Tor + SELinux sandbox = leak proof without VM overhead?
coderman
coderman at gmail.com
Mon Aug 23 17:56:53 UTC 2010
On Sat, Aug 21, 2010 at 5:55 PM, Gregory Maxwell <gmaxwell at gmail.com> wrote:
> ...
> I think it's obvious that the best way of using tor is running your
> torified apps in a VM which can only access the outside world via
> TOR. This provides the highest protection from network leaks and also
> partially thwarts fingerprinting. But I can only assume that the
> 'cost' (performance, complexity, etc) of using a VM for tor is too
> high for many people— otherwise we would insist that anyone who wants
> anonymity operate that way.
not a silver bullet, but tends to fail safer.
the "costs" include:
- elevated privs for accelerated virtualization / para-virtualization.
Tor by default does not require such.
- additional resource consumption. isolated os, network stacks, and
applications require additional memory and CPU.
- only solves part of the problem; you still need Torbutton and other
application-level protections, even if direct proxy-bypass type
disclosures of endpoint or identity are mitigated.
ideally this model would apply across the entire user experience, see qubes:
http://qubes-os.org/Home.html
> Has anyone looked into using the SELINUX sandbox
> (http://danwalsh.livejournal.com/28545.html) to prevent leaks? The
> sandbox provides a high degree of application isolation. It looks
> like it would be pretty much trivial to add an option to the sandbox
> front end program to only allow accesses to the tor socks port from
> the isolated app.
developing and maintaining a robust RSBAC policy is non-trivial. that
said, these are complementary techniques. a strong RSBAC model around
and within virtual machine based isolation provides additional defense
against application errors, vm break-outs, etc.
it doesn't help that a lot of the good SELinux policy development /
management tools are closed source / proprietary. it's not the only
game in town...
> With this, users on supporting platforms wouldn't have to use
> wireshark to figure out if, say, pidgin, is leaking via DNS. They
> could simply run the app inside the sandbox and be sure of it.
there's RSBAC bypass just like vm break-out; anyone claiming
infallibility is smoking something or selling you lies...
> Does this sound like a practice which should be refined and recommended?
absolutely! you could submit a series of policies for various Tor
modes of operation and solicit feedback / commit to contrib.
***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
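The thread turns on two concrete points: what "only allow access to the Tor SOCKS port" means as an egress rule for a sandboxed application, and why an application that resolves names itself (the Pidgin DNS case above) leaks even when its TCP traffic goes to the proxy. The following is an added example, not code from either poster or from the Tor or SELinux projects. It models the SOCKS-only rule as a check over a constructed list of connection attempts, then shows the SOCKS5 request shape that keeps name resolution inside Tor. Assumptions not stated on the page: Tor listens on 127.0.0.1:9050 (its default SocksPort), and the sample connection records are constructed.

```python
# Added example (not from the original thread or from Tor): models the egress
# rule "only TCP to Tor's SOCKS port" and the SOCKS5 request that avoids a
# local DNS lookup. Assumptions: Tor on 127.0.0.1:9050; SAMPLE_CONNS is
# constructed test data, not a captured log.
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

TOR_SOCKS = ("127.0.0.1", 9050)  # assumption: default Tor SocksPort


@dataclass(frozen=True)
class Conn:
    """One socket the sandboxed app tried to open (constructed test data)."""
    proto: str  # "tcp" or "udp"
    dst: str    # destination address as the app saw it
    port: int


def is_leak(c: Conn, allowed: Tuple[str, int] = TOR_SOCKS) -> bool:
    """Under a SOCKS-only sandbox the app may open exactly one kind of socket:
    TCP to the Tor SOCKS port. Anything else bypasses Tor: UDP/53 is the
    classic DNS leak, direct TCP to the site is a proxy bypass, and no IPv6
    destination can be Tor's loopback port."""
    return not (c.proto == "tcp" and (c.dst, c.port) == allowed)


def leaks(conns: Iterable[Conn]) -> List[Conn]:
    """Return the connection attempts a SOCKS-only policy would deny."""
    return [c for c in conns if is_leak(c)]


# RFC 1928 SOCKS5 constants
SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def socks5_greeting() -> bytes:
    """Client hello offering only the 'no authentication' method."""
    return bytes([SOCKS_VER, 0x01, 0x00])


def socks5_connect_request(host: str, port: int) -> bytes:
    """CONNECT carrying the hostname (ATYP 0x03).

    Handing Tor the name is what prevents the DNS leak: an app that calls
    getaddrinfo() itself and then sends an IPv4 ATYP has already resolved
    the name through the local resolver, outside Tor.
    """
    hb = host.encode("idna")
    if not 1 <= len(hb) <= 255:
        raise ValueError("SOCKS5 domain names are 1..255 bytes")
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    header = bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(hb)])
    return header + hb + struct.pack("!H", port)


def parse_socks5_reply(data: bytes) -> Tuple[int, str]:
    """Return (REP code, text) from a SOCKS5 CONNECT reply.

    The bound address is of no use to a client behind Tor, so only the
    framing is validated (without trusting the length byte blindly).
    """
    if len(data) < 4 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        need = 4 + 4 + 2
    elif atyp == ATYP_IPV6:
        need = 4 + 16 + 2
    elif atyp == ATYP_DOMAIN:
        need = 4 + 1 + (data[4] if len(data) > 4 else 0) + 2
    else:
        raise ValueError("unknown ATYP in reply")
    if len(data) < need:
        raise ValueError("truncated SOCKS5 reply")
    return rep, REPLY_TEXT.get(rep, "unassigned reply code")


# Constructed log: what an unsandboxed chat client might do on connect.
SAMPLE_CONNS = [
    Conn("udp", "192.0.2.53", 53),       # local resolver: DNS leak
    Conn("tcp", "127.0.0.1", 9050),      # the only socket we want to see
    Conn("tcp", "198.51.100.7", 5222),   # XMPP straight to the server: bypass
    Conn("tcp", "2001:db8::1", 443),     # IPv6 direct: bypass
]

if __name__ == "__main__":
    for c in leaks(SAMPLE_CONNS):
        print(f"LEAK {c.proto} {c.dst}:{c.port}")
    print(socks5_connect_request("example.onion", 80).hex())
    print(parse_socks5_reply(b"\x05\x00\x00\x01" + b"\x00" * 6))
```

The `is_leak` rule is the policy a sandbox would enforce, written as a check rather than as SELinux policy: it is what the sandbox's denials (or a packet capture taken from outside the sandbox) should be compared against. Running a client under such a rule proves the absence of bypasses, but the SOCKS5 half shows the remaining application-level requirement the thread raises: the client must send ATYP 0x03 with the hostname, or it will have performed the DNS query before the sandbox-permitted connection is ever made.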