Author: Jacob Appelbaum
Date:
To: The Tails public development discussion list
Subject: Re: [Tails-dev] minimalist/anonymity-preserving DHCP clients [was: Re: Reducing attack surface of kernel and tightening firewall/sysctls]
On 12/4/14, Daniel Kahn Gillmor <dkg@???> wrote:
> On 12/04/2014 09:56 AM, Jacob Appelbaum wrote:
>
>> I'm currently working with a friend on a privilege separated dhcp
>> client that does not need raw sockets. It is in the early stages but
>> it is able to do the network lease without being root and without
>> having a raw socket. It is surprising that absolutely no one has done
>> this in the past. I think everyone just looked at the ISC DHCP code
>> and cargo culted from that point forward.
>>
>>>
>>> In general it might be better for security to have a derooted DHCP
>>> client that does not need CAP_NET_RAW and also has less attack surface
>>> than dhclient (C code + shell scripts).
>>
>> I completely agree. The DHCP client in Tails is a major attack vector.
>> I think that we could patch the ISC daemon, for example, to do some
>> tricks - if we didn't want an outright replacement. If anyone is
>> interested in this and would actually use some patches. I'm wary of
>> starting such a process if it will not be used. I'd rather focus on
>> writing a totally different dhcp client from scratch. My experience
>> with writing tlsdate really influences me on this with regard to
>> Tails.
>>
>>> Maybe use a small replacement
>>> client that does only support bare minimum needed to get an IP4/6 and
>>> not the whole spec (instead of trying to fix dhclient)? Anyways, some
>>> efforts for dhclient are made here [3].
>>
>> I think a simple DHCP client is quite straightforward - integration
>> with Network-Manager is probably more difficult than a simple DHCP
>> network client.
>
> I'm not sure i'd characterize a simple DHCP client as "quite
> straightforward", but certainly a minimalist one is more straightforward
> than one which handles all the possible extensions that have cluttered
> DHCP over the years.
>
We've already written the start of a very basic non-raw-socket DHCP
client - it doesn't yet include the parser and later stages but it
does fetch leases. It is completely straightforward with the basic
socket API. It is absolutely not required to use a raw socket but it
requires some trickery with the rp_filter in the kernel.
The parsers for any dhcp client are of course rather annoying and the
rest of the hooks are too. However - remember the DHCP client that
talks to the *network* does not need to do anything other than the
full DHCP lease process. Thus with the right design, a minimal or a
full client is something in another process anyway.
> I spoke recently with Christian Huitema from Microsoft about having an
> anonymity-preserving DHCP client profile -- one that leaks no additional
> information about the client beyond the current MAC address of the
> requesting device. He offered to spec out exactly what he wants MS to
> plan to do for this; If you're working on a minimalist
> anonymity-preserving client like this, it would be good to coordinate
> with them, so that your client would be indistinguishable from theirs.
>
I'd be happy to talk with them. Please do introduce me to them in some way?
> The main thrust of the profile would be to nail down things like:
>
> * list exactly which options will be emitted in each message sent by
> the client
That sounds good.
>
> * for each emitted option, specify its exact contents
Makes sense.
>
> * specify a deterministic algorithm for mapping the link layer address
> to a value suitable for the client identifier option
That seems reasonable.
>
> * specify the lease renewal behavior algorithm
It seems rather straightforward to use the time offered by the server
- what else do you think is important to consider?
>
> If you're interested, i'm happy to put you and your friend in touch with
> Christian and his team about this. Anonymity loves company!
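The two ideas in this thread, a lease obtained over an ordinary UDP socket rather than a raw socket, and a fixed "profile" that emits exactly specified options with the client identifier derived deterministically from the MAC, can be shown together in a small DHCPDISCOVER builder. This is an added example written for this archive, not the client Jacob describes nor any Tails or ISC code; it assumes the process is allowed to bind UDP port 68 (for instance because a privileged parent opened the socket and passed the descriptor), and the MAC and transaction id are constructed values.

```c
/* Added example, not the thread's client. Assumes the process may bind UDP port 68. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
/* Options emitted, fixed order and contents: 53 (message type), 61 (client id =
   type 1 + MAC, RFC 2132), 55 (parameter request list), 255 (end). No hostname
   (12) or vendor class (60), so nothing beyond the MAC is leaked.
   Returns the message length, or 0 if buf is too small. */
size_t build_discover(uint8_t *buf, size_t cap, const uint8_t mac[6], uint32_t xid)
{
    static const uint8_t prl[] = {1, 3, 6};        /* subnet mask, router, DNS */
    size_t need = 240 + 3 + 9 + 2 + sizeof prl + 1;  /* fixed header + options */
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 1; buf[1] = 1; buf[2] = 6;            /* BOOTREQUEST, Ethernet, hlen 6 */
    buf[4] = xid >> 24; buf[5] = xid >> 16; buf[6] = xid >> 8; buf[7] = xid;
    buf[10] = 0x80;   /* BROADCAST flag: reply to 255.255.255.255, received on 0.0.0.0:68 */
    memcpy(buf + 28, mac, 6);                      /* chaddr */
    memcpy(buf + 236, "\x63\x82\x53\x63", 4);      /* options magic cookie */
    uint8_t *p = buf + 240;
    *p++ = 53; *p++ = 1; *p++ = 1;                 /* DHCPDISCOVER */
    *p++ = 61; *p++ = 7; *p++ = 1; memcpy(p, mac, 6); p += 6;
    *p++ = 55; *p++ = sizeof prl; memcpy(p, prl, sizeof prl); p += sizeof prl;
    *p++ = 255;
    return (size_t)(p - buf);
}
/* Plain SOCK_DGRAM socket on 0.0.0.0:68 with broadcast allowed; -1 on failure. */
int open_dhcp_socket(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0), one = 1;
    struct sockaddr_in me = { .sin_family = AF_INET, .sin_port = htons(68) };
    if (fd < 0) return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&me, sizeof me) < 0) { close(fd); return -1; }
    return fd;
}
int main(void)
{
    const uint8_t mac[6] = {0x02, 0x00, 0x00, 0x12, 0x34, 0x56}; uint8_t pkt[300]; /* constructed */
    size_t n = build_discover(pkt, sizeof pkt, mac, 0x1a2b3c4du);
    struct sockaddr_in srv = { .sin_family = AF_INET, .sin_port = htons(67),
                               .sin_addr.s_addr = htonl(INADDR_BROADCAST) };
    int fd = open_dhcp_socket();
    if (fd < 0) { perror("open_dhcp_socket"); return 1; }
    if (sendto(fd, pkt, n, 0, (struct sockaddr *)&srv, sizeof srv) < 0) perror("sendto");
    return close(fd);
}
```

Because the option list and contents are fixed in code, two clients built from this profile produce byte-identical DISCOVERs for the same MAC and xid, which is the indistinguishability property the proposed profile is after.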