[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Practical deanonymization using CPU load covert channels

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Practical deanonymization using CPU load covert channels
From: Ethan White <ethanwhite@xxxxxxxxxx>
Date: Sat, 30 Jul 2016 14:51:57 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 30 Jul 2016 14:52:30 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rogers.com; s=s2048; t=1469904718; bh=cBdLpfPJ10ow/UIelZub3bFKlaxzytwEt4Wr0hjJK+o=; h=Date:From:To:Subject:References:In-Reply-To:From:Subject; b=GrzFiS5dmhYmIrlxkCxAHMLUI0gyJBNmLYue9duYUNPEDnzy8fiwaIea4brnLlpNK0yHje31TdLtLN4JHNzwIZLHVUDPiMV5N2CqpAbS3NeCNYQd9g6svffr1F4OXxE8ME53rIxCa66TY/qLtX+bsRqNj+NmwwPKk3dzd6KpVyTV/puJPWuL9uNwmFbpr9/fm5OCyF1OvI2b/unoLj9g7MrbPIVdym62byMkS8BGp0RIigHBTrLEQ7m9SFemyXlT8dFy5H0LTKdd4CQCycor59yn0TxEWB3pX/YDp6k5TJTWWrDVXeqp1aDD/njgrQjQLzQ6yg1kPnsPwC67b+7hXg==
In-reply-to: <17835a584e48f8749d46ca5c41454309@openmailbox.org>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <17835a584e48f8749d46ca5c41454309@openmailbox.org>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.8.0

A recap (since this thread is about 2 weeks old): Ping latency decreaseswhen CPU usage is high. If an adversary can influence CPU usage (i.e.JavaScript, GZIP decompression, expensive public-key crypto), then theycan use this as a covert channel to transmit data. (Imagine: someonecompromises a SecureDrop installation, and adds JavaScript, or a seriesof large, GZIP-compressed pages in iframes, to cause a distinctive CPUusage pattern. They then observe ping latencies of hundreds of peoplethey suspect of being whistleblowers (imagine: every NSA employee). Thisshould all be possible over the open Internet, but it may be necessaryto wait for the target to use public Wi-Fi or similar to get lowerlatencies and/or not be thwarted by a NAT.)

First off, when I initially posted here, I wasn't sure why ping latencywould decrease. some_guy123 suggested that it is CPU c-states causingit, and I can confirm that disabling c-states does completely preventthis attack. This looks promising. However, I've seen it increase idlewattage by up to 60%, and I've seen it increase the CPU temperature byup to 10 degrees Celsius, so more casual users would possibly want toavoid this.

> Limiting CPU resources for Tor as opposed to the browser component iswhat counts? (both are separate in the Whonix model)

First off, just limiting the CPU usage won't prevent this attack. Forexample, using very simple tools (i.e. ping and Python scripts), I wasable to detect the presence of a process using only 50% of only one CPU.As long as the adversary has the ability to influence CPU usage, theycan utilize this covert channel.

> The cgroup equivalent for a hypervisor is to limit the number of CPUsthe Tor VM has access to? (currently one core - on a quad-core systemthat's the 25% limit you recommend)

> Setting the Tor process to use nice 19 should take care of the pingtimings you mention?

What I was trying to get at was the idea that we could run everythinguntrusted in a VM, which I creatively call the /untrusted VM/. Thisincludes processes such as Tor Browser or Thunderbird or perhaps evenGPG that perform complex computations on potentiallyadversary-controlled data that would could for distinctive CPU usagepatterns. Then, we could run a program such as `stress` (available inthe Debian repositories) with a niceness of +19 in order to force theCPU usage on that VM to 100% all the time. Thus, although processesrunning in that VM wouldn't be slowed down by the running instance of`stress`, as it's running with a high niceness, they would be unable toincrease CPU usage at all. This completely thwarts the attack. It mightbe a good idea to limit the VM to 25% CPU to save power.

However, the suggestion of disabling c-states more or less obsolescesthis suggestion, as the `stress` solution could easily decrease batterylife by 2-3x, whereas I've never seen wattage even double from disablingc-states.

> Taking into account that some users connect to the clearnet usingsystem running Whonix, do these mitigations still hold up?

Unless I've missed something, this shouldn't affect either mitigationI've proposed. However, this would put users at risk of a vanilla"Load-based Covert Channels between Xen Virtual Machines"-style attack.

To be clear, at this point, I'm leaning towards providing an option inTails and Whonix to disable c-states, perhaps in the form of a GRUBentry (this would likely be a very small change in an installationscript); see [1]. However, I think we wouldn't want to enable it bydefault; I'd guess that most users aren't willing to sacrifice 60% oftheir battery life to prevent this attack.


1. https://access.redhat.com/articles/65410

On 15/07/16 10:37 PM, bancfc@xxxxxxxxxxxxxxx wrote:

Hi. Whonix collaborator here. We've given a lot of thought to manytypes of clock based attacks including the one you are researching sowe are interested to know more about how this applies to our platform.
To run Whonix in KVM please see the relevant steps here [0]. Let meknow if you have any further questions on setting it up.
Re-adjusting some of the terms you use to apply to VMs:
* Limiting CPU resources for Tor as opposed to the browser componentis what counts? (both are separate in the Whonix model)
* The cgroup equivalent for a hypervisor is to limit the number ofCPUs the Tor VM has access to? (currently one core - on a quad-coresystem that's the 25% limit you recommend)
* Setting the Tor process to use nice 19 should take care of the pingtimings you mention?
* Taking into account that some users connect to the clearnet usingsystem running Whonix, do these mitigations still hold up?
***

[0] https://www.whonix.org/wiki/KVM#First_time_user.3F


--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Practical deanonymization using CPU load covert channels
  - From: Spencer

References:
- Re: [tor-talk] Practical deanonymization using CPU load covert channels
  - From: bancfc

Prev by Author: Re: [tor-talk] Riffle: an efficient communication system with strong anonymity
Next by Author: Re: [tor-talk] Practical deanonymization using CPU load covert channels
Previous by thread: Re: [tor-talk] Practical deanonymization using CPU load covert channels
Next by thread: Re: [tor-talk] Practical deanonymization using CPU load covert channels
Index(es):
- Author
- Thread