Filename: 171-separate-streams.txt Title: Separate streams across circuits by connection metadata Author: Robert Hogan, Jacob Appelbaum, Damon McCoy, Nick Mathewson Created: 21-Oct-2008 Modified: 7-Dec-2010 Status: Closed Implemented-In: 0.2.3.3-alpha Summary: We propose a new set of options to isolate unrelated streams from one another, putting them on separate circuits so that semantically unrelated traffic is not inadvertently made linkable. Motivation: Currently, Tor attaches regular streams (that is, ones not carrying rendezvous or directory traffic) to circuits based only on whether Tor circuit's current exit node supports the destination, and whether the circuit has been dirty (that is, in use) for too long. This means that traffic that would otherwise be unrelated sometimes gets sent over the same circuit, allowing the exit node to link such streams with certainty, and allowing other parties to link such streams probabilistically. Older versions of onion routing tried to address this problem by sending every stream over a separate circuit; performance issues made this unfeasible. Moreover, in the presence of a localized adversary, separating streams by circuits increases the odds that, for any given linked set of streams, at least one will go over a compromised circuit. Therefore we ought to look for ways to allow streams that ought to be linked to travel over a single circuit, while keeping streams that ought not be linked isolated to separate circuits. Discussion: Let's call a series of inherently-linked streams (like a set of streams downloading objects from the same webpage, or a browsing session where the user requests several related webpages) a "Session". "Sessions" are a necessarily a fuzzy concept. While users typically consider some activities as wholly unrelated to each other ("My IM session has nothing to do with my web browsing!"), the boundaries between activities are sometimes hard to determine. If I'm reading lolcats in one browser tab and reading about treatments for an embarrassing disease in another, those are probably separate sessions. If I search for a forum, log in, read it for a while, and post a few messages on unrelated topics, that's probably all the same session. So with the proviso that no automated process can identify sessions 100% accurately, let's see which options we have available. Generally, all the streams on a session come from a single application. Unfortunately, isolating streams by application automatically isn't feasible, given the lack of any nice cross-platform way to tell which local process originated a given connection. (Yes, lsof works. But a quick review of the lsof code should be sufficient to scare you away from thinking there is a portable option, much less a portable O(1) option.) So instead, we'll have to use some other aspect of a Tor request as a proxy for the application. Generally, traffic from separate applications is not in the same session. With some applications (IRC, for example), each stream is a session. Some applications (most notably web browsing) can't be meaningfully split into sessions without inspecting the traffic itself and maintaining a lot of state. How well do ports correspond to sessions? Early versions of this proposal focused on using destination ports as a proxy for application, since a connection to port 22 for SSH is probably not in the same session as one to port 80. This only works with some applications better than others, though: while SSH users typically know when they're on port 22 and when they aren't, a web browser can be coaxed (though img urls or any number of releated tricks) into connecting to any port at all. Moreover, when Tor gets a DNS lookup request, it doesn't know in advance which port the resulting address will be used to connect to. So in summary, each kind of traffic wants to follow different rules, and assuming the existence of a web browser and a hostile web page or exit node, we can't tell one kind of traffic from another by simply looking at the destination:port of the traffic. Fortunately, we're not doomed. Design: When a stream arrives at Tor, we have the following data to examine: 1) The destination address 2) The destination port (unless this a DNS lookup) 3) The protocol used by the application to send the stream to Tor: SOCKS4, SOCKS4A, SOCKS5, or whatever local "transparent proxy" mechanism the kernel gives us. 4) The port used by the application to send the stream to Tor -- that is, the SOCKSListenAddress or TransListenAddress that the application used, if we have more than one. 5) The SOCKS username and password, if any. 6) The source address and port for the application. We propose to use 3, 4, and 5 as a backchannel for applications to tell Tor about different sessions. Rather than running only one SOCKSPort, a Tor user who would prefer better session isolation should run multiple SOCKSPorts/TransPorts, and configure different applications to use separate ports. Applications that support SOCKS authentication can further be separated on a single port by their choice of username/password. Streams sent to separate ports or using different authentication information should never be sent over the same circuit. We allow each port to have its own settings for isolation based on destination port, destination address, or both. Handling DNS can be a challenge. We can get hostnames by one of three means: A) A SOCKS4a request, or a SOCKS5 request with a hostname. This case is handled trivially using the rules above. B) A RESOLVE request on a SOCKSPort. This case is handled using the rules above, except that port isolation can't work to isolate RESOLVE requests into a proper session, since we don't know which port will eventually be used when we connect to the returned address. C) A request on a DNSPort. We have no way of knowing which address/port will be used to connect to the requested address. When B or C is required but problematic, we could favor the use of AutomapHostsOnResolve. Interface: We propose that {SOCKS,Natd,Trans,DNS}ListenAddr be deprecated in favor of an expanded {SOCKS,Natd,Trans,DNS}Port syntax: ClientPortLine = OptionName SP (Addr ":")? Port (SP Options?) OptionName = "SOCKSPort" / "NatdPort" / "TransPort" / "DNSPort" Addr = An IPv4 address / an IPv6 address surrounded by brackets. If optional, we default to 127.0.0.1 Port = An integer from 1 through 65535 inclusive Options = Option Options = Options SP Option Option = IsolateOption / GroupOption GroupOption = "SessionGroup=" UINT IsolateOption = OptNo ("IsolateDestPort" / "IsolateDestAddr" / "IsolateSOCKSUser"/ "IsolateClientProtocol" / "IsolateClientAddr") OptPlural OptNo = "No" ? OptPlural = "s" ? SP = " " UINT = An unsigned integer All options are case-insensitive. The "IsolateSOCKSUser" and "IsolateClientAddr" options are on by default; "NoIsolateSOCKSUser" and "NoIsolateClientAddr" respectively turn them off. The IsolateDestPort and IsolateDestAddr and IsolateClientProtocol options are off by default. NoIsolateDestPort and NoIsolateDestAddr and NoIsolateClientProtocol have no effect. Given a set of ClientPortLines, streams must NOT be placed on the same circuit if ANY of the following hold: * They were sent to two different client ports, unless the two client ports both specify a "SessionGroup" option with the same integer value. * At least one was sent to a client port with the IsolateDestPort active, and they have different destination ports. * At least one was sent to a client port with IsolateDestAddr active, and they have different destination addresses. * At least one was sent to a client port with IsolateClientProtocol active, and they use different protocols (where SOCKS4, SOCKS4a, SOCKS5, TransPort, NatdPort, and DNS are the protocols in question) * At least one was sent to a client port with IsolateSOCKSUser active, and they have different SOCKS username/password values configurations. (For the purposes of this option, the username/password pair of ""/"" is distinct from SOCKS without authentication, and both are distinct from any non-SOCKS client's non-authentication.) * At least one was sent to a client port with IsolateClientAddr active, and they came from different client addresses. (For the purpose of this option, any local interface counts as the same address. So if the host is configured with addresses 10.0.0.1, 192.0.32.10, and 127.0.0.1, then traffic from those addresses can leave on the same circuit, but traffic to from 10.0.0.2 (for example) could not share a circuit with any of them.) These rules apply regardless of whether the streams are active at the same time. In other words, if the rules say that streams A and B must not be on the same circuit, and stream A is attached to circuit X, then stream B must never be attached to stream X, even if stream A is closed first. Alternative Interface: We're cramming a lot onto one line in the design above. Perhaps instead it would be a better idea to have grouped lines of the form: StreamGroup 1 SOCKSPort 9050 TransPort 9051 IsolateDestPort 1 IsolateClientProtocol 0 EndStreamGroup StreamGroup 2 SOCKSPort 9052 DNSPort 9053 IsolateDestAddr 1 EndStreamGroup This would be equivalent to: SOCKSPort 9050 SessionGroup=1 IsolateDestPort NoIsolateClientProtocol TransPort 9051 SessionGroup=1 IsolateDestPort NoIsolateClientProtocol SOCKSPort 9052 SessionGroup=2 IsolateDestAddr DNSPort 9053 SessionGroup=2 IsolateDestAddr But it would let us extend range of allowed options later without having client port lines group without bound. For example, we might give different circuit building parameters to different session groups. Example of use: Suppose that we want to use a web browser, an IRC client, and a SSH client all at the same time. Let's assume that we want web traffic to be isolated from all other traffic, even if the browser makes connections to ports usually used for IRC or SSH. Let's also assume that IRC and SSH are both used for relatively long-lived connections, and we want to keep all IRC/SSH sessions separate from one another. In this case, we could say: SOCKSPort 9050 SOCKSPort 9051 IsolateDestAddr IsolateDestPort We would then configure our browser to use 9050 and our IRC/SSH clients to use 9051. Advanced example of use, #2: Suppose that we have a bunch of applications, and we launch them all using torsocks, and we want to keep each applications isolated from one another. We just create a shell script, "torlaunch": #!/bin/bash export TORSOCKS_USERNAME="$1" exec torsocks $@ And we configure our SOCKSPort with IsolateSOCKSUser. Or if we're on Linux and we want to isolate by application invocation, we would change the TORSOCKS_USERNAME line to: export TORSOCKS_USERNAME="`cat /proc/sys/kernel/random/uuid`" Advanced example of use, #2: Now suppose that we want to achieve the benefits of the first example of use, but we are stuck using transparent proxies. Let's suppose this is Linux. TransPort 9090 TransPort 9091 IsolateDestAddr IsolateDestPort DNSPort 5353 AutomapHostsOnResolve 1 Here we use the iptables --cmd-owner filter to distinguish which command is originating the packets, directing traffic from our irc client and our SSH client to port 9091, and directing other traffic to 9090. Using AutomapHostsOnResolve will confuse ssh in its default configuration; we'll need to find a way around that. Security Risks: Disabling IsolateClientAddr is a pretty bad idea. Setting up a set of applications to use this system effectively is a big problem. It's likely that lots of people who try to do this will mess it up. We should try to see which setups are sensible, and see if we can provide good feedback to explain which streams are isolated how. Performance Risks: This proposal will result in clients building many more circuits than they do today. To avoid accidentally hammering the network, we should have in-process limits on the maximum circuit creation rate and the total maximum client circuits. Specification: The Tor client circuit selection process is not entirely specified. Any client circuit specification must take these changes into account. Implementation notes: The more obvious ways to implement the "find a good circuit to attach to" part of this proposal involve doing an O(n_circuits) operation every time we have a stream to attach. We already do such an operation, so it's not as if we need to hunt for fancy ways to make it O(1). What will be harder is implementing the "launch circuits as needed" part of the proposal. Still, it should come down to "a simple matter of programming." The SOCKS4 spec has the client provide authentication info when it connects; accepting such info is no problem. But the SOCKS5 spec has the client send a list of known auth methods, then has the server send back the authentication method it chooses. We'll need to update the SOCKS5 implementation so it can accept user/password authentication if it's offered. If we use the second syntax for describing these options, we'll want to add a new "section-based" entry type for the configuration parser. Not a huge deal; we already have kludged up something similar for hidden service configurations. Opening circuits for predicted ports has the potential to get a little more complicated; we can probably get away with the existing algorithm, though, to see where its weak points are and look for better ones. Perhaps we can get our next-gen HTTP proxy to communicate browser tab or session into to tor via authentication, or have torbutton do it directly. More design is needed here, though. Alternative designs: The implementation of this option may want to consider cases where the same exit node is shared by two or more circuits and IsolateStreamsByPort is in force. Since one possible use of the option is to reduce the opportunity of Exit Nodes to attack traffic from the same source on multiple ports, the implementation may need to ensure that circuits reserved for the exclusive use of given ports do not share the same exit node. On the other hand, if our goal is only that streams should be unlinkable, deliberately shunting them to different exit nodes is unnecessary and slightly counterproductive. Earlier versions of this design included a mechanism to isolate _particular_ destination ports and addresses, so that traffic sent to, say, port 22 would never share a port with any traffic *not* sent to port 22. You can achieve this here by having all applications that send traffic to one of these ports use a separate SOCKSPort, and then setting IsolateDestPorts on that SOCKSPort. Future work: Nikita Borisov suggests that different session profiles -- so long as there aren't too many of them -- could well get different guard node allocations in order to prevent guard profiling. This can be done orthogonally to the rest of this proposal. Lingering questions: I suspect there are issues remaining with DNS and TransPort users, and that my "just use AutomapHostsOnResolve" suggestion may be insufficient.