[prev in list] [next in list] [prev in thread] [next in thread]
List: tor-dev
Subject: Re: [tor-dev] Different trust levels using single client instance
From: Michael Rogers <michael () briarproject ! org>
Date: 2016-10-31 16:11:14
Message-ID: 244350f2-895a-c7cc-bb3c-9a354d1bf2e0 () briarproject ! org
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
[Attachment #4 (multipart/mixed)]
[Attachment #6 (multipart/mixed)]
On 21/10/16 21:38, bancfc@openmailbox.org wrote:
> Cons:
> *Some unforeseen way malicious VM "X" can link activities of or
> influence traffic of VM "Y"
> **Maybe sending NEWNYM requests in a timed pattern that changes exit IP=
s
> of VM Y's traffic, revealing they are behind the same client?
> **Maybe eavesdropping on HSes running on VM Y's behalf?
> **Something else we are not aware of?
If each VM has full access to the control port, even something as simple
as "SETCONF DisableNetwork" could be used for traffic confirmation.
ExcludeNodes, ExcludeExitNodes and MapAddress could be used to force
another VM's traffic through certain nodes.
Bandwidth events could be used for traffic analysis of another VM's traff=
ic.
ADDRMAP events look like they might leak information about the hosts
another VM connects to. Likewise DANGEROUS_PORT leaks information about
ports, HS_DESC about HS descriptor lookups.
I'm not sure if covert channels between two VMs (e.g. for exfiltration)
are part of your threat model, but events would be a rich source of
those too.
Cheers,
Michael
["0x9FC527CC.asc" (application/pgp-keys)]
["signature.asc" (application/pgp-signature)]
[Attachment #11 (text/plain)]
_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic