Opened 4 years ago

Last modified 4 years ago

#17208 new defect

New reported disk leaks in Tor Browser

Reported by: arthuredelstein Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-disk-leak
Cc: gk Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

This document is interesting:

http://www.dfrws.org/2015eu/proceedings/DFRWS-EU-2015-short-presentation-1.pdf

We should investigate if these disk leaks can be fixed.

Child Tickets

TicketStatusOwnerSummaryComponent
#17367newtbb-teamSwap files can contain evidence of browsing historyApplications/Tor Browser

Change History (8)

comment:1 Changed 4 years ago by teor

We could randomise LastWritten in the state file, but unfortunately, on many OSs, the file metadata on disk would record access dates & times anyway. Also see #17188, if we do randomise this, we should randomly *subtract* some time from the times written in the file.

comment:2 in reply to:  1 ; Changed 4 years ago by arthuredelstein

Replying to teor:

We could randomise LastWritten in the state file, but unfortunately, on many OSs, the file metadata on disk would record access dates & times anyway.

Good point. So we would need to modify the file metadata as well. touch is an example of a program that can do this.

Also see #17188, if we do randomise this, we should randomly *subtract* some time from the times written in the file.

Unfortunately, in the case given in the presentation above, we would perhaps need to subtract hours or days to sufficiently protect the user. How much time could be subtracted before we lose the benefits of LastWritten?

Is there any alternative way for tor to detect clock changes without storing the last usage on disk?

comment:3 in reply to:  2 Changed 4 years ago by teor

Replying to arthuredelstein:

Replying to teor:

Also see #17188, if we do randomise this, we should randomly *subtract* some time from the times written in the file.

Unfortunately, in the case given in the presentation above, we would perhaps need to subtract hours or days to sufficiently protect the user. How much time could be subtracted before we lose the benefits of LastWritten?

Is there any alternative way for tor to detect clock changes without storing the last usage on disk?

Tor already detects clock changes by making a TLS connection to the authorities, and using the time they provide. #17188 is simply an additional warning that happens early during startup when we read the state file, rather than later when we make a connection.

If we have to lose it, or make it less reliable, that's ok.
(We might also want to consider removing LastWritten entirely.)

comment:4 Changed 4 years ago by teor

Hmm, if we are going to change file modification or creation dates, we have to do it for *all* files tor and Tor Browser create. Even then, system files and logs associated with Tor Browser will still leak usage times.

I'm not sure if there is a solution here, apart from VMs that are destroyed after use.

comment:5 Changed 4 years ago by gk

Cc: gk added

comment:6 Changed 4 years ago by cypherpunks

Severity: Normal

What is the status on the issues mentioned in: https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf

Been over 2 years since the analysis was done.

comment:7 in reply to:  6 Changed 4 years ago by teor

Replying to cypherpunks:

What is the status on the issues mentioned in: https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf

Been over 2 years since the analysis was done.

This ticket is about a different "leak" of the last used time in the state file.

Please see the tbb-disk-leaks tag at https://trac.torproject.org/projects/tor/query?keywords=~tbb-disk-leak

Many of the leaks in that report are recorded in tickets in the 8000s.

comment:8 Changed 4 years ago by arthuredelstein

I opened a child ticket to specifically look at swap files.

Note: See TracTickets for help on using tickets.