
Re: [tor-bugs] #20814 [Applications/Tor Browser]: Pick a more accurate name for the "hardened" Tor Browser



#20814: Pick a more accurate name for the "hardened" Tor Browser
--------------------------------------+--------------------------
 Reporter:  arma                      |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by cypherpunks):

 Given that ASan is only a debugging tool, and the only hardening feature
 it actually provides against intentional attacks (protection from linear
 buffer overflows, all other techniques are mitigated by selfrando and
 soon, jemalloc4's redzones) is already provided by selfrando AFAIK, I
 agree with changing the name. I think calling it hardened is disingenuous
 at best, and turns users looking for extra security into unwitting guinea
 pigs at worst.

 Arma is right that it increases the amount of ROP gadgets, although it
 doesn't affect ASLR. It's PaX which it's not compatible with, as well as
 some other hardening techniques, but I don't believe ASLR itself is
 directly affected. And of course, such an incredibly complex runtime adds
 surface area for attack which can be exploitable in some circumstances. In
 one instance, there was a bug in the entire runtime which caused the
 sanitizer to lead to a local root privesc when used to instrument setuid
 binaries. Of course, Firefox isn't setuid, so a similarly nasty
 vulnerability would "only" lead to regular code execution, not privesc,
 but that's still very bad.

 Personally, I support changing the name to "debug build", considering it's
 all experimental and the security features that are good for users would
 be eventually mainlined as arma said, so the features there include
 instrumentation for finding bugs, even at the expense of security in
 production. I don't think "developer build" is a good name, because that's
 more what the alpha is for (testing new features, etc.), whereas the debug
 build is for using features which help actively find new bugs. Chromium's
 alpha build is called developer for example (canary -> developer -> beta
 -> stable, IIRC).

 Plus, there's the sandbox being developed, so it's not like people who
 were under the impression that they were getting an extra secure version
 of Firefox would suddenly be told they were using the wrong version the
 whole time. They'd have something to migrate to (which actually *does*
 supplement security, even if it's in its early development stages).

 https://labs.riseup.net/code/issues/7155#note-9 has some useful
 information on ASan and its problems.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20814#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
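The comment above rests on a specific claim: redzone-based checking of the kind ASan (and jemalloc-style redzones) performs catches linear buffer overflows, and little else. The following C program is an added illustration of that limitation; it is a constructed toy model written for this page, not ASan's implementation and not code from the ticket or from Tor Browser. All names (`rz_alloc`, `rz_intact`, `buggy_store`, the `arena` buffer, the `REDZONE`/`POISON` constants) are invented here, and the whole model lives inside one static array so every access stays within defined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of redzone-based overflow detection. Not ASan's code;
 * it only reproduces the idea: blocks are separated by poisoned bytes, and an
 * access that touches poison is reported. */
#define REDZONE    16      /* poisoned bytes on each side of a block          */
#define POISON     0xFA    /* marker value written into every redzone byte    */
#define ARENA_SIZE 256     /* one static arena keeps all writes in bounds     */

static unsigned char arena[ARENA_SIZE];
static size_t arena_top;   /* first unused byte of the arena */

/* Start again from an empty, zeroed arena. */
static void rz_reset(void) {
    memset(arena, 0, sizeof arena);
    arena_top = 0;
}

/* Carve `size` user bytes out of the arena. Layout is
 * [redzone][user][redzone][user][redzone]..., so neighbours share a redzone.
 * Returns the offset of the user bytes, or ARENA_SIZE if the arena is full. */
static size_t rz_alloc(size_t size) {
    if (arena_top == 0) {               /* leading redzone for the first block */
        memset(arena, POISON, REDZONE);
        arena_top = REDZONE;
    }
    if (arena_top + size + REDZONE > ARENA_SIZE) return ARENA_SIZE;
    size_t user = arena_top;
    memset(arena + user, 0, size);
    memset(arena + user + size, POISON, REDZONE);
    arena_top = user + size + REDZONE;
    return user;
}

/* The check a redzone scheme relies on: 1 if both redzones around the block
 * still hold POISON, 0 if any redzone byte was overwritten. */
static int rz_intact(size_t user, size_t size) {
    for (size_t i = 0; i < REDZONE; i++) {
        if (arena[user - REDZONE + i] != POISON) return 0;
        if (arena[user + size + i] != POISON) return 0;
    }
    return 1;
}

/* Model of a buggy `buf[idx] = v` where idx may exceed the block size. */
static void buggy_store(size_t user, size_t idx, unsigned char v) {
    arena[user + idx] = v;
}

/* Case 1: a linear overflow (strcpy/memcpy style) runs straight into the
 * trailing redzone, so the check fires. Returns 1 when detected. */
int linear_overflow_detected(void) {
    rz_reset();
    size_t a = rz_alloc(8);
    for (size_t i = 0; i < 12; i++)     /* 8 valid bytes, then 4 into the redzone */
        buggy_store(a, i, 'A');
    return !rz_intact(a, 8);
}

/* Case 2: a single write whose index skips over the redzone (an out-of-range
 * index computed from a corrupted length, or a wide struct stride) lands in
 * the neighbour's user bytes without touching poison. Returns 1 when detected. */
int nonlinear_overflow_detected(void) {
    rz_reset();
    size_t a = rz_alloc(8);
    size_t b = rz_alloc(8);
    buggy_store(a, 8 + REDZONE + 2, 'A');   /* a[26]: past a, past the redzone, into b */
    return !(rz_intact(a, 8) && rz_intact(b, 8));
}

/* Confirms that case 2 really corrupted the neighbour: 1 if b[2] was changed. */
int nonlinear_overflow_hit_neighbour(void) {
    rz_reset();
    size_t a = rz_alloc(8);
    size_t b = rz_alloc(8);
    buggy_store(a, 8 + REDZONE + 2, 'A');
    return arena[b + 2] == 'A';
}

int main(void) {
    printf("linear overflow detected:     %d\n", linear_overflow_detected());
    printf("non-linear overflow detected: %d\n", nonlinear_overflow_detected());
    printf("neighbour corrupted anyway:   %d\n", nonlinear_overflow_hit_neighbour());
    return 0;
}
```

The linear case trips the check because the overrun has to pass through the poisoned bytes; the second case corrupts a live neighbour while every redzone stays intact. That is the gap the comment points at: a redzone scheme reports what crosses a redzone, not every out-of-bounds access, which is why it is a bug-finding aid for developers rather than a mitigation to ship to users who expect protection.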