[tahoe-dev] What Tahoe-LAFS Reveal to an Attacker
Kevin Reid
kpreid at switchb.org
Sun Feb 24 17:23:01 UTC 2013
On Feb 24, 2013, at 5:26, Patrick R McDonald wrote:
> All,
>
> Simon's post on a secure OS for Tahoe-LAFS got me thinking. Let's
> assume for a moment, an attacker gains root on your node. What, if
> anything, does the attacker gain from your Tahoe-LAFS install? Does it
> differ if this is a gateway rather than a regular node?
>
> We know the attacker can affect availability of the node, but Tahoe-LAFS
> has great protections against this. What about attacks against the
> confidentiality or integrity parts of Tahoe-LAFS?
Off the top of my head, the attacker gains the ability to:
• upload new files to the grid.
• obtain the IP addresses and nicknames of other members of the grid.
• if the attacker knows a convergence secret (possibly including the empty string) in use by some member, determine whether a known file is in the grid.
If the node is a storage server, then the attacker can:
• observe (partial) download/upload traffic from other members of the grid, including identifying specific files given a known convergence secret.
• possibly cause reversion of a mutable file's contents (including directories), if the attacker can ensure that all nodes having the current version are controlled or disabled.
If the node is a gateway, then the attacker can:
• read and modify the plaintext of all files uploaded or downloaded through that gateway. (Modification of immutable files would result in observably inconsistent results if the user later uses a different gateway.)
• collect readcaps and writecaps which can then be used to perform normal access through non-compromised gateways.
• fail to renew leases, thus eventually allowing a user's files to be actually deleted from the grid.
--
Kevin Reid <http://switchb.org/kpreid/>
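
The convergence-secret point in the message above, as an added example that is not part of the original post and is not Tahoe-LAFS code: a simplified model of convergent encryption showing why a known (or empty) convergence secret lets a storage server confirm a known file, and why a private random secret prevents it. The hash construction and all names here are assumptions; Tahoe-LAFS's real key and storage-index derivation differs in detail.

```python
import hashlib
import os

def _h(tag: bytes, *parts: bytes) -> bytes:
    """Tagged, length-prefixed SHA-256 (simplified stand-in, not Tahoe's real hash)."""
    h = hashlib.sha256(tag)
    for p in parts:
        h.update(len(p).to_bytes(8, "big") + p)
    return h.digest()[:16]

def storage_index(secret: bytes, plaintext: bytes) -> bytes:
    # Convergent encryption: the key is a function of (secret, plaintext) only,
    # and the storage index the server sees is a function of the key.
    key = _h(b"key:", secret, plaintext)
    return _h(b"storage-index:", key)

class StorageServer:
    """Models what root on a storage server can observe: the stored indexes."""
    def __init__(self):
        self.indexes = set()

    def upload(self, secret: bytes, plaintext: bytes) -> None:
        self.indexes.add(storage_index(secret, plaintext))

    def holds(self, candidate_secret: bytes, known_file: bytes) -> bool:
        # Recompute the index for a file the observer already has a copy of.
        return storage_index(candidate_secret, known_file) in self.indexes

def demo() -> dict:
    known_file = b"constructed sample: a widely circulated document\n"
    weak = StorageServer()
    weak.upload(b"", known_file)               # member using the empty secret
    strong = StorageServer()
    strong.upload(os.urandom(32), known_file)  # member with a private random secret
    return {
        "empty_secret_confirmed": weak.holds(b"", known_file),
        "other_file_confirmed": weak.holds(b"", b"some other file"),
        "random_secret_confirmed": strong.holds(b"", known_file),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```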