2017 Was a Big Year for Tor

Yes, I am aware that for over a week the Debian patches have been available which (we hope) prevent basic Meltdown attacks (and possibly some Spectre attacks), but they have *not* been available from the onion repos, at least not when I try to fetch them.

I hope other Tor users will find the following useful:

[Third attempt to post!!!]

It seems that two broad new classes of general purpose attacks, having the general nature of side-channel attacks, which potentially leak memory and destroy the isolation between kernel space and user space, called Spectre and Meltdown respectively, both based on exploiting the "speculative processing" built into almost any modern CPU, will endanger every computer user in the world, now and for decades to come. Vulnerable devices include servers, desktop PCs, laptops, smart phones, routers, and pretty much anything with a [modern] CPU made during the last few decades. Some IOT CPUs may not incorporate the "speculative execution" which is the basis for the Meltdown/Spectre attacks.

According to my understanding, Meltdown attacks in particular may have dire immediate implications for the Tor network, and I hope Tor Project will have some official comment.

Here are some links to some of the best articles I have found on Meltdown/Spectre and my own precis of the situation:

Two useful FAQs:

https://www.pcworld.com/article/3245606/security/intel-x86-cpu-kernel-b…
Meltdown and Spectre FAQ: Fix for Intel CPU flaws could slow down PCs and Macs

https://www.theguardian.com/technology/2018/jan/04/meltdown-spectre-com…
Spectre and Meltdown processor security flaws – explained

Overview for non-technical users:

https://www.nytimes.com/2018/01/03/business/computer-flaws.html
Researchers Discover Two Major Flaws in the World’s Computers
Cade Metz and Nicole Perlroth

When and how the flaws were found:

https://www.wired.com/story/meltdown-spectre-bug-collision-intel-chip-f…
Triple Meltdown: How So Many Researchers Found a 20-Year-Old Chip Flaw At the Same Time
The vulnerabilities behind the devastating Meltdown and Spectre attacks have existed for decades. Four groups of researchers independently found them within mere months of each other.
Andy Greenberg
7 Jan 2018

Implications for USG and other governments pushing government agencies toward cloud computing:

thehill.com
Critical computer flaws set up security challenge in Washington
Morgan Chalfant and Ali Breland

Sketchy explanations of some relevant technical details:

https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-f…
A Critical Intel Flaw Breaks Basic Security for Most Computers
Joan Cros

arstechnica.com
“Meltdown” and “Spectre”: Every modern processor has unfixable security flaws
Immediate concern is for Intel chips, but everyone is at risk.
Peter Bright

My takeaway (please correct me if I got anything wrong!):

o Debian has patched its version of Linux kernel to prevent (we hope) basic Meltdown attacks, and last year introduced changes which may hinder some Spectre attacks, and Tails 3.4 (just released) incorporates these critical security patches,

o Firmware updates and other OS patches may also help prevent basic Meltdown attacks,

o Meltdown attacks pose a more urgent threat than Spectre attacks in the short term and appear to affect any device using any Intel CPU made in recent decades, but Spectre attacks may prove more dangerous in the months, years, and decades to come,

o Meltdown attacks can potentially enable a remote attacker abusing a javascript exploit (for example) to destroy the isolation of kernel memory on a running computer (using Tor Browser say), and possibly run malicious code,

o Meltdown attacks can nullify the benefits of kernel memory address randomization,

o OS patches and firmware updates which mitigate the dangers from currently known Meltdown attacks could significantly degrade performance of processes which must often switch between kernel space and user space memory, such as cryptography and network operations (both absolutely essential to Tor); ordinary non-Tor browsing may see less of a performance impact from Meltdown mitigations,

o Spectre attacks are even more general and affect essentially any server, laptop, PC, smart phone, and even some IoT devices (not sure about Raspberry Pi), and amount to general purpose memory leaks which potentially allow user processes to obtain security critical information from other processes, including processes running with root privileges, including information such as cryptographic keys which must be stored somewhere in the RAM of a running computer,

o Spectre attacks appear to be harder to develop but no-one can yet conceive any OS patches or firmware updates which will surely prevent these; the only real fix is a complete redesign of modern processors; it appears possible to hope that in coming months and years patches for individual applications may lessen the danger from particular Spectre attacks, but it will be years or decades before most users are truly immune,

o To mitigate Spectre attacks a tricky case by case analysis of every item of user software will be needed; developers will need to find just the right place to insert tricky commands intended to make it more difficult to mount a Spectre attack,

o Meltdown and Spectre attacks are particularly dangerous because they appear to share a key advantage for attackers of successful cryptanalysis of a "high security" "trusted" cryptosystem: traditional forensic analysis will find no trace of successful Meltdown or Spectre attacks,

o Meltdown is perfectly suited for sophisticated attackers who may wish to illicitly and undetectably steal information from (for example) CIA containers in the Amazon cloud, but while Amazon claims to have already patched almost all of its cloud servers, performance hits of up to 30% will cost them, and in order to mitigate against Spectre, Amazon will need to replace its entire server inventory, once immunized CPUs become available--- which could be years in the future,

o It is difficult to find any positive aspect in any of this, but some researchers hope that ultimately these developments may force hardware engineers to take security more seriously in early design work, and ultimately moving to cloud computing could be helpful if chip makers can respond quickly enough by rolling out immunized designs, provided that cloud providers actually replace flawed hardware (which would apparently require replacing all their servers once new designs become available),

o Looking a decade or more into the future, perhaps quantum computing may eventually be able to detect illicit reads of quantum cryptographic keys, or even to prevent these attacks?

