LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security

Phantom: Decentralized anonymous networking

By Jake Edge
June 8, 2011

Anonymity on the internet is an interesting problem, for which several different solutions have been implemented (e.g. Tor, Freenet). Creating such a network is an interesting exercise for one thing, but using one is also highly useful to avoid various kinds of internet activity monitoring. While people in relatively free countries may find it useful to avoid their ISP and government's monitoring, activists and others living under more repressive regimes may find it to be much more than that—in some cases, it could make a life-or-death difference. Phantom is another mechanism for providing internet anonymity that has a number of interesting properties.

The Phantom protocol was introduced at DEFCON 16 in 2008 by Magnus Bråding (slides [PPT]) and is designed to provide decentralized anonymity. The idea is that there is no central weak point that can be shut down or attacked to stop the use of Phantom. It also requires end-to-end encryption, unlike Tor and others, so that there is no "exit node" problem, where a compromised or malicious participant can eavesdrop on the communication. In addition, Phantom is designed for higher performance so that large data volumes can be transferred through the network.

One of the most interesting aspects of Phantom is that it requires no changes to existing internet applications. From the perspective of a web browser or other application, it is just using standard-looking IP addresses. In reality, those addresses are Anonymous Protocol (AP) addresses that are handled by the Phantom software. One of the assumptions that Phantom makes is that IP addresses can be mapped to real-life identities (a very sensible assumption), so one of the major goals is to ensure that those cannot leak.

While the internet is used to carry all of the Phantom traffic, that traffic is virtually partitioned from the rest of the internet. Service providers that want to enable anonymous access to their services (e.g. a web server) have to register that service within the Phantom network. Obviously, that registry could be a problem from a decentralization standpoint, but Phantom uses a distributed hash table (DHT) to contain the information. Various large-scale implementations of DHTs, like Kademlia that was used by the eMule peer-to-peer system, are already in existence.

The DHT is known as the "network database" and contains two separate tables. One lists the IP addresses, ports, and properties of the currently connected nodes in the network, while the other has the AP addresses and properties of connected and registered nodes. The two tables are, obviously, not directly correlated as that would defeat the whole purpose. In order to get a "copy" of the DHT, a new node just needs to contact one existing node and join into the distributed database. Lists of valid IP addresses to connect to could come via nearly any mechanism: web sites, email, or even distributed on pieces of paper. If even one of the listed nodes is still valid, a new node can use it to join in.

A client that wants to communicate on the network must set up its own exit node. It does so by choosing a number of other nodes in the network with which to establish a routing path, the last one of which is the exit node. Unlike Tor, there isn't an established set of exit nodes as any system participating in the network can potentially be an exit node. Also unlike Tor, it is the endpoint that chooses its routing path, rather than the network making those decisions. There is a detailed description of the protocol for establishing a routing path in the Phantom design white paper [PDF]. Each step along the path is encrypted using SSL and the paper shows the details of the complicated process of creating the exit node.

Similarly, any services on the network need to create a routing path to an "entry node". In some cases, where the service itself does not require anonymity but wants to provide access for anonymous clients, the entry node may be the server itself. In any case, services register their AP-to-IP address mapping in the DHT using the IP address of the entry node. For services that do wish to remain anonymous, they will still be hidden behind the routing path from that entry node.

Furthermore, nodes create routing tunnels between themselves and their exit or entry node. These tunnels are under the control of the endpoints, not the network or any intermediary (including entry/exit) nodes. Making a connection is then a process of connecting the two routing tunnels together with the exit node of the client connecting to the entry node of the server. These tunnels are bi-directional, and encrypted in such a way that the intermediaries cannot decrypt the traffic, nor can a man-in-the-middle interfere with the communication without detection.

One of the important properties of the system is that nodes do not know whether they are talking to an endpoint or just another node in a routing path. The routing paths themselves can be arbitrarily long, and could even be chained together to provide further isolation as desired.

While the whole scheme seems fiendishly complex, it has been implemented [PDF] by Johannes Schlumberger as part of his Masters Degree work. Performance is, perhaps surprisingly, said to be reasonable: "maxing out a 100 Mb/s network connection for data transfers over multi-hop Phantom routing tunnels, so the crypto overhead does not seem to be significant at all". The code is available under the Hacktivismo Enhanced-Source Software License Agreement (HESSLA), which seems to be a GPL-inspired license with some additional "political" objectives. Based on the README, the implementation uses a tun virtual network device and may be fairly complicated to set up.

Overall, Phantom looks very interesting. Like Tor and others, though, it requires a fairly large number of participating nodes in order to truly be of use. One of the biggest barriers for Tor has been that exit nodes get blamed for the behavior of the traffic that emanates from them. Since that traffic can't be traced further back than the exit nodes (at least hopefully), any criminal or malicious traffic is associated with whoever runs the Tor node. Because services will have to specifically enable anonymous access for Phantom, that may be less of a problem. It may also make Phantom adoption less likely.

It's a bit difficult to see widespread adoption of Phantom (or any of the other anonymous network protocols), though the Electronic Frontier Foundation has been pushing Tor adoption recently. Some kind of solution is clearly needed but, so far, the logistical and legal hurdles seem to be too large for many to overcome. Unfortunately, anonymous networks may fall into the category of "things that are not set up until it's too late". But it is good to see that people are still thinking about, and working on, this problem.

Comments (18 posted)

Brief items

Security quotes of the week

The possible impact on elections using optical scan ballots is more mixed. One positive use is to detect ballot box stuffing---our methods could help identify whether someone replaced a subset of the legitimate ballots with a set of fraudulent ballots completed by herself. On the other hand, our approach could help an adversary with access to the physical ballots or scans of them to undermine ballot secrecy. Suppose an unscrupulous employer uses a bubble form employment application. That employer could test the markings against ballots from an employee's jurisdiction to locate the employee's ballot.
-- Will Clarkson reports on research showing that "bubble forms" may not provide their presumed anonymity

RSA Security Chairman Art Coviello said that the reason RSA had not disclosed the full extent of the vulnerability because doing so would have revealed to the hackers how to perform further attacks. RSA's customers might question this reasoning; the Lockheed Martin incident suggests that the RSA hackers knew what to do anyway—failing to properly disclose the true nature of the attack served only to mislead RSA's customers about the risks they faced.
-- Peter Bright in ars technica about the cracking of RSA's SecurID

Comments (none posted)

New vulnerabilities

couchdb: cross site scripting

Package(s):couchdb CVE #(s):CVE-2010-3854
Created:June 7, 2011 Updated:June 8, 2011
Description: From the CVE entry:

Multiple cross-site scripting (XSS) vulnerabilities in the web administration interface (aka Futon) in Apache CouchDB 0.8.0 through 1.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Alerts:
Fedora FEDORA-2011-7232 2011-05-19

Comments (none posted)

drupal: multiple vulnerabilities

Package(s):drupal CVE #(s):
Created:June 3, 2011 Updated:June 8, 2011
Description: From the Fedora advisory:

Multiple vulnerabilities and weaknesses were discovered in Drupal.

.... Reflected cross site scripting vulnerability in error handler

A reflected cross site scripting vulnerability was discovered in Drupal's error handler. Drupal displays PHP errors in the messages area, and a specially crafted URL can cause malicious scripts to be injected into the message. The issue can be mitigated by disabling on-screen error display at admin/settings/error-reporting. This is the recommended setting for production sites.

This issue affects Drupal 6.x only.

.... Cross site scripting vulnerability in Color module

When using re-colorable themes, color inputs are not sanitized. Malicious color values can be used to insert arbitrary CSS and script code. Successful exploitation requires the "Administer themes" permission.

This issue affects Drupal 6.x and 7.x.

.... Access bypass in File module

When using private files in combination with a node access module, the File module allows unrestricted access to private files.

This issue affects Drupal 7.x only.

Alerts:
Fedora FEDORA-2011-7546 2011-05-26
Fedora FEDORA-2011-7578 2011-05-26
Fedora FEDORA-2011-7588 2011-05-26
Fedora FEDORA-2011-7559 2011-05-26
Fedora FEDORA-2011-7575 2011-05-26

Comments (none posted)

fetchmail: denial of service

Package(s):fetchmail CVE #(s):CVE-2011-1947
Created:June 7, 2011 Updated:June 21, 2011
Description: From the Mandriva advisory:

fetchmail 5.9.9 through 6.3.19 does not properly limit the wait time after issuing a (1) STARTTLS or (2) STLS request, which allows remote servers to cause a denial of service (application hang) by acknowledging the request but not sending additional packets.

Alerts:
Fedora FEDORA-2011-8021 2011-06-08
Fedora FEDORA-2011-8059 2011-06-08
Fedora FEDORA-2011-8011 2011-06-08
Slackware SSA:2011-171-01 2011-06-21
Mandriva MDVSA-2011:107 2011-06-07

Comments (none posted)

flash-plugin: cross-site scripting

Package(s):flash-plugin CVE #(s):CVE-2011-2107
Created:June 6, 2011 Updated:June 13, 2011
Description: From the Red Hat advisory:

This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed on the Adobe security page APSB11-13, listed in the References section.

