An alternative approach would be to use setproctitle() (https://pypi.python.org/pypi/setproctitle). The original C routine is a non-portable BSDism, but the Python wrapper claims to know how to correctly change this on most common systems.
setproctitle says that it simply wraps PostgreSQL's code: http://doxygen.postgresql.org/ps__status_8c_source.html The module's footprint seems to be rather small so it might not hurt to include it in obfsproxy/TBB. A less complex alternative would be to add a new command line switch to obfsproxy which allows specifying a password file.
Edit: If we use setproctitle, there might be a small time window right after process invocation and before setproctitle becomes active in which an adversary might be able to get the password.
Maybe I'm missing something but did you try the _set_argv() helper I mentioned in Stem? That might provide you a simple, pure python method of doing this without taking on a compiled dependency.
Here's a draft patch implementing a --password-file argument for the scramblesuit transport. This is only scramblesuit-specific though. I think it works but perhaps I have missed something.
Trac: Username: irregulator Cc: phw to phw, irregulator
Maybe I'm missing something but did you try the _set_argv() helper I mentioned in Stem? That might provide you a simple, pure python method of doing this without taking on a compiled dependency.
Isn't that method susceptible to a timing attack too?
Here's a draft patch implementing a --password-file argument for the scramblesuit transport. This is only scramblesuit-specific though. I think it works but perhaps I have missed something.
Looks OK but the --password and the --password-file argument should be mutually exclusive and required. You could use subparser.add_mutually_exclusive_group(required=True) for that.
Looks OK but the --password and the --password-file argument should be mutually exclusive and required. You could use subparser.add_mutually_exclusive_group(required=True) for that.
Thanks for pointing this out. I uploaded a new version of the patch.
Isn't that method susceptible to a timing attack too?
This threw me off for a second. It's not a timing attack (or at least not by the definition I know, and Wikipedia uses), but you're right that it would indeed still be vulnerable for a window. And agreed that either a password file or getpass prompt would be better options.
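The option layout suggested in this thread (a required, mutually exclusive --password / --password-file pair, so the secret can stay out of argv and the process list), as an added example that is not the attached patch or obfsproxy's own code. The program name, the help strings, the POSIX permission check and the one-line file format are assumptions.

```python
import argparse
import os
import stat


def build_parser():
    # "obfsproxy-example" is a hypothetical program name for this sketch.
    parser = argparse.ArgumentParser(prog="obfsproxy-example")
    subparsers = parser.add_subparsers(dest="transport")
    sub = subparsers.add_parser("scramblesuit")
    # Exactly one of the two options must be given.
    group = sub.add_mutually_exclusive_group(required=True)
    group.add_argument("--password",
                       help="shared secret (visible to other users via ps)")
    group.add_argument("--password-file",
                       help="file whose first line is the shared secret")
    return parser


def load_password(args):
    """Return the secret from --password or from the file in --password-file."""
    if args.password is not None:
        return args.password
    with open(args.password_file) as fh:
        # fstat the open handle so the check and the read use the same file.
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("password file is not a regular file")
        # Assumption: refuse files that group or others can access (POSIX).
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise ValueError("password file is accessible by group or others")
        password = fh.readline().rstrip("\r\n")
    if not password:
        raise ValueError("password file is empty")
    return password


if __name__ == "__main__":
    import tempfile
    fd, path = tempfile.mkstemp()          # mkstemp creates the file as 0600
    os.write(fd, b"constructed-secret\n")  # constructed sample value
    os.close(fd)
    args = build_parser().parse_args(["scramblesuit", "--password-file", path])
    print("loaded %d characters" % len(load_password(args)))
    os.remove(path)
```

With this layout only the file path appears in the command line, so there is no window like the one discussed above for rewriting argv after startup.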