[tor-talk] Hidden service security w. Apache/Win32

Ondrej Mikle ondrej.mikle at gmail.com
Mon Feb 20 19:57:18 UTC 2012


On 02/20/2012 05:06 PM, Ralf-Philipp Weinmann wrote:
> On 2012-02-19 19:58 CET, Ondrej Mikle wrote:
> 
>> Addendum for truly "uberparanoid" installation:
>>
>> [various "best practices"]
>>
>> With the uberparanoid installation, the greatest risk is a return-to-libc-style
>> attack on Tor where the attacker instructs Tor to make a circuit to a node
>> controlled by the attacker, thus revealing the IP.
> 
> So this is the part where you should realize how futile all of that pain of setting up policies is…

I disagree. Even without RBAC, grsecurity makes ROP-style attacks damn hard.
Many tricks I've seen for defeating ASLR and other anti-ROP mitigations required
some side-channel knowledge. This is where the policy can do a good job at
stopping the attacker from gaining such side-channel information.

Since with Gentoo you compile everything with your own settings of
compiler/linker and whatnot, that alone makes it hard for an attacker to search
for "gadgets" (pieces of code that can be used for ROP).

Is the additional RBAC policy worth it? Depends on your threat model. I've had a
server running with grsecurity RBAC enabled for experimentation several years
ago. The policies took a few days to write, but that's far from "unfeasible".

Ondrej
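Added illustration (not part of Ondrej's post, nor code from Tor or grsecurity) of why a locally compiled binary complicates gadget hunting. The scanner below looks for the most basic x86-64 ROP gadget, "pop <reg>; ret", at every byte offset, so it also finds "unintended" gadgets that sit inside longer instructions or inside immediate constants. It is run over two hand-constructed byte strings that stand in for the same function built with two different compiler settings (frame pointer kept vs. omitted, different callee-saved register, a constant folded away); the byte sequences are assumptions written for the example, not output of any real compiler. The point it shows: the gadgets an attacker would need live at different offsets, and in one build exist only because of a constant in the code, so a gadget list prepared against a distribution binary does not transfer to a build with different flags.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* One gadget hit: byte offset into the scanned code plus the popped register. */
typedef struct {
    size_t offset;
    const char *reg;
} gadget_t;

/* Scan x86-64 machine code for "pop <reg>; ret" gadgets.
 * Encoding: pop rax..rdi = 0x58..0x5f, pop r8..r15 = 0x41 0x58..0x5f, ret = 0xc3.
 * The scan tests every byte offset, not just instruction boundaries, because a
 * ROP chain can jump into the middle of an instruction. Returns the number of
 * gadgets found; stores up to max of them in out (in address order). */
size_t find_pop_ret(const unsigned char *code, size_t len, gadget_t *out, size_t max)
{
    static const char *regs[16] = {"rax","rcx","rdx","rbx","rsp","rbp","rsi","rdi",
                                   "r8","r9","r10","r11","r12","r13","r14","r15"};
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        int reg = -1;
        if (code[i] == 0x41 && i + 2 < len &&
            code[i+1] >= 0x58 && code[i+1] <= 0x5f && code[i+2] == 0xc3) {
            reg = 8 + (code[i+1] - 0x58);          /* REX.B prefix: pop r8..r15 */
        } else if (code[i] >= 0x58 && code[i] <= 0x5f && code[i+1] == 0xc3) {
            reg = code[i] - 0x58;                  /* pop rax..rdi */
        }
        if (reg >= 0) {
            if (n < max) { out[n].offset = i; out[n].reg = regs[reg]; }
            n++;
        }
    }
    return n;
}

/* Constructed "build A" (assumed -O2 style, frame pointer kept):
 *   push rbp; mov rbp,rsp; push rbx; sub rsp,8; mov eax,0xc35f;
 *   add rsp,8; pop rbx; pop rbp; ret
 * The immediate 0xc35f is little-endian bytes 5f c3, i.e. an unintended
 * "pop rdi; ret" gadget at offset 10. The real epilogue gives "pop rbp; ret" at 19. */
const unsigned char build_a[] = {
    0x55, 0x48, 0x89, 0xe5, 0x53, 0x48, 0x83, 0xec, 0x08,
    0xb8, 0x5f, 0xc3, 0x00, 0x00,
    0x48, 0x83, 0xc4, 0x08, 0x5b, 0x5d, 0xc3
};

/* Constructed "build B" (assumed frame pointer omitted, r12 used instead of rbp,
 * constant optimised into xor eax,eax):
 *   push r12; push rbx; sub rsp,8; xor eax,eax; add rsp,8; pop rbx; pop r12; ret
 * Gadgets: "pop r12; ret" at 14, and the unintended "pop rsp; ret" at 15 obtained
 * by jumping one byte past the REX prefix. The rdi and rbp gadgets are gone. */
const unsigned char build_b[] = {
    0x41, 0x54, 0x53, 0x48, 0x83, 0xec, 0x08, 0x31, 0xc0,
    0x48, 0x83, 0xc4, 0x08, 0x5b, 0x41, 0x5c, 0xc3
};

static void report(const char *name, const unsigned char *code, size_t len)
{
    gadget_t g[16];
    size_t n = find_pop_ret(code, len, g, 16);
    printf("%s: %zu pop/ret gadget(s)\n", name, n);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("  offset %2zu: pop %s; ret\n", g[i].offset, g[i].reg);
}

int main(void)
{
    report("build A", build_a, sizeof build_a);
    report("build B", build_b, sizeof build_b);
    return 0;
}
```

A real gadget finder (ROPgadget, ropper) does the same sliding-offset scan with a full disassembler over the whole text segment; the two-pattern matcher here is enough to show that the gadget inventory is a property of the exact bytes the compiler and linker emitted, which is what a per-site Gentoo build changes.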