A few notable quotes from the above cited articles:

o [The Hill] Still, research shows that exploiting the vulnerabilities themselves leave virtually no clues, which Ackerman called “haunting.” “There would be nothing or little to nothing for me to say this bad guy took data,” said Ackerman, a former FBI forensics examiner who worked on cybercrime cases.

o [NYT] the Meltdown flaw affects virtually every microprocessor made by Intel, which makes chips used in more than 90 percent of the computer servers that underpin the internet and private business operations.

o [Wired] Ben Gras, a security researcher with Vrije Universiteit Amsterdam who specializes in chip-level hardware security, says that the attacks represent a deep and serious security breach. "With these glitches, if there's any way an attacker can execute code on a machine, it can’t be contained anymore," he says. (Gras was clear that he hadn't participated in any research that unearthed or reproduced the vulnerability, but he has watched the revelations of Intel's vulnerability unfold in the security community.) "For any process that’s untrusted and isolated, that safety is gone now," Gras adds. "Every process can spy on every other process and access secrets in the operating system kernel."

o [Wired] [Meltdown attacks] allow malicious code to not only locate the kernel in memory [defeating Kernel Address Space Layout Randomization], but steal that memory's contents, too. "Out of the two things that were speculated, this is the worst outcome," Bosman says.

o [Arstechnica] For systems with Intel chips, the impact [of Meltdown attacks] is quite severe, as potentially any kernel memory can be read by user programs.

o [The Guardian] Meltdown is “probably one of the worst CPU bugs ever found” according to Daniel Gruss, one of the researchers at Graz University of Technology who discovered the flaw. It is very serious in the short term and needs immediate attention. The problem with Meltdown is that anything that runs as an application could in theory steal your data, including simple things such as javascript from a web page viewed in a browser.

o [The Guardian] Due to the separation of the application and kernel memory required by the various operating systems to prevent the [Meltdown] flaw being used to access protected data... tasks that constantly require the kernel do to things, such as writing files to disk or sending data over a network, could be significantly slower due to the increased time it will take for the processor to switch between the application memory and the kernel memory... browsing and general computing activities are unlikely to be affected, but those that involve lots of writing files may become slower.

o [PC World] There may be no hardware solution to Spectre, which “tricks other applications into accessing arbitrary locations in their memory.” Software needs to be hardened to guard against it.

o [Arstechnica] Spectre attacks can be used both to leak information from the kernel to user programs, but also from virtualization hypervisors to guest systems. Sensitive pieces of code could be amended to include "serializing instructions"—instructions that force the processor to wait for all outstanding memory reads and writes to finish (and hence prevent any speculation based on those reads and writes)—that prevent most kinds of speculation from occurring. ARM has introduced just such an instruction in response to Spectre, and x86 processors from Intel and AMD already have several. But these instructions would have to be very carefully placed, with no easy way of identifying the correct placement.

o [Arstechnica] The most vulnerable users are probably cloud service providers; Meltdown and Spectre can both in principle be used to further attacks against hypervisors, making it easier for malicious users to break out of their virtual machines.

o [The Hill] Many [US] government agencies are in the process of moving data from legacy systems to cloud-based systems, something Stuntz and other experts say shifts the financial risk away from the government to tech companies and would save money long term.

o [The Hill] “Meltdown” can be mitigated by software patches. Microsoft and Google have already issued emergency patches for their systems, though experts say the patches could degrade the performance of devices by 20 to 30 percent when applied. “This is a very large and urgent project for federal IT staff to complete within short timelines,” said Paul Kocher, Senior Technology Adviser at Rambus and one of the researchers who discovered the vulnerabilities. Fully mitigating Spectre is more daunting, with experts saying it may ultimately warrant a redesign of the hardware. “As a longer-term outcome, computing devices need to be engineered differently for security vs. performance,” Kocher said. “Government may play a significant role in this as well, both by supporting continued security research as well as setting procurement requirements.” Government organizations may have to entirely replace systems in the future, a pricey task that may not fit into some agencies budgets. “We’re talking about an average, $1,000 per computer versus a free software patch,” said Devin Ackerman, senior director of the cybersecurity and investigations practice at risk mitigation firm Kroll. “Basically, I am replacing the entire computer with something that is a newer generation, something that is no longer susceptible to this exploit at a hardware level.”

o [The Hill] The vulnerabilities could allow hackers to pilfer sensitive data from virtually all modern computing devices, ranging from computers to smartphones to cloud infrastructure. Experts believe that they may be the most dangerous computer processor flaws to date. The Department of Homeland Security issued guidance on the matter late Wednesday, noting that while operating system updates could help mitigate the issues, the only true solution would be to replace computer processing units' hardware. This means that mitigating the flaws will likely cost federal, state and local governments a significant amount of time, money and effort.

