Re: [tor-talk] Review request: TorVM implementation in Qubes OS

[adrelanos <adrelanos@xxxxxxxxxx>]

Abel Luck:
> adrelanos:
>> Hi,
>>
>> Is it Amnesic or can it be made Amnesic?
>>
>> Or in other words.... Can you be sure, that after deleting (or wiping)
>> the torified AppVM no activity can not be reconstructed with local disk
>> forensics? Could the torified AppVM be securely wiped without any
>> leftovers? (Leftovers such as swap, or what else?)
> 
> Regarding deletion of the VM: I was under the impression secure deletion
> was not possible on modern SSDs.
> 
> On the other hand, it should be possible to create an AppVM whose
> writeable diskspace lies in enitrely in RAM.  I'll investigate this.
> 
>>
>> Is Tor's data directory persistent, i.e. does it use Entry Guards?
>>
> I've not configured this explicitly, do you have any suggestions?

Tor Browser Bundle users are using persistent Entry Guards.

Final goal should be to share the same fingerprint with them (web
fingerprint, traffic fingerprint for local observer). If you manage to
use Tor Browser in the AppVM and Entry Guards in the TorVM, the
fingerprint should be the same. Except, that you added strong security
by isolation for the case of a browser exploit.

Whonix uses persistent Entry Guards and Tor Browser.

Persistent Entry Guards are planed for Tails.
https://tails.boum.org/todo/persistence_preset_-_tor/
https://tails.boum.org/todo/persistence_preset_-_bridges/

Tor Browser is planed for Tails.
https://tails.boum.org/todo/replace_iceweasel_with_Torbrowser/

Persistent Entry Guards are considered for Liberte Linux:
Please see recent thread "[tor-talk] Location-aware persistent guards".

So the answer is yes, I in most cases I recommend persistence for Entry
Guards and Tor's data dir. The same goes for Vidalia, since it can be
used to configure Tor and bridges.

Some further thoughts on persistent Entry Guards:
On the other hand, non-persistent Entry Guards are more amnesic. So if
you decide to add a amnesic feature, that should be also possible to do
with the TorVM.

There is also in the thread "[tor-talk] Location-aware persistent
guards" or in the linked ticket
https://trac.torproject.org/projects/tor/ticket/2653 are though, that
non-persistent Entry Guards are better suited for people who travel a
lot / Live CDs.

> Here's the tor config:
> 
> https://github.com/abeluck/qubes-addons/blob/master/qubes-tor/start_tor_proxy.sh
> 
>> Are hardware serials, such as BIOS DMI information, hdd serials etc.
>> hidden? (For a more comprehensive list of hardware serials and how to
>> test if them are visible, you could check Whonix less important
>> protected identifies as reference. [1])
>>
> I'm fairly certain this is the case, seeing as how these are all VMs
> (xen is the hypervisor), but I've not verifier the hunch so I can't make
> this claim
> 
> Hm, if you use the Qubes feature that lets you assign PCI (or USB)
> devices to a VM, then obviously, no.
> 
> Thanks for the link, I'll investigate some more.
> 
>> Cheers,
>> adrelanos
>>
>> [1]
>> https://sourceforge.net/p/whonix/wiki/Security/#less-important-identifies
>> _______________________________________________
>> tor-talk mailing list
>> tor-talk@xxxxxxxxxxxxxxxxxxxx
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>
> 
> _______________________________________________
> tor-talk mailing list
> tor-talk@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> 

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk