Tor-ramdisk: a tiny embedded image to host a tor relay

I hate being watched as much as the next person. Even the NSA loves its privacy; otherwise it would be a transparent organization. What’s frightening and exciting about the technology we’re building today is that we are poised on a pivot point between extremes: deep invasion of our privacy and wide-scale efforts to protect it. For those of you who don’t know the Tor Project [1], you really should look into it. Encrypted communication hides what you are saying from third-party eavesdropping, but it does not hide who’s doing the talking, i.e., it cannot hide the identity of one of the parties and so does not preserve your anonymity. If you decide to aim your browser at https://www.google.com/ then you can remain fairly certain [2] that no one else is watching what you are googling for: you know, and Google knows. But unfortunately, so does anyone Google decides to tell! Given some of the exceptionally coercive methods governments use to make their demands [3], you might as well just announce your browsing habits publicly and be done with it.

Here’s where tor steps in. It doesn’t just encrypt your traffic, but also bounces it around the world via tor relays in such a way that even the nodes themselves can’t expose the origin of the traffic. Thus, tor provides its users with pretty good anonymity [4]. Now when Google looks at its logs, it won’t see your IP address, but the IP address of one of the tor exit nodes. These are themselves publicly known [5], but the original IP from where the traffic is coming remains hidden.

I’ve been using tor since about 2005. In July 2007, a tor operator in Germany [6] was arrested. Luckily his computers were not confiscated, but they could have been. The police wouldn’t have gotten much off of them, but there would have been the private keys and some other “evidence.” Running tor or any system of anonymity is not illegal, and it should never be illegal as it is in some countries, but today the line between what is legal and what powers governments will abuse has been blurred if not erased entirely.

2007 was also about the time that cloud computing was catching on, so I got the idea of creating a micro Linux distribution whose only purpose was to house a tor relay in an environment that maximizes security and privacy. The image boots from an ISO into RAM, any keys or configs are scp-ed in, and upon power down … poof! … nothing to see here, move along. This was also about the time that I was getting involved with hardened Gentoo development and I met up with Magnus Granberg (zorry) who was working on migrating toolchain hardening from gcc-3 to gcc-4. I was teaching a course on embedded Linux, primarily building systems with uClibc and buildroot, and so tor-ramdisk was born [7]. I originally targeted only i686, but later added amd64 and mips32r2 for router boards like the Mikrotik RB450G.

So what goes into tor-ramdisk? You can read the build scripts [8] for details, but basically the kernel is Gentoo’s hardened-sources kernel with PaX and Grsec turned on full force. A minimal userland is provided by a crippled busybox with most of its applets turned off. You need openssl for tor itself as well as openssh, which provides for scp-ing keys and config files in and out of the image. Tor critically depends on the time being right, so I used openntpd for synchronization. You also need a good source of entropy for key generation and encryption, which is always a problem on embedded systems [9], so haveged is used to shore up the kernel’s /dev/random. Finally we need uClibc and libevent. I cheat a little and build on uClibc virtual machines, so I can just copy over the needed libraries rather than cross compiling them. Everything is built using Gentoo’s hardened toolchains and so all the ELF binaries have SSP, PIE + ASLR, relro, bind_now and other security goodies [10]. For i686 and amd64, kernel and userland are bundled up in a bootable ISO image, while for mips I embed the initramfs in the bootable Linux image which can be delivered via tftp.

When the system boots, the user is presented with a menu-driven system on tty1 to configure and start tor. The menu is a shell script spawned by init as “tty1::respawn:/bin/setup”. On tty2, tty3 and tty4 we have, respectively, the output of nmeter (ASCII-based system usage meter provided by busybox), ntpd and haveged.
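The hardening properties named above (SSP, PIE, relro, bind_now) can be checked on a built binary by reading its ELF headers. The following is an added example, not code from the tor-ramdisk build scripts: it assumes a little-endian ELF64 file (as on amd64), detects SSP by a simple heuristic, and `build_sample` produces a constructed header-only image used purely as test input.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, ET_EXEC, ET_DYN, PF_X = 0x8, 0x1, 2, 3, 1

def check_hardening(data: bytes) -> dict:
    """Report link-time hardening of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    e_type, e_phoff = struct.unpack_from("<H14xQ", data, 16)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    res = {"pie": e_type == ET_DYN,   # ET_DYN is also used by shared libraries
           "relro": False, "bind_now": False, "nx_stack": False,
           # Heuristic: SSP-built code references __stack_chk_fail
           "ssp": b"__stack_chk_fail\0" in data}
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset, p_filesz = struct.unpack_from("<IIQ16xQ", data, base)
        if p_type == PT_GNU_RELRO:
            res["relro"] = True       # full RELRO additionally needs bind_now
        elif p_type == PT_GNU_STACK:
            res["nx_stack"] = not p_flags & PF_X
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    res["bind_now"] = True
    return res

def build_sample(hardened: bool) -> bytes:
    """Constructed header-only ELF64 image, for demonstration only."""
    segs = [(PT_DYNAMIC, 6), (PT_GNU_STACK, 6 if hardened else 7)]
    segs += [(PT_GNU_RELRO, 4)] if hardened else []
    dyn = struct.pack("<qQqQ", DT_FLAGS, DF_BIND_NOW if hardened else 0, DT_NULL, 0)
    dyn_off = 64 + 56 * len(segs)     # ELF header + program header table
    out = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if hardened else ET_EXEC, 62, 1, 0, 64, 0, 0,
        64, 56, len(segs), 0, 0, 0)
    for p_type, flags in segs:
        size = len(dyn) if p_type == PT_DYNAMIC else 0
        out += struct.pack("<IIQQQQQQ", p_type, flags, dyn_off if size else 0, 0, 0, size, size, 8)
    return out + dyn + (b"__stack_chk_fail\0" if hardened else b"")

if __name__ == "__main__":
    print(check_hardening(build_sample(True)), check_hardening(build_sample(False)))
```

To audit a real image, pass the bytes of each binary from the unpacked initramfs to `check_hardening` and flag any result that contains a `False`.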

I don’t know why I haven’t blogged about tor-ramdisk before on Planet Gentoo, but it is a Gentoo “derivative.” It is also a popular project, at least according to freecode.com. The i686 image is the most popular, followed by the amd64, with several hundred downloads per release. I’ve stopped producing the mips32r2 image because no one was using it, even though it was the most fun to build! There have been suggestions for new features but I’ve tended to resist because I like the ~6 MB image. If you can think of something I can add without growing that image much, send patches my way!

References:

[1] https://www.torproject.org/. The Gentoo package is net-misc/tor.

[2] “fairly certain” but not 100% certain as we recently learned from CVE-2014-0160, aka the “heartbleed” bug. See https://en.wikipedia.org/wiki/Heartbleed

[3] You can read the story of lavabit’s owner as told by him at http://www.theguardian.com/commentisfree/2014/may/20/why-did-lavabit-shut-down-snowden-email

[4] There are attacks against tor so it isn’t perfect, but it is by far the best anonymity software out there. See the wiki page on tor for its weaknesses: http://en.wikipedia.org/wiki/Tor_(anonymity_network)

[5] There are various lists of exit and relay nodes. For a live list, check out http://torstatus.blutmagie.de/

[6] http://www.cnet.com/news/tor-anonymity-server-admin-arrested/

[7] The main development site is http://opensource.dyc.edu/tor-ramdisk. I announce releases at https://freecode.com/projects/tor-ramdisk.

[8] https://gitweb.torproject.org/tor-ramdisk.git

[9] See Josh Ayers’ email to the tor-ramdisk list http://opensource.dyc.edu/pipermail/tor-ramdisk/2014-February/000119.html.

[10] You can read a little bit about these hardening techniques from the “Project Description” of a related project, Lilblue Linux: https://wiki.gentoo.org/wiki/Project:Hardened_uClibc/Lilblue

 

3 thoughts on “Tor-ramdisk: a tiny embedded image to host a tor relay”

  1. js

    Hi, interesting. I’ve also built lots of appliances starting with GNAP and continuing with more advanced topics.

    Could you write more about building for rb450g?

    1. blueness Post author

      Because Mikrotik is not forthcoming with their source code, I’m stuck on linux-2.6.32. You can take a look at the config file here. Notice line 248: CONFIG_INITRAMFS_SOURCE="/root/tor-mips-ramdisk/initramfs". That’s where I put the initramfs image. So basically I build the exact same image that I do for amd64 or i686, but for mips32r2. It has all the same package versions, built with the same toolchain with the same userland hardening, but targeted for mips32r2, obviously. When I compile the kernel, I strip the vmlinux image and voila! A “firmware” image ready to be deployed by tftp. You boot the rb450g by netboot, get in via serial, and you have the same menu option that you do for amd64/i686.
