peeling back the layers of tor with egotisticalgiraffe
DESCRIPTION
Selected extracts show how NSA uses a technique with codename EgotisticalGiraffe to attack Tor users through vulnerable software on their computers. The Guardian.
TRANSCRIPT
Overall Classification
(U) Overview
• (U) "The Onion Router"
• (U) Enables anonymous internet activity
  - General privacy
  - Non-attribution
  - Circumvention of nation state internet policies
• (U) Hundreds of thousands of users
  - Dissidents (Iran, China, etc)
  - (S//SI//REL) Other targets too!
(U) What is TOR?
[Diagram: Client browsing the web, with TOR client installed]
(U) What is TOR?
• (U) TOR Browser Bundle
  - Portable Firefox 10 ESR (tbb-firefox.exe)
  - Vidalia
  - Polipo
  - TorButton
  - TOR
• "Idiot-proof"
(S//SI//REL) The TOR Problem
(TS//SI//REL) Fingerprinting TOR
• (TS//SI//REL) TorButton cares about TOR users being indistinguishable from TOR users
• (TS//SI//REL) We only care about TOR users versus non-TOR users
• (TS//SI//REL) Thanks to TorButton, it's easy!
(S//SI//REL) The TOR Problem
• (TS//SI//REL) tbb-firefox is barebones
  - Flash is a no-no
  - NoScript addon pre-installed ... but not enabled by default!
  - TOR explicitly advises against using any addons or extensions other than TorButton and NoScript
• (TS//SI//REL) Need a native Firefox exploit
(TS//SI//REL) Exploiting TOR
• (TS//SI//REL) ERRONEOUSINGENUITY
  - Commonly known as ERIN
  - First native Firefox exploit in a long time
  - Only works against 13.0-16.0.2
• (TS//SI//REL) EGOTISTICALGOAT
  - Commonly known as EGGO
  - Configured for 11.0-16.0.2 ... but the vulnerability also exists in 10.0
(TS//SI//REL) Exploiting TOR
• (TS//SI//REL) Type confusion vulnerability in E4X
• (TS//SI//REL) Enables arbitrary read/write access to the process memory
• (TS//SI//REL) Remote code execution via the CTypes module
(U) EGOTISTICALGOAT
• (TS//SI//REL) Can't distinguish OS until on box
  - That's okay
• (TS//SI//REL) Can't distinguish Firefox version until on box
  - That's also okay
• (TS//SI//REL) Can't distinguish 64-bit from 32-bit until on box
  - I think you see where this is going
(TS//SI//REL) Exploiting TOR
(S//SI//REL) The TOR Problem
• (TS//SI//REL) Tests on Firefox 10 ESR worked
• (TS//SI//REL) Tests on tbb-firefox did not
  - Gained execution
  - Didn't receive FINKDIFFERENT
• (TS//SI//REL) Defeated by Prefilter Hash!
  - Requests EGGI: Hash(tor_exit_ip || session_id)
  - Requests FIDI: Hash(target_ip || session_id)
(TS//SI//REL) Callbacks from TOR
• (TS//SI//REL) Easy fix
  - Turn off prefilter hashing
  - FUNNELOUT
• (TS//SI//REL) OPSEC Concerns
  - Pre-play attacks
  - PSPs
  - Adversarial Actors
  - Targets worth it?
(TS//SI//REL) Callbacks from TOR
(S//SI//REL) The TOR Problem