Date: Wed, 22 Apr 2015 13:49:42 -0700
From: Mike Perry <mikeperry@torproject.org>
To: tor-talk@lists.torproject.org
Message-ID: <20150422204942.GF20018@torproject.org>
References: <CAFN1edqPWLSm-Ru6ZcQwa741YPqXtDOQBZxBnYVmruRhN4NxuA@mail.gmail.com>
 <5537F142.7030002@sonsorol.org>
MIME-Version: 1.0
In-Reply-To: <5537F142.7030002@sonsorol.org>
Cc: tor-relays@lists.torproject.org
Subject: Re: [tor-talk] Quantum Insert detection for everyone

I'm being a jerk and cross-posting to tor-relays, because I want to make
sure that relay operators are aware of the differences in the Snort vs
HoneyBadger approach.

Chris Dagdigian:
>
> I run a US-based exit node and would be interested in a way to run
> this software without compromising the users exiting my node.
> Looking forward to your additional writeups - especially anything
> geared towards exit nodes and quantum insert detection.

I too look forward to David's writeup!

For what it's worth, I think HoneyBadger is likely to be safer for
exits, more comprehensive, more accurate, less noisy, and higher
performance than a Snort-based solution.

HoneyBadger is focused only on this particular attack and is written in
golang, whereas Snort has tons of rules for everything and is written in
C. This means that HoneyBadger will have a much smaller vulnerability
surface and should be much harder to directly exploit than Snort. Since
we're talking about detecting and capturing attacks from well funded
state/world-class adversaries here (wow, what a world), vulnerability
surface minimization and general memory safety are top priority.

Snort is also vulnerable to tailored attacks designed to flood its logs
and/or avoid detection. Snort is particularly susceptible to missing
stateful attacks designed to subvert its stateless rule-based approach to
detection. Several types of TCP injection attacks that rely on TCP
reassembly will likely fall into this category (type 4 in:
https://honeybadger.readthedocs.org/en/latest/#tcp-injection-attacks).

HoneyBadger also appears to have better logging options than the Snort
rules. David has been in contact with malware researchers who were quite
insistent that to properly analyze 0day, a single evilpacket is very
likely to be insufficient -- context is essential, especially if the
attacker wants to obfuscate the attack or otherwise avoid exploit
extraction.

Hence the need to provide optional full-take and rolling logging options
that make it easier to extract the full TCP stream of a tampered
connection, as well as related concurrent traffic (such as a stream from
a related HTTP redirect to an ephemeral URL). I've been talking with
David about ways to place these logs on a ramdisk or an ephemerally
encrypted partition, so that when detailed logs are needed, they can be
handled as safely as possible.

> >David Stainton <mailto:dstainton415@gmail.com>
> >April 22, 2015 at 2:41 PM
> >Greetings,
> >
> >Did you all see this Wired article about Quantum Insert detection?
> >
> >https://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-insert-hacks
> >
> >These TCP injection attacks are used by various entities around the
> >world (not just NSA!) to target individuals for surveillance or
> >perhaps to add their computers to a botnet for other purposes.
> >
> >If you do not use a VPN or Tor you can run "Quantum Insert" detection
> >on your computer and detect when you receive an attack attempt.
> >However be advised that proper sandboxing is important here because
> >intrusion detection and protocol analysis tools are notoriously
> >insecure and get pwned all the time.
> >
> >If you are a Tor exit relay operator you have the option of running
> >detection software; however, you should not publish the results
> >publicly without mixing in some noise or your published data might
> >make it possible for some adversaries to deanonymize Tor users. If
> >your country has strict telecommunications laws then it might only be
> >legal for you to perform this type of detection if you do not perform
> >logging.
> >
> >For the past several months... in my free time I've been slowly
> >developing a very comprehensive TCP injection attack detection tool
> >called HoneyBadger:
> >
> >https://github.com/david415/HoneyBadger
> >
> >Quantum Insert is an NSA codeword for "TCP injection attack", however
> >either of these terms is too vague. During my research I was able to
> >classify 4 different types of TCP injection attack. When I say that
> >HoneyBadger is comprehensive what I mean is that HoneyBadger can
> >detect ALL of these types of TCP injection attack types... I describe
> >them briefly here:
> >
> >https://honeybadger.readthedocs.org/en/latest/
> >
> >Here's the Fox-IT blog post about their Quantum Insert detection software:
> >http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/
> >
> >I am going to work on writing a much more comprehensive blog post; it
> >will be filled with gory technical details AND it will include
> >information on how to use HoneyBadger. HoneyBadger has optional (off
> >by default) full-take logging which could enable you to capture a
> >zero-day payload from a TCP attack; you should then responsibly
> >disclose to the software vendor or contact a malware analyst to help
> >out!
> >
> >
> >Sincerely,
> >
> >David Stainton

-- 
Mike Perry
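The point Mike makes above, that catching a reassembly-dependent TCP injection needs per-connection state rather than a stateless per-packet rule, is illustrated by the following added example. It is not HoneyBadger's code and not part of this thread: a minimal Go detector that remembers the payload bytes each flow has already delivered and raises an alert when a later segment covers an overlapping sequence range with different bytes (a genuine retransmission repeats the same bytes; an injected segment racing the real one does not). The Flow and Segment types, the Observe API and the sample flows in main are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
)

// Flow identifies one direction of a TCP connection (constructed key type).
type Flow struct {
	SrcIP, DstIP     string
	SrcPort, DstPort uint16
}

// Segment is the subset of a TCP segment the check needs.
type Segment struct {
	Flow    Flow
	Seq     uint32 // sequence number of the first payload byte
	Payload []byte
}

// Alert records an injection candidate: one sequence range was covered twice
// with different bytes, which a genuine retransmission never produces.
type Alert struct {
	Flow           Flow
	Seq            uint32 // first conflicting sequence number
	Seen, Conflict []byte
}

type stored struct {
	seq     uint32
	payload []byte
}

// Detector keeps a bounded per-flow history of payloads so each new segment
// can be compared with what the same flow already delivered. This per-flow
// state is exactly what a stateless per-packet signature cannot express.
type Detector struct {
	history map[Flow][]stored
	max     int
}

func NewDetector(maxPerFlow int) *Detector {
	return &Detector{history: make(map[Flow][]stored), max: maxPerFlow}
}

// seqBefore reports a < b in 32-bit TCP sequence space (wraparound-safe).
func seqBefore(a, b uint32) bool { return int32(a-b) < 0 }

// overlap returns the bytes both segments claim for the same sequence range
// and that range's first sequence number; ok is false when they do not overlap.
func overlap(s1, s2 stored) (start uint32, a, b []byte, ok bool) {
	start = s1.seq
	if seqBefore(start, s2.seq) {
		start = s2.seq
	}
	end := s1.seq + uint32(len(s1.payload))
	if end2 := s2.seq + uint32(len(s2.payload)); seqBefore(end2, end) {
		end = end2
	}
	if !seqBefore(start, end) {
		return 0, nil, nil, false
	}
	n := end - start
	return start, s1.payload[start-s1.seq : start-s1.seq+n],
		s2.payload[start-s2.seq : start-s2.seq+n], true
}

// Observe feeds one segment to the detector. It returns an Alert when the
// segment's bytes disagree with bytes already seen for an overlapping
// sequence range; identical retransmissions are accepted silently.
func (d *Detector) Observe(seg Segment) (Alert, bool) {
	if len(seg.Payload) == 0 {
		return Alert{}, false // pure ACKs carry nothing to compare
	}
	cur := stored{seq: seg.Seq, payload: seg.Payload}
	var alert Alert
	hit := false
	for _, prev := range d.history[seg.Flow] {
		if start, a, b, ok := overlap(prev, cur); ok && !bytes.Equal(a, b) {
			alert = Alert{Flow: seg.Flow, Seq: start, Seen: a, Conflict: b}
			hit = true
			break
		}
	}
	h := append(d.history[seg.Flow], cur) // keep the segment either way
	if len(h) > d.max {
		h = h[1:] // drop the oldest entry to bound memory per flow
	}
	d.history[seg.Flow] = h
	return alert, hit
}

func main() {
	d := NewDetector(64)
	// Constructed sample: a server reply, an identical retransmission of it,
	// then a segment reusing the same sequence number with different content.
	f := Flow{SrcIP: "198.51.100.10", DstIP: "203.0.113.5", SrcPort: 80, DstPort: 51000}
	segs := []Segment{
		{f, 1000, []byte("HTTP/1.1 200 OK\r\n")},
		{f, 1000, []byte("HTTP/1.1 200 OK\r\n")},    // identical retransmission: no alert
		{f, 1000, []byte("HTTP/1.1 302 Found\r\n")}, // same range, different bytes: alert
	}
	for _, s := range segs {
		if a, ok := d.Observe(s); ok {
			fmt.Printf("conflict at seq %d: %q vs %q\n", a.Seq, a.Seen, a.Conflict)
		}
	}
}
```

Two design points worth noting for anyone wiring this to live capture: the comparison is done on the overlapping byte range only, so partial overlaps and wrapped sequence numbers are handled rather than just exact duplicates, and the per-flow history is bounded so that a flood of traffic cannot grow memory without limit, which is the sort of resource-exhaustion tailoring Mike warns about for Snort. The example reports only the conflicting bytes; the full-take or rolling stream capture Mike and David discuss is a separate logging concern layered on top of a check like this.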