o [The Hill] “If exploit code is developed, this could be catastrophic for [governments]. Another downside is that governments don’t typically update their technology very quickly which means that their processors may already have challenges keeping up with requirements from the latest operating systems and bloated applications,” said Cole. “Add to that mix a vendor patch that's expected to slow down a system as much as thirty percent and you could have a number of challenges for governments that do implement the patch quickly with crashing computers or systems that run too slow to accomplish their tasks,” Cole continued.

o [PC World] Google [Project Zero] says “effectively every” Intel processor released since 1995 is vulnerable to Meltdown, regardless of the OS you’re running or whether you have a desktop or laptop. Chips from Intel, AMD, and ARM are susceptible to Spectre attacks, though AMD says its hardware has “near zero” risk because of the way its chip architecture is designed.

o [PC World] While Intel may address the fundamental hardware problem in future chips, the fix for PCs in the wild needs to come from the operating system manufacturer, as a microcode update alone won’t be able to properly repair it.

o [Wired] Linux developers have already released a [patch mitigating against Meltdown attacks], apparently based on a paper recommending deep changes to operating systems known as KAISER, released earlier this year by researchers at the Graz University of Technology.

Official comments from Tor Project on how Meltdown and Spectre attacks may impact the Tor network, and the anonymity/cybersecurity/privacy of individual users of Tor products such as Tor Browser, would be very welcome.

AFAIR, there was an old discussion of this topic in tor relays TP mailing list. Maybe even there is a ticket. Brief outcome: it doesn't look like a botnet.

Actually, if test is positive you are SURE vulnerable to Spectre. If the test is negative you are MAYBE not vulnerable to Spectre.
This test was negative in each and every unpatched browser that I tried, and yet another test on spectre was positive.

But all the current proof of concepts use Javascript so if you disable javascript you're good anyway.

link is broken all i get is chinese

Thanks for your reply (although I still desire comment from Debian or Tor Project employees).

I did try to post a comment with more detailed information but it never appeared.

> I see patches appearing in the onion mirrors.

But do you have a Debian stable 64 bit system and did you try to actually upgrade your kernel and other modified packages using the onion mirrors? I understand that you appeared to use Tor Browser (?) to check that the upgrades *should* be available, which is interesting, but has anyone been able to actually install any package upgrades released after 1 Jan 2018 from the onion mirrors?

One of the questions I have been trying to get TP to answer is this: the original post by Peter Palfrader announcing the onion mirrors, and the onions page at Debian, offer three specific lines to be added to sources.list. But
o these sources.list lines refer to "jessie" not "stretch".
o these sources.list lines only mention "main" but after users protested "contrib" and "non-free" were added.
Unfortunately, after the rollover from jessie to stretch neither TP nor DP posted new instructions. So I tried to modify the suggested lines last year "in the obvious way" (e.g. changing "jessie" to "stretch") and the modified lines appeared to be working fine until 1 Jan 2018. If I had not made these changes, of course Synaptic would not have been able to fetch upgrades to Debian stable after the rollover from jessie to stretch. I did make the changes and until 1 Jan 2018 was able to obtain all package upgrades from the onion mirrors.

> don't assume that just because something (appears to be) broken for you that it's broken for everyone.

I didn't. One reason why I am asking whether others who use Debian stable and have been updating their systems using the onion mirrors for some time noticed the updates no longer work since 1 Jan 2018.

> Start with at least: what architecture + version of debian

I am writing this while using Tails 3.4 (which *does* incorporate the patches I have not been able to obtain for my own Debian system yet) booted from a live DVD, so the easiest way for me to answer this is:

64 bit Debian stable for a laptop with an Intel chip.

I did check my /proc/version while running the flawed Debian (offline) and I definitely am still running the last kernel released *before* 1 Jan 2018, which is *not* immunized (we hope) against Meltdown. I also see +u3 instead of +u4 (or something like that), again showing that I have not been able to obtain the patched kernel. Of course, I would have known if I were trying to install a new kernel because it takes time to fetch and requires my intervention (calling Synaptic).

> and which packages you are expecting to see updates for...

*All* upgrades (security patches and any others) issued by Debian since 1 Jan 2018. I see a number including the critical kernel patches listed in the security.announce list, which I can access via Tails. Not all of these apply to my Debian system, but a half dozen do, and I have not been able to install any of them as I was prior to 1 Jan 2018.

> I assume you've already checked that internet (and tor) are working properly on your system?

They appear to be. I think the fact that updating from the onion mirrors worked fine (was able to obtain all package upgrades using synaptic) until 1 Jan 2018 and has not worked (am not able to install more recent package upgrades using synaptic) suggests that something has gone wrong. As you noted above, a key question is whether something has gone wrong for everyone or just for me.

In order to test this, I think others need to report whether upgrading their Debian stable packages from the onion mirrors is still working for them (i.e. that they able to install normally patches more recent than 1 Jan 2018).