[tor-talk] Review request: TorVM implementation in Qubes OS

Abel Luck abel at guardianproject.info
Fri Oct 19 10:18:25 UTC 2012


adrelanos:
> Abel Luck:
>> adrelanos:
>>> Hi,
>>>
>>> Is it Amnesic or can it be made Amnesic?
>>>
>>> Or in other words.... Can you be sure, that after deleting (or wiping)
>>> the torified AppVM no activity can not be reconstructed with local disk
>>> forensics? Could the torified AppVM be securely wiped without any
>>> leftovers? (Leftovers such as swap, or what else?)
>>
>> Regarding deletion of the VM: I was under the impression secure deletion
>> was not possible on modern SSDs.
>>
>> On the other hand, it should be possible to create an AppVM whose
>> writeable diskspace lies in enitrely in RAM.  I'll investigate this.
>>
>>>
>>> Is Tor's data directory persistent, i.e. does it use Entry Guards?
>>>
>> I've not configured this explicitly, do you have any suggestions?
> 
> Tor Browser Bundle users are using persistent Entry Guards.
> 
> Final goal should be to share the same fingerprint with them (web
> fingerprint, traffic fingerprint for local observer). If you manage to
> use Tor Browser in the AppVM and Entry Guards in the TorVM, the
> fingerprint should be the same. Except, that you added strong security
> by isolation for the case of a browser exploit.
> 
> Whonix uses persistent Entry Guards and Tor Browser.
> 
> Persistent Entry Guards are planed for Tails.
> https://tails.boum.org/todo/persistence_preset_-_tor/
> https://tails.boum.org/todo/persistence_preset_-_bridges/
> 
> Tor Browser is planed for Tails.
> https://tails.boum.org/todo/replace_iceweasel_with_Torbrowser/
> 
> Persistent Entry Guards are considered for Liberte Linux:
> Please see recent thread "[tor-talk] Location-aware persistent guards".
> 
> So the answer is yes, I in most cases I recommend persistence for Entry
> Guards and Tor's data dir. The same goes for Vidalia, since it can be
> used to configure Tor and bridges.
> 
> Some further thoughts on persistent Entry Guards:
> On the other hand, non-persistent Entry Guards are more amnesic. So if
> you decide to add a amnesic feature, that should be also possible to do
> with the TorVM.
> 
> There is also in the thread "[tor-talk] Location-aware persistent
> guards" or in the linked ticket
> https://trac.torproject.org/projects/tor/ticket/2653 are though, that
> non-persistent Entry Guards are better suited for people who travel a
> lot / Live CDs.
> 

Hm, interesting. I definitely need to implement persistent entry guards
then, but providing an amnesiac option will be difficult. When would the
user choose such an option, and where?

>> Here's the tor config:
>>
>> https://github.com/abeluck/qubes-addons/blob/master/qubes-tor/start_tor_proxy.sh
>>
>>> Are hardware serials, such as BIOS DMI information, hdd serials etc.
>>> hidden? (For a more comprehensive list of hardware serials and how to
>>> test if them are visible, you could check Whonix less important
>>> protected identifies as reference. [1])
>>>
>> I'm fairly certain this is the case, seeing as how these are all VMs
>> (xen is the hypervisor), but I've not verifier the hunch so I can't make
>> this claim
>>
>> Hm, if you use the Qubes feature that lets you assign PCI (or USB)
>> devices to a VM, then obviously, no.
>>
>> Thanks for the link, I'll investigate some more.
>>
>>> Cheers,
>>> adrelanos
>>>
>>> [1]
>>> https://sourceforge.net/p/whonix/wiki/Security/#less-important-identifies
>>> _______________________________________________
>>> tor-talk mailing list
>>> tor-talk at lists.torproject.org
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>>
>>
>> _______________________________________________
>> tor-talk mailing list
>> tor-talk at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>
> 
> _______________________________________________
> tor-talk mailing list
> tor-talk at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> 



More information about the tor-talk mailing list