CrowdStrike/Tortilla

Why have a unique Tortilla identifier?

ioerror opened this issue · 5 comments

I looked briefly and found what looks like a fixed, non-random MAC address that is unique to Tortilla: https://github.com/CrowdStrike/Tortilla/blob/master/Tortilla/TortillaAdapter/TortillaAdapter.cpp#L49

That strikes me as a very bad idea as Tortilla users will stand out on the local network. If randomized MAC addresses are not possible, I think all zeros would be better. Fully random would be best, I guess.

Hi @ioerror,

The MAC address 7A:C0:7A:C0:7A:C0 ("TACO TACO TACO") is used as the MAC address for the Tortilla Adapter on the host system. However, this virtual adapter is only bound to the virtual machine platform's virtual network bridge; it is not bound to any other Network Clients, Network Services, or Network Protocols on the host system. As such, other computers on the user's local network shouldn't be able to detect this MAC address.

Even if they could, though, it wouldn't divulge any new information, since a user on the local network could already detect that the Tortilla host system is communicating with a Tor node.

Tortilla is not designed to conceal the fact that the user is using Tor; it's designed to conceal the identity of the user.

FYI, the slides and whitepaper have now been posted online. They may help to further explain the architecture:
https://media.blackhat.com/us-13/US-13-Geffner-Tor...-All-The-Things-Slides.pdf
https://media.blackhat.com/us-13/US-13-Geffner-Tor...-All-The-Things-WP.pdf

So the bug, as I understand it, of the MAC address leaking onto the real LAN is invalid.

There is a similar bug resulting from the constant MAC address. Malware running inside the VM could detect that it was running inside Tortilla by checking the MAC address of the NIC or enumerating the ARP table looking for the special gateway MAC address. I think random generation is the way to go to avoid these issues.

When I said local network, I meant it to be inclusive of applications on the system itself.

The point is not to hide Tor use - it is to ensure that Tortilla Tor users aren't distinguishable from any other fully Torified systems.

The hardcoded Tortilla Adapter MAC address (7A:C0:7A:C0:7A:C0) in the host's driver is not visible to the guest OS in the virtual machine. Instead, the MAC address seen by software running inside of the virtual machine is that of the "GatewayMacAddress", which is configurable in Tortilla.ini. If a user is concerned about malware detecting Tortilla based on MAC addresses, then the user can change "GatewayMacAddress" in Tortilla.ini and restart Tortilla.exe.

The only reason that the Tortilla Adapter on the host even has a MAC address is that it's a requirement for an NDIS adapter. It's not ever used for anything, though, so the fact that it's hardcoded shouldn't matter.

That said, it may still be possible for software running inside of the virtual machine to fingerprint Tortilla based on the network traffic visible to the guest OS (the fact that the Tortilla DHCP server and DNS server only handle a few specific types of queries, the format of the query responses, and the fact that the guest OS will never see any incoming packets other than ARP, DHCP, DNS, and TCP).
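The mitigation suggested above (changing "GatewayMacAddress" in Tortilla.ini so the guest sees something other than a well-known constant) is easy to get subtly wrong: a gateway MAC must be unicast, and a randomly chosen one should be flagged as locally administered so it cannot collide with a vendor-assigned address. The following Python script is an added example and is not part of the Tortilla project; it generates a compliant random gateway MAC, checks whether a config still carries the default 7A:C0:7A:C0:7A:C0 value from the thread, and rewrites the key in an ini fragment. The "GatewayMacAddress" key name and the default value come from the thread; the `[Tortilla]` section name in the constructed sample ini is an assumption, since the issue does not show the file's layout.

```python
import random
import re

# Constructed sample of a Tortilla.ini fragment (the "[Tortilla]" section name
# is an assumption; the key and default value are quoted in the issue thread).
SAMPLE_INI = """[Tortilla]
GatewayMacAddress=7A:C0:7A:C0:7A:C0
"""

# The hardcoded adapter MAC ("TACO TACO TACO") mentioned by the maintainer.
DEFAULT_GATEWAY_MAC = "7A:C0:7A:C0:7A:C0"

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")
KEY_RE = re.compile(r"^(\s*GatewayMacAddress\s*=\s*)(\S+)(.*)$",
                    re.MULTILINE | re.IGNORECASE)


def parse_mac(mac: str) -> bytes:
    """Parse a colon-separated MAC string into six raw octets."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a colon-separated MAC address: {mac!r}")
    return bytes(int(part, 16) for part in mac.split(":"))


def is_unicast(mac: str) -> bool:
    """Bit 0 of the first octet is the I/G bit; a gateway MAC must be unicast (0)."""
    return not (parse_mac(mac)[0] & 0x01)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is the U/L bit; 1 means locally administered."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_default_gateway_mac(mac: str) -> bool:
    """True when the config still uses the well-known default from the thread."""
    return parse_mac(mac) == parse_mac(DEFAULT_GATEWAY_MAC)


def random_gateway_mac(rng=None) -> str:
    """Generate a random unicast, locally administered MAC (U/L=1, I/G=0)."""
    rng = rng if rng is not None else random.SystemRandom()
    octets = bytearray(rng.getrandbits(8) for _ in range(6))
    octets[0] = (octets[0] | 0x02) & 0xFE  # set U/L bit, clear I/G bit
    return ":".join(f"{b:02X}" for b in octets)


def rewrite_gateway_mac(ini_text: str, new_mac: str) -> str:
    """Replace the GatewayMacAddress value in an ini fragment, preserving
    everything else; refuses multicast or malformed addresses and requires
    exactly one occurrence of the key."""
    if not is_unicast(new_mac):
        raise ValueError(f"gateway MAC must be unicast: {new_mac}")
    new_text, count = KEY_RE.subn(
        lambda m: m.group(1) + new_mac + m.group(3), ini_text)
    if count != 1:
        raise ValueError(f"expected one GatewayMacAddress key, found {count}")
    return new_text


if __name__ == "__main__":
    current = KEY_RE.search(SAMPLE_INI).group(2)
    if is_default_gateway_mac(current):
        fresh = random_gateway_mac()
        print("config uses the default gateway MAC; proposed replacement:", fresh)
        print(rewrite_gateway_mac(SAMPLE_INI, fresh), end="")
```

The script only produces a rewritten text; applying it to the real Tortilla.ini and restarting Tortilla.exe, as the maintainer describes, is left to the operator. A seeded `random.Random` can be passed to `random_gateway_mac` when a reproducible value is wanted for testing.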