The Design and Implementation of P.O.R.T.A.L
The Personal Onion Router To Assure Liberty is designed to protect the user by isolating their computer behind a router that forces all traffic over the Tor network.
The goal of the PORTAL project is to create a compartmented network segment that can only send data to the Tor network. To accomplish this the PORTAL device itself is physically isolated and locked down to prevent malicious tampering originating from the protected network. So if the user's computer is compromised by malware, the malware is unable to modify the Tor software or configuration, nor can it directly access the Internet (completely preventing IP address leakage). Additionally, the PORTAL is configured to fail closed: if the connection to Tor drops, the user loses their Internet access. Finally, the PORTAL is "idiot proof": simply turn it on and it works.
The Implementation, the Pain, the Horror
The initial requirement was to develop PORTAL for a small personal sized router, such as the TP-Link 703N, 3040, or M1U. All of these devices are small, portable and support the OpenWRT open source router firmware. Unfortunately, it turns out that "small" and "portable" are synonymous with "weak" and "underpowered".
Unfortunately, Tor is quite resource intensive for an embedded device. Tor uses 16MB of RAM (the entire RAM of a stock router), and for complete functionality (which requires the GeoIP database) it occupies slightly over 1.2MB of squashfs space. The stock TP-LINK routers have only 4MB of flash and 16MB of RAM (later models have increased RAM). This caused a lot of problems when building early versions. A bare bones OpenWRT system stripped down to just support an Internet uplink USB device occupies 3.2MB of squashfs space. Using the power of math we see: 3.2 + 1.2 > 4.0. Fuck.
Enter The Dragon, or Chinese Hackers to the Rescue
Fortunately, the TP-LINK routers are not just small, they are also extremely hackable. They are very popular with hackers who have modified the hardware and expanded the capabilities of the stock device. I got in contact with a Chinese hacker who has upgraded the TP-LINK 703N to 16MB of flash and 64MB of RAM. Sweet. Using these modified routers, development of the PORTAL became much easier.
PORTAL System Architecture
The PORTAL requires a minimum of two network interfaces: one for the Internet uplink, and one for the isolated network segment. In order to protect the PORTAL from tampering by malware (or malicious users), it also requires a third, administration interface. This can be either a serial console or a dedicated physical network connection. The reason not to use WiFi for the administration network is that it would expose the administration interface to anyone within WiFi range, including potentially the user's compromised laptop's WiFi card.
Three Interfaces to Rule Them All
The requirement to protect the PORTAL from a malicious user caused some problems since the device hardware has very limited interfaces. The TP-LINK 703N has only:
* 1 x USB 2.0
* 1 x 100 Mbit/s Ethernet
* 1 x onboard WiFi
All available interfaces are required to get us to the three networks we need:
* Tor: isolated proxy interface
  * Tor SOCKS proxy
  * Tor Transparent TCP proxy
  * Tor Transparent DNS proxy
  * DHCP (optional)
* Admin: configuration management interface
  * ssh
  * https (optional)
  * DHCP (optional)
* Internet: uplink connection interface
  * No services
After the user has configured the Internet uplink, and made whatever other adjustments they wish to make, they shouldn't need to connect to the Admin interface again. This leaves us with a very hard target for any attacker who wishes to unmask us (modulo any issues with Tor itself).
The PORTAL has been hardened to make it significantly more difficult for the user to make a mistake, or for an attacker to subvert the Tor protections. From the Tor network the only exposed ports are Tor's DNS proxy, TCP proxy, and SOCKS proxy. Optionally, you can use DHCP on this network.
If, somehow, the firewall doesn't work properly, you're still safe because the PORTAL doesn't actually route packets between its interfaces. The only way you can reach the Internet (regardless of which interface you're connected to) is via Tor. This stops stupid mistakes, such as connecting to the Admin interface and forgetting to swap to the Tor network. Don't worry, you can't do that, it won't work, you're welcome.
Final hardening is left up to the user, who will have to assign the Tor and Admin networks to physical interfaces. There are security trade offs either way.
Tor network on WiFi, Admin on Ethernet:
- pros: ease of use
- cons: pre-Tor plaintext will be broadcast over the AEther (see: Hammond)
Tor network on Ethernet, Admin on WiFi:
- pros: ultra secure
- cons: if an attacker cracks your WPA2 PSK, they'll have access to your management sshd. Of course, if they're that physically close to you, leaking your IP is the least of your worries.
- NOTE: remove the WiFi card from your computer to block access to the Admin network via a malware compromise
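To make the three-interface split and the hardening above concrete, here is an added example (my own, not the PORTAL project's configuration) that generates a torrc and an iptables ruleset implementing it: Tor's SOCKS, transparent TCP and DNS proxies bound to the isolated segment's address only, ssh the only service on the Admin interface, nothing listening on the uplink, FORWARD dropped so no packet is ever routed between segments, and OUTPUT restricted so that only the tor user can send on the uplink (lose Tor, lose the Internet). The defaults correspond to the second assignment above (Tor segment on the wired port, Admin on WiFi, a USB uplink); the interface names, addresses, ports, tor user name and torrc path are assumptions, overridable through environment variables. By default the script only prints what it would do; it applies the configuration only when run with APPLY=1.

```shell
#!/bin/sh
# Added example (not the PORTAL project's own configuration): generate a torrc
# and an iptables ruleset for a three-interface Tor router. Interface names,
# addresses, ports, tor user and torrc path are ASSUMPTIONS; override via env.
TOR_IF="${TOR_IF:-eth0}"        # isolated segment: only Tor's proxies listen
ADMIN_IF="${ADMIN_IF:-wlan0}"   # management segment: ssh only
UPLINK_IF="${UPLINK_IF:-usb0}"  # Internet uplink: no services at all
TOR_ADDR="${TOR_ADDR:-10.0.0.1}"        # router's address on the Tor segment
TOR_USER="${TOR_USER:-tor}"             # unix account Tor runs as
TORRC="${TORRC:-/etc/tor/torrc}"        # assumed torrc location
SOCKS_PORT=9050; TRANS_PORT=9040; DNS_PORT=9053

# torrc: bind every proxy to the Tor-segment address so nothing is reachable
# from the Admin or uplink interfaces.
gen_torrc() {
cat <<EOF
User $TOR_USER
SocksPort ${TOR_ADDR}:${SOCKS_PORT}
TransPort ${TOR_ADDR}:${TRANS_PORT}
DNSPort ${TOR_ADDR}:${DNS_PORT}
# Map .onion names to virtual addresses so transparent TCP proxying works
AutomapHostsOnResolve 1
VirtualAddrNetworkIPv4 10.192.0.0/10
EOF
}

# Firewall: deny by default on every chain, no forwarding between interfaces,
# and only the tor user may originate traffic on the uplink (fail closed).
gen_firewall() {
cat <<EOF
sysctl -w net.ipv4.ip_forward=0
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Tor segment: DNS and every new TCP connection (except to the router's own
# address, so the SOCKS port stays reachable) are redirected into Tor
iptables -t nat -A PREROUTING -i $TOR_IF -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A PREROUTING -i $TOR_IF -p tcp ! -d $TOR_ADDR --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -A INPUT -i $TOR_IF -p tcp --dport $TRANS_PORT -j ACCEPT
iptables -A INPUT -i $TOR_IF -p tcp --dport $SOCKS_PORT -j ACCEPT
iptables -A INPUT -i $TOR_IF -p udp --dport $DNS_PORT -j ACCEPT
# iptables -A INPUT -i $TOR_IF -p udp --dport 67 -j ACCEPT   # optional DHCP
# Admin segment: ssh only
iptables -A INPUT -i $ADMIN_IF -p tcp --dport 22 -j ACCEPT
# Uplink: no inbound services; only Tor itself may send out
iptables -A OUTPUT -o $UPLINK_IF -m owner --uid-owner $TOR_USER -j ACCEPT
# No IPv6 is configured, so drop it outright rather than risk a v6 leak
if command -v ip6tables >/dev/null 2>&1; then
  ip6tables -P INPUT DROP; ip6tables -P OUTPUT DROP; ip6tables -P FORWARD DROP
fi
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
  gen_torrc > "$TORRC"
  gen_firewall | sh -e
else
  gen_torrc
  echo
  gen_firewall
fi
```

Two consequences worth knowing before applying it: the OUTPUT policy also cuts the router itself off from the Internet (NTP, opkg), so clock sync and package updates need an explicit exception or an Admin session, and a client on the Tor segment that sends UDP other than DNS simply gets nothing back, which is the intended fail-closed behaviour rather than a bug.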
Just Do It
The PORTAL project has been migrated to the Raspberry Pi, which has more power to support Tor. It requires more configuration, which is something I'll work on, however the ease of acquisition of the RPi makes this the current platform of choice. So go install PORTAL of Pi and compartment all of your sensitive operational activities inside an isolated Tor network.