-
-
Notifications
You must be signed in to change notification settings - Fork 263
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue H. Plaintext File Kept on Server when Whistleblower Does Not Finish Submitting Tip #828
Comments
since version 2.54.3 all temporary file and so the also requests bigger than 100k are saved on the disk encrpyted with AES with a 128bit key generated by globaleaks at startup and stored in /dev/shm. (this key survive globaleaks restarts but obviously not to machine reboots). datails on this are in https://github.com/globaleaks/GLBackend/blob/master/globaleaks/security.py#L47 where the GLSecureTemporaryFile is implemented in order to be used instead of python tempfile.py. in addition we have fixed various bug that prevented the cleaning sched to delete unffinishced submissions. does this solution comply to your recomendations? |
@evilaliv3 We will be looking at this remediation, starting this week. |
I have not had a chance to review the encryption code properly, but I have some
|
Oops, forgot to add this point:
|
hi @defuse, i answer your 4 question in order:
|
|
ok @defuse we agreed internally on 1) 2) 4) 5). related to 3) we think that for the mitigation (short term) we will keep it due to the simplicity of the solution and we are going to open a ticket for research and development of a specific solution/improval. do you think that addressing 1) 2) 4) 5) described by you the ticket would be addressed? |
Yes, I think the ticket can be closed when 1) 2) 4) 5) are fixed. I think some more review of the encryption would be helpful, though, so I'll try to do that once they are fixed. |
@defuse here comes the fix:
can this thicket be closed? @fpietrosanti / @vecna the usage of different keys in /dev/shm open the possibility for ddos based on multiple attachments and ram exaustion. i don't think this critical for the moment as probably other more powerful attacks than this can be achieved but probably it's good to open a new ticket managing at least to track the situation on te statistic system. what do you think? |
@evilaliv3 Like for the many features available in Flood-Resiliency-Protection https://github.com/globaleaks/globaleaks/issues?labels=Flood-Resiliency-Protection&milestone=&page=1&state=open we can have a new specific limitations on the "amount of new non-finalized file-upload / time" . This would still limit the amount of "files" that can be uploaded (that generate a new file). If this works, please open a ticket with tag "Flood-Resiliency-Protection" . Be sure to update the documentation in the "Application Security Design" detailing how this security feature works. |
yes this works, but a monitoring guard is anyway needed. |
@evilaliv3 Some comments:
Once issue (6) above is fixed, then this ticket can be closed. |
thank you an other time. here comes all the fixes suggested included the addition the unit test for 6) 7) |
@evilaliv3 Two things I missed:
For completeness' sake, I should also mention the following points. I don't think they are issues under the threat model and probably don't have to be fixed (but doing so would be good):
To be clear: The above two points are not problems, since to perform the attacks the attacker would already need access to the GlobaLeaks Node. I'm just noting them for completeness and future reference. |
i think you are misunderstanding the use of the write(). we are using a stream cipher and doing crypto in streaming during upload (in order to no be capped by RAM limits). the reason why we have prevented to use write after read is not for security, but just because it is not possible at all. so with the assertion we wanted to be sure that no code flow will follow this path. so correct me if i'm wrong but it's fine to keep the assertion just because we can eventually disable it after have verified that it does never verify that condition. |
@evilaliv3 You are correct. As long as no other code is writing twice, everything is good and you don't even need the assertion. But from a security design standpoint, I like things that never let the user to do dangerous things under any conditions. It makes it harder to make mistakes, especially if someone re-uses your classes in another application and doesn't really understand the problem with writing twice. It also makes auditing easier and faster, since the auditor doesn't have to check if there are multiple writes, they can just see immediately that the class doesn't allow it. |
@defuse: but multiple writes are in place here obviously. if the user is uploading "helloworld" byte-by-byte we will do: write("h"), write("e"), write("l"), that results in the cipher block chain that encrypt the stream. the problem is that if i want to encrypt a temporary file and decrypt it with the same object i can mix write and read; when O start to read I can't do a later write on the same object but not because it's insecure but because it won't work and with the assertion I want simply to spot if this unexpected code flow happens |
@evilaliv3 Sorry, you understand correctly: by 'multiple writes' I meant multiple writes to the same location in the file, like reading then writing, or like opening the file with Right now I think it's possible to open the file with Edit: fixed a grammar error |
ok :) got it. thank you for the precision. |
this can be considered closes as no plaintext is kept on the server in default configuration where temporary AES encryption is in place and files are encrypted in streaming to PGP from RAM. |
in addition all the codes has been ported from PyCrypto to cryptography. |
At https://github.com/globaleaks/GLBackend/blob/devel/globaleaks/settings.py#L274 is a misleading comment: the AES_counter_nonce is not in hex (it's used at https://github.com/globaleaks/GLBackend/blob/devel/globaleaks/security.py#L72) so the length should not be doubled. @defuse points out that the value is nevertheless correct now because the cryptography module says "Must be the same number of bytes as the block_size of the cipher with a given key." I recommend fixing the comment or at least deleting it. |
allright, i've removed the outdated comment: https://github.com/globaleaks/GLBackend/commit/42bb926ad8f6834432f222ebbe36bc58afa56fc3 |
When a whistleblower uploads a file, it is written to the hard drive in plain text. When the
whistleblower submits the Tip, the file is encrypted with the receiver's public key then the
originally-uploaded temporary file is removed. If the whistleblower uploads a file, but never follows through with submitting the tip, the file they uploaded will remain on disk indefinitely.
The text was updated successfully, but these errors were encountered: