Opened 7 years ago

Closed 5 years ago

#8040 closed enhancement (fixed)

hiding command line arguments

Reported by: roytam1
Owned by: asn
Priority: Low
Component: Archived/Obfsproxy
Keywords: scramblesuit, shared secret, easy
Cc: phw, irregulator

Description

There are sensitive command line arguments, for example obfs2's "--shared-secret", that should not be shown in ps(1).

Attachments (1)

0001-Add-password-file-for-scramblesuit-UniformDH-passwor.patch (2.2 KB) - added by irregulator 5 years ago.

Change History (14)

comment:1 Changed 5 years ago by asn

Priority: normal → minor
Version: Obfsproxy: 0.1.4

comment:2 Changed 5 years ago by asn

withpass is an awkward way of solving this problem btw:
http://census-labs.com/research/sw/withpass

comment:3 Changed 5 years ago by yawning

An alternative approach would be to use setproctitle() (https://pypi.python.org/pypi/setproctitle). The original C routine is a non-portable BSDism, but the Python wrapper claims to know how to correctly change this on most common systems.

comment:4 Changed 5 years ago by atagar

On a side note, Stem offers this functionality...

https://stem.torproject.org/api/util/system.html#stem.util.system.set_process_name

/me makes a note to take a peek at how setproctitle did it...

comment:5 Changed 5 years ago by phw

Keywords: scramblesuit shared secret easy added

Note that the same applies to ScrambleSuit and there's interest in having this fixed: https://lists.torproject.org/pipermail/tor-dev/2014-May/006889.html

setproctitle says that it simply wraps PostgreSQL's code: http://doxygen.postgresql.org/ps__status_8c_source.html The module's footprint seems to be rather small so it might not hurt to include it in obfsproxy/TBB. A less complex alternative would be to add a new command line switch to obfsproxy which allows specifying a password file.

edit: If we use setproctitle, there might be a small time window right after process invocation and before setproctitle becoming active in which an adversary might be able to get the password.

comment:6 Changed 5 years ago by phw

Cc: phw added

comment:7 Changed 5 years ago by atagar

Maybe I'm missing something but did you try the _set_argv() helper I mentioned in Stem? That might provide you a simple, pure python method of doing this without taking on a compiled dependency.

comment:8 Changed 5 years ago by irregulator

Cc: irregulator added

Here's a draft patch implementing the --password-file argument for the scramblesuit transport. This is only scramblesuit specific though. I think it works but perhaps I have missed something.

comment:9 in reply to:  7 Changed 5 years ago by phw

Replying to atagar:

Maybe I'm missing something but did you try the _set_argv() helper I mentioned in Stem? That might provide you a simple, pure python method of doing this without taking on a compiled dependency.

Isn't that method susceptible to a timing attack too?

comment:10 in reply to: 8 Changed 5 years ago by phw

Replying to irregulator:

Here's a draft patch implementing the --password-file argument for the scramblesuit transport. This is only scramblesuit specific though. I think it works but perhaps I have missed something.

Looks OK but the --password and the --password-file argument should be mutually exclusive and required. You could use subparser.add_mutually_exclusive_group(required=True) for that.

comment:11 in reply to:  10 Changed 5 years ago by irregulator

Replying to phw:

Looks OK but the --password and the --password-file argument should be mutually exclusive and required. You could use subparser.add_mutually_exclusive_group(required=True) for that.

Thanks for pointing this out. I uploaded a new version of the patch.

comment:12 Changed 5 years ago by atagar

Isn't that method susceptible to a timing attack too?

This threw me off for a second. It's not a timing attack (or at least not by the definition I know, and Wikipedia uses), but you're right that it would indeed still be vulnerable for a window. And agreed that either a password file or getpass prompt would be better options.

comment:13 Changed 5 years ago by asn

Resolution: fixed
Status: new → closed

Merged and pushed.

Thanks!
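
The approach the thread settled on, as an added example that is not the attached patch or obfsproxy's own code: `--password` and `--password-file` sit in a required, mutually exclusive argparse group, and the file variant keeps the secret out of ps(1) from the moment the process starts. The parser name, the function names and the file-permission check are assumptions of this example.

```python
import argparse
import os
import stat


def build_parser():
    # "transport-demo" is a hypothetical program name for this example.
    parser = argparse.ArgumentParser(prog="transport-demo")
    # Exactly one of the two options must be given (required=True).
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument("--password",
                       help="secret on argv; visible to local users in ps(1)")
    group.add_argument("--password-file",
                       help="path to a file holding the secret")
    return parser


def read_password_file(path):
    """Return the secret stored in path.

    Assumption of this example: a file readable by group or other is
    rejected, since it would expose the secret to the same local users
    that the argv change is meant to keep out.
    """
    with open(path, "r") as fh:
        st = os.fstat(fh.fileno())  # check the file we actually opened
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("%s is not a regular file" % path)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise ValueError("%s is accessible by group/other" % path)
        secret = fh.read().strip()
    if not secret:
        raise ValueError("%s contains no password" % path)
    return secret


def resolve_password(argv):
    """Parse argv and return the secret from whichever option was used."""
    args = build_parser().parse_args(argv)
    if args.password_file is not None:
        return read_password_file(args.password_file)
    return args.password


if __name__ == "__main__":
    import tempfile
    # Constructed sample secret; NamedTemporaryFile creates the file 0600.
    with tempfile.NamedTemporaryFile("w", suffix=".pw") as tmp:
        tmp.write("CONSTRUCTED-SECRET\n")
        tmp.flush()
        print(len(resolve_password(["--password-file", tmp.name])))
```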
