Threats
This is part of OONI's Threat-Model.
This document outlines hypothetical security risks for OONI's associated Roles. Each potential threat listed below is represented in the Impacts table.
Security vulnerabilities do not go here! They should be tracked as issue tickets or if they are sensitive, please see Disclosure.
This taxonomy comes from a brainstorm of potential threats. If you identify potential threats not covered here, or can propose a more useful organization, let Nathan or Daira know.
Note: These threats involve the production or consumption of report data itself. An attacker may attempt to modify or influence report data, or they may use report data to compromise privacy.
Note: These threats are distinct from Resource Abuse in which an attacker compromises OONI-related infrastructure, or other infrastructure for general abuse.
Inaccurate Report Data - report data which is inaccurate or elided, leading to inaccurate analyses.
Inaccuracy due to Accident
- Accidentally False Report Data [impact] - incorrect due to bug in any part of system - client, oonib, server, pipeline, data compression algorithm, etc.
- Accidentally Bug-Elided Report Data [impact] - data loss due to a bug -- e.g. a bug in report file management overwrites a previous report.
- Accidentally Operationally-Elided Report Data [impact] - data lost due to an accidental service outage, or infrastructure failure.
- Ill-Specified Report Data [impact] - Someone misconceives available tests to detect a particular kind of network interference, but the test actually does not detect that kind of interference.
Inaccuracy due to Malice
Malicious behavior from outside attackers leveraging bugs in OONI
- Maliciously Bug-Falsified Report Data [impact] - incorrect due to a successful attack on OONI software itself -- e.g. a collector bug allows overwriting specific fields in previously collected reports.
- Maliciously Bug-Elided Report Data [impact] - a vulnerability allows removal of report data -- e.g. the collector allows an attacker to specify report file names, so they choose a colliding name to overwrite a target report. e.g. a report aggregation acknowledgement protocol is exposed to an attacker, allowing them to cause reports to be removed from a local machine prior to copy to Data Publisher storage.
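The bug-elision cases above (a report file overwritten by a file-management bug, or by a client choosing a colliding report file name) share one storage-side mitigation. The following is an added example, not oonib's own code: the collector assigns report identifiers itself, accepts only identifiers of its own shape, and creates files with O_EXCL so an existing report can never be truncated. Function names, the identifier format and the directory layout are assumptions made for this example.

```python
"""Collision-safe report storage for a collector.

Added example (not oonib's own code): the collector, not the client, chooses
the report identifier; the identifier is unpredictable so a specific report
cannot be targeted; and files are opened with O_EXCL so an existing report is
never truncated. Names and layout are assumptions for this example.
"""
import os
import re
import secrets
import tempfile

# 24 random bytes -> 32 URL-safe characters; clients never supply this.
REPORT_ID_RE = re.compile(r"[0-9A-Za-z_-]{32}")


def new_report_id() -> str:
    """Server-generated identifier; unpredictable, so it cannot be guessed."""
    return secrets.token_urlsafe(24)


def report_path(base_dir: str, report_id: str) -> str:
    """Map an identifier to a file path, rejecting anything but a bare id."""
    if not REPORT_ID_RE.fullmatch(report_id):
        raise ValueError("malformed report id")
    path = os.path.join(base_dir, report_id + ".yaml")
    # Defence in depth: the resolved path must remain inside base_dir.
    real_base = os.path.realpath(base_dir)
    if os.path.commonpath([real_base, os.path.realpath(path)]) != real_base:
        raise ValueError("report path escapes base directory")
    return path


def create_report(base_dir: str, report_id: str) -> str:
    """Create the report file; fail rather than truncate if it already exists."""
    path = report_path(base_dir, report_id)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return path


def append_entry(base_dir: str, report_id: str, entry: str) -> None:
    """Append one measurement; appending never discards earlier entries."""
    with open(report_path(base_dir, report_id), "a", encoding="utf-8") as f:
        f.write(entry + "\n")


def demo() -> dict:
    """Exercise the guards against a constructed set of inputs."""
    base = tempfile.mkdtemp()
    rid = new_report_id()
    create_report(base, rid)
    append_entry(base, rid, "entry: 1")
    results = {"id_ok": bool(REPORT_ID_RE.fullmatch(rid))}
    try:
        create_report(base, rid)            # same id again: must not truncate
        results["second_create"] = "overwrote"
    except FileExistsError:
        results["second_create"] = "refused"
    with open(report_path(base, rid), encoding="utf-8") as f:
        results["entries_kept"] = f.read().count("\n")
    # Constructed hostile identifiers: traversal, embedded separator, wrong length.
    for bad in ("../etc/passwd", rid[:16] + "/" + rid[16:31], "x" * 31):
        try:
            report_path(base, bad)
            results[bad] = "accepted"
        except ValueError:
            results[bad] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The important property is that the identifier never crosses a trust boundary in the client-to-collector direction: the client receives it, and may echo it back, but the collector validates the shape and refuses to open an existing file for writing.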
Malicious behavior from outside attackers leveraging operational vulnerabilities
- Maliciously Operationally-Falsified Report Data [impact] - operational compromise leading to report modification -- e.g. DOS against a collector during a net-test run results in specific report field inaccuracies.
- Maliciously Operationally-Elided Report Data [impact] - operational compromise leading to report loss -- e.g. DOS against a collector during a net-test run.
Malicious behavior from outside attackers leveraging control of non-OONI-related network infrastructure
- Maliciously Network-Falsified Report Data [impact] - incorrect due to target networks or hosts identifying and behaving exceptionally to OONI traffic.
- Maliciously Network-Elided Report Data [impact] - report data lost or withheld because target networks or hosts identify OONI traffic and behave exceptionally toward it.
Malicious behavior from inside -- the attacker operates one or more components
- Maliciously ooniprobe-Falsified Reports [impact] - Generated by a malicious ooniprobe Operator
- Maliciously ooniprobe Elided Reports [impact] - An ooniprobe Operator maliciously withholds report data from a collector.
- Maliciously Collector-Falsified Reports [impact] - Reports are maliciously modified by an oonib Operator
- Maliciously Collector-Elided Reports [impact] - Reports are maliciously dropped or removed by an oonib Operator
- Maliciously Publisher-Falsified Reports [impact] - Reports are maliciously modified by a Publisher
- Maliciously Publisher-Elided Reports [impact] - Reports are maliciously dropped or removed by a Publisher
- Maliciously Analyst-Falsified Reports [impact] - Reports are maliciously modified by an Analyst
- Maliciously Analyst-Elided Reports [impact] - Reports are maliciously elided by an Analyst
"Toxic" Report Data - report data whose contents are a risk to someone, even when accurate.
- Privacy-compromising (actual and perceived)
- ooniprobe Operator Usage Exposure [impact] - Reports exposing that an ooniprobe Operator uses ooniprobe
- ooniprobe Operator Personal Exposure [impact] - Reports exposing personal information of the ooniprobe Operator
- oonib Operator Usage Exposure [impact] - Reports exposing that an oonib Operator uses ooniprobe
- oonib Operator Personal Exposure [impact] - Reports exposing personal information of the oonib Operator
- Bystander Personal Exposure [impact] - Reports exposing personal information of arbitrary Bystanders -- e.g. a test measurement makes a request to a specific user's Facebook page and includes the result in a report.
- Private Infrastructure Exposure [impact] - Reports exposing private infrastructure details -- e.g. a report includes traceroute output which reveals internal IP addresses near the ooniprobe Operator.
- Illegal Data [impact] - Illegal data distinct from privacy exposing data -- e.g. child pornography
- Injection-Attack Data [impact] - Data containing injection attacks -- e.g. XSS vectors which end up in published analysis websites. e.g. Terminal escape vectors which compromise oonib Operators when viewing logs. e.g. A maliciously crafted test deck compromises ooniprobe or a test helper due to parsing bugs or similar attack vectors.
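Three of the items above (Private Infrastructure Exposure, Operator Personal Exposure via filesystem paths, and Injection-Attack Data) can be addressed by scrubbing string fields before a report leaves the probe or is rendered. The following is an added example, not ooniprobe's own code: it redacts private IP addresses, drops the user-name component of home-directory paths, and removes terminal escape and control sequences. Function names, the replacement tokens and the sample report are constructed for this example.

```python
"""Report field scrubber.

Added example (not ooniprobe's own code): private/internal IP addresses are
replaced, user names inside home-directory paths are dropped, and terminal
escape or control sequences that a log viewer would act on are stripped.
Names, tokens and the sample report are constructed for this example.
"""
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Home directories on common platforms; the user-name component is dropped.
HOME_PATH_RE = re.compile(r"(/home/|/Users/|C:\\Users\\)([^/\\\s]+)")
# CSI sequences (ESC [ ... final byte), OSC sequences (ESC ] ... BEL or ESC \),
# and the remaining two-byte ESC sequences.
ANSI_RE = re.compile(r"\x1b(?:\[[0-?]*[ -/]*[@-~]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-_])")
# Other C0 controls and DEL; tab and newline are kept for multi-line fields.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def redact_private_ips(text: str) -> str:
    """Replace RFC 1918, loopback and link-local addresses; keep public ones."""
    def repl(match):
        try:
            addr = ipaddress.ip_address(match.group(0))
        except ValueError:          # e.g. 999.1.1.1 is not an address at all
            return match.group(0)
        return "[private-ip]" if addr.is_private else match.group(0)
    return IPV4_RE.sub(repl, text)


def redact_user_paths(text: str) -> str:
    """Keep the path shape but drop the user-name directory component."""
    return HOME_PATH_RE.sub(r"\1[user]", text)


def strip_terminal_controls(text: str) -> str:
    """Remove escape sequences and control bytes that terminals would act on."""
    return CONTROL_RE.sub("", ANSI_RE.sub("", text))


def scrub(value):
    """Apply all three filters to every string inside a report structure."""
    if isinstance(value, str):
        return strip_terminal_controls(redact_user_paths(redact_private_ips(value)))
    if isinstance(value, list):
        return [scrub(v) for v in value]
    if isinstance(value, dict):
        return {k: scrub(v) for k, v in value.items()}
    return value


# Constructed sample report; 93.184.216.34 stands in for a public target.
SAMPLE_REPORT = {
    "test_name": "http_requests",
    "input": "http://example.com/",
    "traceroute": [
        "1  192.168.1.1  0.5 ms",
        "2  10.0.0.1  3.1 ms",
        "3  93.184.216.34  20.2 ms",
    ],
    "error": "open /home/alice/.ooni/deck.yaml failed",
    "body": "hello \x1b[2J\x1b]0;pwned\x07 world\x00",
}


def scrub_sample() -> dict:
    """Run the scrubber over the constructed report."""
    return scrub(SAMPLE_REPORT)


if __name__ == "__main__":
    import json
    print(json.dumps(scrub_sample(), indent=2))
```

Scrubbing at the probe protects the Operator before data reaches any collector; the same escape-stripping function applied by an oonib Operator's log viewer covers the case where a report was submitted by someone who did not scrub.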
"Toxic" Non-Report Data - This potential data gathered "out of band" represents a risk to various roles.
Note: This is distinct from Bad Report Data. In the case of Bad Report Data, an attacker manipulates the storage/publication of the data, or they use the publicly available report data to subvert privacy assumptions. In this section, an attacker relies on non-report data such as web server logs, proxy logs, etc...
Privacy-compromising (actual and perceived)
- ooniprobe Operator Usage Exposure From Traffic [impact] - Network traffic exposing that an ooniprobe Operator uses ooniprobe -- e.g. An HTTP Net-Test has an identifiable signature gathered from the target web server. e.g. An SSL Net-Test has an identifiable signature gathered from passive traffic recording of a handshake.
- ooniprobe Operator Usage Exposure From Local Forensics [impact] - A forensic examination of an ooniprobe Operator's host reveals the use and history of ooniprobe operation.
- ooniprobe Operator Personal Exposure From Traffic [impact] - Network traffic exposing personal information of the ooniprobe Operator -- e.g. Net-Test traffic includes filesystem paths, revealing the user name.
- oonib Operator Usage Exposure From Traffic [impact] - Network hardware may passively log connections to a test helper, collector, Directory Service, or any other relevant infrastructure, revealing that the oonib Operator runs those services.
- oonib Operator Personal Exposure From Traffic [impact] - Network hardware may passively log connections to a test helper, leading to identification of the oonib Operator -- e.g. An HTTP test helper includes operating system fingerprints in response headers.
- Bystander Personal Exposure From Traffic [impact] - Network traffic exposes personal information of arbitrary Bystanders, for example, due to net test inputs supplied to a test deck. e.g. An ooniprobe Operator provides the URL for a specific Facebook user to ooniprobe, and a search over passive network logs matches that particular Facebook account.
- Private Infrastructure Exposure From Traffic [impact] - Network traffic exposing private infrastructure details -- e.g. an HTTP net test passes through a Bystander's transparent proxy which adds a header with its IP address.
Injection attacks:
- Injection Attacks Through Traffic Data [impact] - Network traffic which contains injection attacks -- e.g. an HTTP net test includes injection attacks against the less command, such that a Bystander web server operator is compromised when viewing web server logs.
This category represents a risk to privacy due to correlation from multiple data sources, including report and non-report data.
- ooniprobe Operator Usage Exposure From Correlation [impact] - The fact that an ooniprobe Operator ran ooniprobe can be deduced by correlating multiple data sources -- e.g. Timing information in published reports and router logs are analyzed together to determine that an ooniprobe Operator was running ooniprobe.
- ooniprobe Operator Personal Exposure From Correlation [impact] - Personal details about an ooniprobe Operator can be deduced by correlating multiple data sources -- e.g. Timing information in published reports, router logs, and video recordings from an internet cafe are analyzed together to determine the face or identity of an ooniprobe Operator.
- oonib Operator Usage Exposure From Correlation [impact] - The fact that an oonib Operator runs oonib can be deduced from multiple data sources -- e.g. The uptime of a collector's hidden service is correlated with a known outage of an oonib Operator's infrastructure to deduce that they operate a collector.
- oonib Operator Personal Exposure From Correlation [impact] - Personal details about an oonib Operator can be deduced from multiple data sources -- e.g. The IP address of a test helper, reverse DNS, and whois are all queried together to determine a physical address of an oonib Operator.
- Bystander Personal Exposure From Correlation [impact] - Multiple data sources are correlated to deduce personal information about a Bystander -- e.g. Timing information from published reports, correlated with the time of a censoring firewall policy change, reduces the IP search space to a small set, and all users of an ISP are investigated.
- Private Infrastructure Exposure From Correlation [impact] - Data correlation reveals details about private infrastructure -- e.g. A report includes reverse DNS lookups with associated timing information, which is correlated with DNS server logs to deduce details about the ooniprobe Operator's DNS configuration.
Note: This section is about abusing resources (whether intentionally or inadvertently), independent of the report-data and non-report-data privacy issues above. Threats involving report or non-report data often also involve resource abuse, so these are distinct but not mutually exclusive categories of threat.
Direct Compromise
- ooniprobe Compromise via Net-Test [impact] - A vulnerability in a Net-Test allows the network or measurement target hosts to compromise the ooniprobe host.
- ooniprobe Compromise via Collector [impact] - A vulnerability in the Collector lookup mechanism, or Collector client, allows a malicious lookup service (such as mlab-ns) or collector to compromise the ooniprobe host.
- oonib Compromise via Test Helper [impact] - A vulnerability in a test helper allows a remote attacker to compromise the oonib host.
- oonib Compromise via Collector [impact] - A vulnerability in the collector allows a remote attacker to compromise the oonib host.
- Directory Service Compromise via client [impact] - A vulnerability in the Directory Service allows a remote attacker to compromise the Directory Service host.
Note: This section excludes DOS against non-OONI infrastructure which is leveraged by OONI infrastructure. See Leveraged Attacks below.
- ooniprobe DOS [impact] - Resource usage patterns of ooniprobe allow remote attackers to incapacitate the host it runs on. e.g. An HTTP net test reads and stores an HTTP response of arbitrarily large size, and a malicious web server consumes all disk on the ooniprobe host.
- Test Helper DOS [impact] - Resource usage patterns of a test helper allow remote attackers to incapacitate the host it runs on. e.g. An HTTP test helper reads and stores an HTTP request of arbitrarily large size, and a malicious client consumes all disk on the test helper host. e.g. A test helper performs reverse DNS lookups based on an incoming request, and the time or other cost of the DNS lookup is larger than the initial malicious client's request; meanwhile an unlimited number of client requests are accepted and honored.
- Collector DOS [impact] - Resource usage patterns of a collector allow remote attackers to incapacitate the host it runs on. e.g. Recording an infinitely long report fills up the disk, preventing other reporting.
- Publisher DOS [impact] - Resource usage patterns of Publisher infrastructure allow remote attackers to incapacitate that infrastructure -- e.g. Report aggregation decompresses data in reports and a malicious report contains a compression bomb, leading to DOS of space or memory in Publisher infrastructure.
- Directory Service DOS [impact] - Resource usage patterns of the Directory Service allow remote attackers to incapacitate the host it runs on. e.g. Malicious clients open and hold a large number of TCP connections without making a request until the Directory Service host runs out of available sockets, preventing legitimate requests.
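The "arbitrarily large" body cases (ooniprobe DOS, Test Helper DOS, Collector DOS) and the compression-bomb case (Publisher DOS) above are all instances of consuming input without a byte budget. The following is an added example, not oonib's or ooniprobe's code: a bounded reader that fails before buffering more than the budget, and a bounded decompressor that stops inflating as soon as output would exceed a ceiling. The limits, names and sample inputs are assumptions constructed for this example.

```python
"""Resource caps against the denial-of-service patterns listed above.

Added example (not oonib's own code): read_bounded protects a component that
receives request or response bodies; decompress_bounded protects report
aggregation from a compression bomb. Limits and samples are constructed.
"""
import io
import zlib


class BodyTooLarge(Exception):
    """Raised as soon as a byte budget is exceeded, before anything is stored."""


def read_bounded(stream, limit: int, chunk_size: int = 64 * 1024) -> bytes:
    """Read a body of at most `limit` bytes; never buffer more than limit + 1."""
    buf = bytearray()
    while True:
        # Ask for one byte beyond the budget so an oversized body is detected
        # without reading the rest of it.
        chunk = stream.read(min(chunk_size, limit - len(buf) + 1))
        if not chunk:
            return bytes(buf)
        buf += chunk
        if len(buf) > limit:
            raise BodyTooLarge(f"body exceeds {limit} bytes")


def decompress_bounded(data: bytes, max_out: int) -> bytes:
    """Inflate zlib or gzip data, stopping once output would exceed max_out."""
    inflater = zlib.decompressobj(zlib.MAX_WBITS | 32)   # auto-detect header
    out = bytearray()
    pending = data
    while pending:
        # max_length caps the output of this call; input that was not needed
        # stays in unconsumed_tail instead of being inflated eagerly.
        out += inflater.decompress(pending, max_out - len(out) + 1)
        if len(out) > max_out:
            raise BodyTooLarge(f"decompressed size exceeds {max_out} bytes")
        pending = inflater.unconsumed_tail
    out += inflater.flush()
    if len(out) > max_out:
        raise BodyTooLarge(f"decompressed size exceeds {max_out} bytes")
    return bytes(out)


def demo() -> dict:
    """Exercise both guards with constructed inputs."""
    results = {}
    # Constructed bomb: 8 MiB of zeros compresses to a few KiB on the wire.
    bomb = zlib.compress(b"\0" * (8 * 1024 * 1024), 9)
    results["bomb_small_on_the_wire"] = len(bomb) < 64 * 1024
    try:
        decompress_bounded(bomb, max_out=1024 * 1024)
        results["bomb"] = "inflated"
    except BodyTooLarge:
        results["bomb"] = "rejected"
    report = b'{"test_name": "http_requests", "input": "http://example.com/"}'
    results["normal"] = decompress_bounded(zlib.compress(report), max_out=1024 * 1024) == report
    try:
        read_bounded(io.BytesIO(b"x" * 5000), limit=4096)
        results["big_body"] = "buffered"
    except BodyTooLarge:
        results["big_body"] = "rejected"
    results["small_body"] = read_bounded(io.BytesIO(b"ok"), limit=4096)
    return results


if __name__ == "__main__":
    print(demo())
```

Both functions fail closed: the caller sees an exception rather than a partially stored oversized body, so the disk and memory cost of a hostile peer is bounded by the configured limit regardless of how much the peer sends or how well its data compresses.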
These threats involve abusing OONI infrastructure to attack other systems.
Note: This includes DOS against external services, in contrast to Direct Denial of Service above.
- ooniprobe localhost Leveraged Attack [impact] - A vulnerability in ooniprobe allows a remote attacker to attack other processes on the ooniprobe host. e.g. A user is running a service which accepts connections only from localhost, and a malicious test input causes ooniprobe to reflect an attack vector to that internal third-party service.
- ooniprobe Extra-Host Leveraged Attack [impact] - A vulnerability in ooniprobe allows a remote attacker to attack other hosts via the ooniprobe process. e.g. A malicious input causes ooniprobe to forward a remote exploit to a vulnerable third-party web server.
- oonib localhost Leveraged Attack [impact] - A vulnerability in oonib allows an attacker to leverage an attack on other resources on the same virtual machine. e.g. A single VM hosts both oonib and an unrelated service, and a test helper provides a proxy service which is used to connect to the other service through localhost.
- oonib Shared Hardware Leveraged Attack [impact] - A vulnerability in an oonib VM allows compromise of a service on a separate VM on the same hardware. e.g. The virtualization on a hardware host insufficiently protects resources between VMs, and an oonib vulnerability allows a remote attacker to consume so many resources as to DOS the other VMs. e.g. The virtualization has a vulnerability allowing a compromised oonib VM to compromise other VMs or the base OS.
- oonib Extra-Host Leveraged Attack [impact] - A vulnerability in oonib allows an attacker to leverage an attack on other hosts.
- Directory Service localhost Leveraged Attack [impact] - A vulnerability in the Directory Service allows a remote attacker to compromise other processes on the same host.
- Directory Service Extra-Host Leveraged Attack [impact] - A vulnerability in the Directory Service allows a remote attacker to compromise other processes on different hosts. e.g. A network vulnerability in the Directory Service allows a remote attacker to forward traffic to another host on the same internal network. e.g. A vulnerability in the Directory Service allows an attacker to supply malicious test helper or collector addresses to ooniprobe to leverage a DOS or other attack.
Collateral Infrastructure Damage
These threats involve OONI tests denying service to, or otherwise harming, other infrastructure accidentally.
- ooniprobe Unintentional DOS [impact] - A test causes ooniprobe or a test helper to unintentionally disrupt external infrastructure. e.g. An out-of-spec HTTP request line causes a web server or proxy to crash. (See Ticket #133.)