OCR of the Document

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

(TS//SI//REL) Peeling Back the Layers of TOR with EGOTISTICALGIRAFFE

Overall Classification: This briefing is classified TOP SECRET//SI//REL TO USA, FVEY

Agenda
- (U) What is TOR
- (S//SI//REL) The TOR Problem
- (TS//SI//REL) EGOTISTICALGOAT
- (TS//SI//REL) EGOTISTICALGIRAFFE
- (U) Future Development

(U) What is TOR
- (U) The Onion Router
- (U) Enables anonymous internet activity
  - General privacy
  - Non-attribution
  - Circumvention of nation state internet policies
- (U) Hundreds of thousands of users
  - (S//SI//REL) Dissidents (Iran, China, etc.)
  - (S//SI//REL) Other targets too

(U) What is TOR
[Diagram: client browsing the web with TOR client installed, reaching an OCONUS Internet site]
[Diagram: client browsing the web with TOR client installed -> TOR ENTRY -> TOR RELAY -> TOR EXIT -> OCONUS Internet site]

(U) What is TOR
- (U) TOR Browser Bundle
  - Portable Firefox 10 ESR (tbb-firefox.exe)
  - Vidalia
  - Polipo
  - TorButton
  - TOR: Idiot-proof

(S//SI//REL) The TOR Problem
- (TS//SI//REL) Fingerprinting TOR
- (TS//SI//REL) Exploiting TOR
- (TS//SI//REL) Callbacks from TOR

(S//SI//REL) The TOR Problem: Fingerprinting TOR
- Windows XP, Firefox 10.0.5 ESR
- 32-bit Windows 7, Firefox 10
- 64-bit Mac OS X, Firefox 10.0.4 ESR
- 32-bit Windows 7, Firefox 10
- 32-bit Windows 7, Firefox 10
- Ubuntu 11.10, Firefox 10.0.7 ESR
- 32-bit Windows 7, Firefox 10
- 64-bit Windows 7, Firefox 10.0.10 ESR
- 32-bit Windows 7, Firefox 10
- (TS//SI//REL) Build ID gives a timestamp for when the Firefox release was built: Year Month Day Hour Min Sec
- (TS//SI//REL) tbb-firefox's BuildID
- (TS//SI//REL) TorButton cares about TOR users being indistinguishable from TOR users
- (TS//SI//REL) We only care about TOR users versus non-TOR users
- (TS//SI//REL) Thanks to TorButton, it's easy

(S//SI//REL) The TOR Problem: Exploiting TOR
- (TS//SI//REL) tbb-firefox is barebones
  - Flash is a no-no
  - NoScript addon pre-installed but not enabled by default
  - TOR explicitly advises against using any addons or extensions other than TorButton and NoScript
- (TS//SI//REL) Need a native Firefox exploit
- (TS//SI//REL) ERRONEOUSINGENUITY (commonly known as ERIN)
  - First native Firefox exploit in a long time
  - Only works against 13.0-16.0.2
- (TS//SI//REL) EGOTISTICALGOAT (commonly known as EGGO)
  - Configured for 11.0-16.0.2, but the vulnerability also exists in 10.0
- (TS//SI//REL) Type confusion vulnerability in E4X
- (TS//SI//REL) Enables arbitrary read/write access to the process memory
- (TS//SI//REL) Remote code execution via the CTypes module
- (TS//SI//REL) Can't distinguish OS until on box
  - That's okay
- (TS//SI//REL) Can't distinguish Firefox version until on box
  - That's also okay
- (TS//SI//REL) Can't distinguish 64-bit from 32-bit until on box
  - I think you see where this is going

(S//SI//REL) The TOR Problem: Callbacks from TOR
- (TS//SI//REL) Tests on Firefox 10 ESR worked
- (TS//SI//REL) Tests on tbb-firefox did not
  - Gained execution
  - Didn't receive FINKDIFFERENT
- (TS//SI//REL) Defeated by Prefilter Hash
  - Requests EGGI: Hash(tor_exit_ip, session_id)
  - Requests FIDI: Hash(target_ip, session_id)

(TS//SI//REL) Callbacks from TOR
- (TS//SI//REL) Easy fix: Turn off prefilter hashing
  - FUNNELOUT
- (TS//SI//REL) OPSEC Concerns
  - Pre-play attacks
  - PSPs
  - Adversarial Actors
  - Targets worth it

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street NW, Washington, D.C. 20037. Phone: 202-994-7000. Fax: 202-994-7005. nsarchiv@gwu.edu