[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #12418 [Applications/Tor Browser]: TBBs with UBSan create lots of errors when running



#12418: TBBs with UBSan create lots of errors when running
----------------------------------------+--------------------------
 Reporter:  gk                          |          Owner:  tbb-team
     Type:  defect                      |         Status:  assigned
 Priority:  Medium                      |      Milestone:
Component:  Applications/Tor Browser    |        Version:
 Severity:  Normal                      |     Resolution:
 Keywords:  tbb-security, tbb-hardened  |  Actual Points:
Parent ID:                              |         Points:
 Reviewer:                              |        Sponsor:
----------------------------------------+--------------------------

Comment (by cypherpunks):

 Replying to [comment:11 tom]:
 > Replying to [comment:10 cypherpunks]:
 > > Has anyone started working on at least instrumenting individual FF
 components, as suggested above?
 >
 > Kind of. Mozilla spend a considerable amount of person-time playing with
 UBSAN.

 Wow! I had no idea so much work has already been put into this task! This
 will be very helpful.

 > The conclusion was that some tests are valuable and should be used
 (bounds, pointer-overflow, vptr although this requires RTTI).
 >
 > But that others (signed and unsigned overflow) caused a gratuitous
 amount of false positives (largely in the graphics and layout areas but in
 general all over the place) and it's infeasible to whitelist them all. We
 had someone spend a month on this and using his whitelist we brought the
 number of reports down from the hundred of thousands down to the mere
 thousands - but even then it was with a ton of effort and had a ton of
 effort to go.

 Unfortunately, those are some of the most important types of UB that must
 be prevented. An alternative (mutually exclusive due to incompatibilities
 with internal symbol names, or something of that sort), if suitable
 manpower is present, is to instrument important parts of FF with the PaX
 Size Overflow plugin (see
 https://forums.grsecurity.net/viewtopic.php?f=7&t=3043). It provides
 better protection than UBSAN for this specific issue.

 > So I think the path forward is to turn on UBSAN on the whole browser,
 run it through something like the web platform tests or Mozilla's usual
 unit tests, and slowly increase the number of UBSAN tests one by one. When
 we hit one that causes too many false positives, we turn it back off and
 investigate turning it on for an individual component (like image
 decoders.)

 I had assumed that the amount of UB would be so great that it would be
 infeasible to do this in any reasonable amount of time. I still feel like
 instrumenting individual components of the browser would be easier.

 > Also I would suggest the path forward for this is in Mozilla's court,
 rather than Tor's. Not that Tor has to wait for Mozilla, only that making
 use of Mozilla's infrastructure will make it considerably easier. Tor devs
 have access to that, and if any cypherpunks want access, I think the only
 thing needed is a few contributions* that I can point to and say "This
 person is doing good work, let's give them access to run their tests on
 our task runner".

 I tend to avoid Mozilla's ticket system due to their excessively
 bureaucratic nature, and their tendency to put security as a low priority.
 All my Firefox-related contributions have been made here (though
 admittedly I have made more contributions for Tor itself, and relatively
 few for Firefox).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12418#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs