About the security implementations in Tor

Tor is a very interesting project and is unique of its kind. Tor is not perfect but Tor is designed to prevent many of the known and unknown vulnerabilities. This article will describe some of the security implementations in Tor and how they try to mitigate some of the known attacks.

This article will only cover a small portion of everything. There is much to say about hidden services and how researcher have been attacking Tor-network in the past.


Tor's threat model

Listed below are some of the threats against Tor, or ways to attack Tor and the network in order to de-anonymize clients. All of these things are very important to protect against. Together they make the world biggest privacy and censorship circumvent network used by millions worldwide access the free Internet.

Global data surveillance

Tor make use of three hops. This connection is called a circuit and is kinda randomly selected. The reason behind three hops is because it does not create too much latency. The hops are used to make it hard to analyze where the traffic is coming from and where it exits the Tor-network. By using more hops you are not more protected. An attacker just needs to control the guard and exit relay to be able to have a quite precise chance of knowing a client's IP.

Example of a Tor-circuit using four, instead of three (standard) hops. An attacker only needs to control the first and last relay, not the ones in between.

This is an example of a correlation attack. They can be deployed within the Tor-network by setting up relays in hope that a client will choose both your exit and guard relay.

Because the exit relay is the one talking to both the client and server, the exit relay can be exploited in order to de-anonymize the client. The exit relay can perform several attacks such as sniffing after plaintext that may contain personally identifiable information and inject data into the traffic. The exit relay have a big role in the network and operators are encouraged to run an exit relay

Intrusion and real time de-anonymization

Tor has several security mitigation against vulnerability exploitation. This is very important because exploitation of the Tor-process will give an attacker access to sensitive data which will be able to use in correlation attacks such as described above.

Targeted attacks against specific users

It's could possible to de-anonymize specific Tor-users with different browser related exploits. This can be done by using browser tracking methods and binary exploitation. Tor-clients are often using the Tor Browser Bundle which is a custom and identical build of Mozilla Firefox ESR. Because of this, an attacker can find an exploit to the Tor Browser Bundle to be able to exploit a big portion of the web browsing clients on the Tor-network.

Sybil attacks

Because Tor is much decentralized, Sybil attacks may be a way to gain control in the network. By deploying many relays an attacker are increasing the chances of a client using the attackers evil relays.


Tor-options

Described below are some of the more important security implementations in Tor. All of these are options that can be changed. Most of them are enabled by default. In fact, Tor works very well with the default options.

DisableAllSwap

The DisableAllSwap option in Tor specifies if the Tor-precces is allowed to write data in the swap area. Swap is used by many different operating systems and is a portion on the harddrive. This file contains violate data that did not fit into the RAM. If you have 4Gb in RAM and manages to fill all of this, processes may start to write temporary data to the swap space instead.

As stated earlier, swap is stored on the harddrive. This means that you can read the harddrive at any point to extract out information from the swap area. Often can this data be valuable and include information such as passwords, private keys and other sensitive data.

By not allowing Tor to write any data in the swap area, this may protect if malware reads the swap space to be able to extract sensitive information in order to deanonymize Tor-users. It may also help post-mortem where the harddrive gets stolen or confiscated by the Police where the forensics extract information that may be used to deanonymize Tor-users in different ways.

AvoidDiskWrites

The AvoidDiskWrites options simply instructs the Tor process to never write anything to disk. This is of course desirable in many situations, mostly because Tor never saves any sensitive data.

MyFamily

Tor tries to solve Sybil attacks in a few ways. The first thing is that Tor selects three Guard nodes to be used and stick with them for a long time (several weeks). This minimizes the risk of an attacker having control over both the Guard and exit node (the exit and middle relay changes often).

The MyFamily option is a way of preventing Sybil attacks. A relay operator can publicly list all the relays that the operator controls. When a client builds a circuit, no effective family relationships are allowed. An effective family is two or more relays that both have stated that they are within the same family.

If an attacker manages to hack the relay operators computer and steal the ssh passwords to both relays, the attacker will not be able to control 2 of 3 relays in a circuit.

EnforceDistinctSubnets

The EnforceDistinctSubnets option is also used to try preventing Sybil attacks. This option does not let 2 or more servers in a circuit to be within the same /16 range. That is 65536 different IP-addresses!

Sandbox

Tor can make use of a syscall sandbox - the seccomp2 sandbox. This mechanism whitelists system calls that are allowed to be made by the Tor process.

By whitelisting only the most necessary system calls, you may be protected if a vulnerability gets exploited because this will prevent the hacker to freely make use of system operations that may compromise the whole system.

DisableDebuggerAttachment

This option will try to prevent basic debugging techniques for the Tor-process. By debugging processes, an attacker will gain much information about the process and easier be able to exploit vulnerabilities. An attacker can also alter the flow of the process in different ways.

By disallowing some debugger attachments the Tor process may be protected against local malware attacks trying to extract information about the running Tor instance in order to exploit vulnerabilities or deanonymize users.

ServerDNSRandomizeCase

The ServerDNSRandomizeCase tries to detect basic DNS-poison attacks. This is made with the so called 0x20 hack. With this method the exit relay tries to randomize the letter case in domain look ups. If example.com is cached to an IP of 1.3.3.7, the exit relay will do a name lookup for eXaMplE.coM which may not be altered by the attacker and therefore pointing to the correct IP.

An attacker can however generate all the possible cache entries and point them to an evil IP so this is not a perfect solution, but the method is not supposed to protect against all DNS-cache poisoning attacks.

EntryNodes and ExitNodes

A Tor-client can choose which relays that should be allowed within a circuit. This can be set either by nickname, fingerprint or geographic location. The latter is the most important because a country may have laws that forces relays to save in-and outgoing IP-traffic. With this information it can be possible to de-anonymize Tor-users.


Sources:

  1. Security and anonymity vulnerabilities in Tor

  2. Dr Gareth Owen: TOR - Attacks and Countermeasures

  3. https://www.torproject.org/docs/tor-manual.html.en

If you would like me to write a part 2 you can tell me via Twitter.