_engine

Is this attempting to address anything other than a malicious TOE?

Your proposed patches modify all sorts of settings, all over the
networking layer, many of which do not appear to be related to TOE.

Maybe you could separate those out so we can discuss them individually?

> as I recall it had to do with the ability to sneak a 302 redirect into
> a TCP stream.


Presumably this is done directly in the offload engine's firmware, not
done remotely -- a remote attack could just modify the TCP stream
itself. The choice of injection seems arbitrary. your report is
confusing because it mixes things at the application layer (302 redirect
is an HTTP-ism) with things at the transport layer (TCP).

> Once the ethtool parms and sysctl are put into play, it filters out a
> great deal of trouble.


concretely, please state what trouble is being addressed here.

If the trouble is specifically "one possible channel of traffic
injection attack for potentially malicious NIC firmware", then it would
be clearer to leave it at that and provide a narrowly-targeted changeset
that explicitly disables TOE.

OTOH, given that the actual NIC hardware should see nothing but streams
to and from the Tor guard node, it's hard to see how a TCP-layer
injection of anything (much less a 302 redirect) is a risk for users of
Tails.

> There are some before/after pcaps, I have not inspected them
> personally.


Can you provide pointers?

> There is another complication concurrent with the ability to do 302
> redirects - there are apparently a lot of odd glyph sets and weird css
> flying around - intrusion payloads being injected mid-stream. The front
> page for the Agora dark net market was found to vary greatly depending on
> how one approached it, then the troubles spread to most of the other
> markets.


again, if these payloads (of whatever form) are being injected by a
malicious TCP offload engine, i'm not sure that makes any sense as an
attack on a system whose only external physical network traffic is to
its chosen Tor guard node. can you explain?

    --dkg