Saturday, November 5, 2011

Let us stop with the buzz on TOR

Hi to all

Since a few weeks a huge buzz has arised around the TOR security and especially regarding the attack we have designed and experimented. I decided not to react, not to feed the buzz since I do not like it and if controversy may sometimes be constructive, in the present case, things have gone too far: stupid comments on comments from others (on which basis since we have published only a very few things yet?), personal attacks close sometimes to libelling, huge emotions, doubts and fear that may be understood however, collective hysteria...

However, going on sticking away would in some sense backing this buzz. It is time to remind that the only possible goal is to have more security, to determine whether really our attack can put seriously TOR security into question and go ahead to try to find solutions to improve. Security is a too serious thing to be only a playground for buzz. Even if -- especially as a former military cryptanalyst -- I do not fully agree on a few conceptual choices in TOR, there must be no doubt for anyone about our will to contribute to the TOR security and this from the very beginning. We must not forget that a few people who use TOR are putting sometimes their life into danger (political opponents, militaries...) for a more democratic and free society. In this respect, we cannot waste a precious time. Up to me, the issue is very clear: there is absolutely no doubt that we need a solution like TOR even this solution is far from being perfect. But is there such a thing as a perfect solution, especially if you add political and national security issues?

When I decided to work on TOR -- by mid of 2010 -- I was just interested in the crypto part, looking for some application of the concept of dynamic cryptographic trapdoor that I had imagined a few years ago. So far I could test it only in non public yet real networks. Hence it was not possible to publish anything on those results. So at the beginning, I had nothing against TOR and I still don't.

When it was clear that TOR could also succumbed to this concept, I imagined the attack under the present light of media. If I have a rather good knowledge of network technology, it was not sufficient and I needed to have more skilled guys, especially to find ways to force 3-node routes through compromised nodes with a very high probability. Two of my best students of our N&IS Specialised master, Seun from Nigeria and Leonard from Tanzania -- two really excellent students -- have joined the party on April 2011. They have worked very hard, have done an excellent job both at the academic level and at the operational/technical level. I can say that as a tutor, I am really proud of their work. Of course, for anyone who knows how research works, you never totally start from scratch and Seun and Leonard's first tasks were to establish a bibliography on the existing network approaches used by previous researchers: Murdoch, Evans, Danezis, Pappas, Bendiken... who all have been mentioned in the slides. Then they have developped their own tools/approaches to fit my operational intent. Just as it is required in any research work. And other people doing hacking or research are doing the same.

We have just done research, serious, good and operational research up to me. We have tested our attack in conditions close to the reality. People will make their own ideas. I decided at that time not to make buzz, just to present this work in hacking conferences. Unfortunately my employer -- an academic institution -- has required from me to present my attack to French journalists. I have accepted since an employer is always right...or you have to resign. But at the very end, I did not really mind: who cares about news published in French in the world? Then things went wrong and the hype created by others has gone too far. The TOR foundation contacted me in a form that was probably not very fair -- to my perception at last -- and myself I have to make a throrough criticism of myself when facing the resulting buzz. After 22 years in the Army (in the French Marine Corps Infantry), I suppose that I have kept a not very flexible and accomodating mind. Sorry for that. We have decided that it was necessary to restore the contact with the TOR foundation and its president Roger Dingledine to go beyond our differences in opinions, views and interpretations and go ahead towards more security in TOR in a more constructive way. Any other end would have been totally irresponsible from Seun and me.

Our attack works not because the TOR source code has flaws. Once again, it is well-written and in a secure way. It is more related to conceptual issues. We have just analyzed the TOR network at a higher level, by considering it as a critical infrastructure and using a large, multi-level and coordinated attacks. Up to me according to personal information, which are confirmed partly on the TOR website, I am convinced that China (especially in 2009 and late 2010) has already tried similar attacks and has been, at least partly successful. Of course we cannot accept that.

The main problem comes from the fact that
  1. the TOR network relies on volunteers which most of the time do not secure their computers. That is dramatic. Just imagine the security nightmare in a big company where every user would be free to choose the operationg system, the way to configure it... We will not publish all what we have detected. But be sure that we have seen horrible things as far as security is concerned. In this respect, we think that an overall computer security policy should be enforced and any OR not complying with it should be banned from the network.
  2. TCP is a nightmare as well and this is the main issue. I am not a network expert but I have the feeling that it will difficult to built more security at that level. We have managed to return a few of the TOR protections against DDoS against TOR itself when considering local, surgical strikes.
But to be honest, being able to force 3-node circuits can be exploited only if there exists a significant part of ORs that have been compromised. So back to the first point.

Up to me there is some hope and technical improvements should be possible. Among many possible ideas. we propose:
  • as an emergency measure, to ban weak ORs that are not secure enough. This requires to make fingerprinting and active auditing what we did actually but only partly for legal reasons.
  • to add steganography techniques in TOR. Remember that using cryptography focuses attention and hence attacks. Why not a steganographic version of TOR?
  • to limit not so say prevent the installation of dynamic cryptographic backdoors (memory protection by hardware-based virtualization for instance, malicious cryptography techniques to prevent memory tampering, process protection techniques [we have developped a few in our lab]...).
Seun intends to dedicate his PhD thesis to the enhancement of the TOR security with innovative propositions. He is just waiting for a PhD grant. We are ready to contribute and to be involved anyway.

We have sent all source code and slides to the TOR foundation in order to help it to design and release a potentially more secure version of TOR. Recent exchanges with Roger seem to show that somehow our work is considered as significant and was not greatly exaggerated. That is sufficient to us. I let him confirm or not. We will release the source code and data as scheduled on November 10th (right after PacSec 2011) unless the TOR foundation recommends to wait a little bit more. As researchers and hackers we just need our contribution to be recognized. If it has helped finally to take part to the enhancement of overall TOR security, well we will proud of that.

Special thanks to Dragos, Rodrigo and Filipe.

Eric Filiol & Oluwaseun REMI-OMOSOWON