[tahoe-dev] What Tahoe-LAFS Reveal to an Attacker

Kevin Reid kpreid at switchb.org
Sun Feb 24 17:23:01 UTC 2013


On Feb 24, 2013, at 5:26, Patrick R McDonald wrote:

> All,
> 
> Simon's post on a secure OS for Tahoe-LAFS got me thinking.  Let's
> assume for a moment that an attacker gains root on your node.  What, if
> anything, does the attacker gain from your Tahoe-LAFS install?  Does it
> differ if this is a gateway rather than a regular node?
> 
> We know the attacker can affect availability of the node, but Tahoe-LAFS
> has great protections against this.  What about attacks against the
> confidentiality or integrity parts of Tahoe-LAFS?

Off the top of my head, the attacker gains the ability to:

• upload new files to the grid.

• obtain the IP addresses and nicknames of other members of the grid.

• if the attacker knows a convergence secret (possibly including the empty string) in use by some member, determine whether a known file is in the grid.


If the node is a storage server, then the attacker can:

• observe (partial) download/upload traffic from other members of the grid, including identifying specific files given a known convergence secret.

• possibly cause reversion of a mutable file's contents (including directories), if the attacker can ensure that all nodes having the current version are controlled or disabled.


If the node is a gateway, then the attacker can:

• read and modify the plaintext of all files uploaded or downloaded through that gateway. (Modification of immutable files would result in observably inconsistent results if the user later uses a different gateway.)

• collect readcaps and writecaps which can then be used to perform normal access through non-compromised gateways.

• fail to renew leases, thus eventually allowing a user's files to be actually deleted from the grid.

-- 
Kevin Reid                                  <http://switchb.org/kpreid/>
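As an added illustration of the convergence-secret point raised above (example code written for this archive page, not code from Tahoe-LAFS or from the thread's authors; the key derivation and storage-index construction are a simplified stand-in for Tahoe's real scheme, and the sample document is constructed):

```python
import hashlib
import hmac
import secrets

# Simplified model of convergent encryption (constructed example, not
# Tahoe-LAFS's exact derivation): the content key depends only on the
# convergence secret and the plaintext, so two uploads of the same file
# under the same secret yield the same key, ciphertext and storage index.

def convergence_key(convergence_secret: bytes, plaintext: bytes) -> bytes:
    return hmac.new(convergence_secret, plaintext, hashlib.sha256).digest()

def storage_index(key: bytes) -> str:
    # The storage index is the identifier a storage server records and
    # can observe in traffic; the server never sees the key or plaintext.
    return hashlib.sha256(b"storage index:" + key).hexdigest()[:32]

def upload(convergence_secret: bytes, plaintext: bytes, server_view: set) -> str:
    # Model an upload: the gateway derives the key client-side and the
    # storage server only learns the resulting index.
    idx = storage_index(convergence_key(convergence_secret, plaintext))
    server_view.add(idx)
    return idx

def confirms_known_file(guessed_secret: bytes, candidate: bytes, server_view: set) -> bool:
    # The risk named in the thread: anyone who can read a server's indices
    # and knows (or guesses, e.g. the empty string) the convergence secret
    # can test whether a specific already-known file is in the grid,
    # without decrypting anything.
    return storage_index(convergence_key(guessed_secret, candidate)) in server_view

def demo() -> dict:
    # Constructed sample plaintext standing in for a widely available file.
    known_doc = b"constructed sample: a widely available public document"
    # Grid 1: the user uploaded with the default (empty) convergence secret.
    grid_default = set()
    upload(b"", known_doc, grid_default)
    # Grid 2: the user uploaded with a private, randomly generated secret.
    grid_private = set()
    upload(secrets.token_bytes(32), known_doc, grid_private)
    # Mitigation shown by the contrast: a per-user random convergence secret
    # makes the index unpredictable to anyone who lacks that secret.
    return {
        "default_secret_confirms_file": confirms_known_file(b"", known_doc, grid_default),
        "private_secret_confirms_file": confirms_known_file(b"", known_doc, grid_private),
    }
```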