Alerts:
Gentoo 201110-11 2011-10-13
SUSE SUSE-SU-2011:0614-1 2011-06-13
openSUSE openSUSE-SU-2011:0612-1 2011-06-08
Red Hat RHSA-2011:0850-01 2011-06-06

Comments (none posted)

java: multiple vulnerabilities

Package(s):java-1.6.0-sun java-1.6.0-openjdk CVE #(s):CVE-2011-0802 CVE-2011-0814 CVE-2011-0862 CVE-2011-0863 CVE-2011-0864 CVE-2011-0865 CVE-2011-0867 CVE-2011-0868 CVE-2011-0869 CVE-2011-0871 CVE-2011-0873
Created:June 8, 2011 Updated:September 28, 2011
Description: Java implementations suffer from a number of vulnerabilities:

  • CVE-2011-0802, CVE-2011-0814, CVE-2011-0863, CVE-2011-0873: "unspecified vulnerabilities"
  • CVE-2011-0862: integer overflows
  • CVE-2011-0864: JVM memory corruption by specific byte code
  • CVE-2011-0865: SignedObjects can be made mutable
  • CVE-2011-0867: information leak
  • CVE-2011-0868: "incorrect numeric type conversion"
  • CVE-2011-0869: unprivileged proxy settings
  • CVE-2011-0871: excessively privileged objects created
Alerts:
Debian DSA-2358-1 2011-12-05
Gentoo 201111-02 2011-11-05
Debian DSA-2311-1 2011-09-27
SUSE SUSE-SU-2011:0966-1 2011-08-30
SUSE SUSE-SA:2011:036 2011-08-29
Red Hat RHSA-2011:1159-01 2011-08-15
Mandriva MDVSA-2011:126 2011-08-15
SUSE SUSE-SU-2011:0863-2 2011-08-05
SUSE SUSE-SU-2011:0863-1 2011-08-02
Red Hat RHSA-2011:1087-01 2011-07-22
SUSE SUSE-SU-2011:0807-1 2011-07-19
SUSE SUSE-SA:2011:030 2011-07-18
Red Hat RHSA-2011:0938-01 2011-07-15
Pardus 2011-95 2011-07-11
openSUSE openSUSE-SU-2011:0706-1 2011-06-28
Scientific Linux SL-java-20110621 2011-06-21
Ubuntu USN-1154-1 2011-06-17
Fedora FEDORA-2011-8028 2011-06-08
SUSE SUSE-SA:2011:032 2011-08-04
Fedora FEDORA-2011-8020 2011-06-08
SUSE SUSE-SU-2011:0632-1 2011-06-14
SUSE openSUSE-SU-2011:0633-1 2011-06-14
CentOS CESA-2011:0857 2011-06-13
Fedora FEDORA-2011-8003 2011-06-08
Scientific Linux SL-java-20110608 2011-06-08
Scientific Linux SL-java-20110608 2011-06-08
Red Hat RHSA-2011:0860-01 2011-06-08
Red Hat RHSA-2011:0856-01 2011-06-08
Red Hat RHSA-2011:0857-01 2011-06-08

Comments (none posted)

libxml2: arbitrary code execution

Package(s):libxml2 CVE #(s):
Created:June 6, 2011 Updated:June 8, 2011
Description: From the Debian advisory:

Chris Evans discovered that libxml was vulnerable to buffer overflows, which allowed a crafted XML input file to potentially execute arbitrary code.

Alerts:
Debian DSA-2255-1 2011-06-06

Comments (none posted)

oprofile: command injection/privilege escalation

Package(s):oprofile CVE #(s):CVE-2011-1760
Created:June 6, 2011 Updated:July 26, 2011
Description: From the Debian advisory:

OProfile is a performance profiling tool which is configurable by opcontrol, its control utility. Stephane Chauveau reported several ways to inject arbitrary commands in the arguments of this utility. If a local unprivileged user is authorized by sudoers file to run opcontrol as root, this user could use the flaw to escalate his privileges.

Alerts:
Fedora FEDORA-2011-8087 2011-06-10
Fedora FEDORA-2011-8076 2011-06-10
Debian DSA-2254-2 2011-07-11
Ubuntu USN-1166-1 2011-07-11
Debian DSA-2254-1 2011-06-03

Comments (none posted)

phpMyAdmin: multiple vulnerabilities

Package(s):phpMyAdmin CVE #(s):
Created:June 6, 2011 Updated:June 15, 2011
Description:

From the phpMyAdmin advisories [1, 2]:

PMASA-2011-3: XSS vulnerability on Tracking page - It was possible to create a crafted table name that leads to XSS.

PMASA-2011-4: URL redirection to untrusted site - It was possible to redirect to an arbitrary, untrusted site, leading to a possible phishing attack.

Alerts:
Fedora FEDORA-2011-7702 2011-05-30
Fedora FEDORA-2011-7703 2011-05-30
Fedora FEDORA-2011-7684 2011-05-30

Comments (none posted)

tor: denial of service

Package(s):tor CVE #(s):
Created:June 7, 2011 Updated:June 8, 2011
Description: From the Red Hat bugzilla:

A vulnerability in Tor was reported that could allow a malicious remote attacker to cause a denial of service. This vulnerability is due to a boundary error within the policy_summarize() function in src/or/policies.c which can be exploited to crash a Tor directory authority.

Alerts:
Fedora FEDORA-2011-7972 2011-06-07

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds