[tor-bugs] #4522 [Tor Browser]: Add privilege separation for bundled browser
#4522: Add privilege separation for bundled browser
-------------------------+--------------------------------------------------
 Reporter:  kteel        |        Owner:  mikeperry
     Type:  enhancement  |       Status:  new
 Priority:  normal       |    Milestone:
Component:  Tor Browser  |      Version:
 Keywords:               |       Parent:
   Points:               | Actualpoints:
-------------------------+--------------------------------------------------
TBB comes with Firefox, which runs with full user privileges by default. A
single vulnerability, for example in its rendering or JavaScript code, can
be used to access private data stored on the system or to bypass Tor and
reveal IP and location.
Modern OSs offer security mechanisms to run 3rd party applications with
reduced privileges:
Windows Vista and later have Protected/Low Integrity Mode.
OS X has seatbelt, fully usable at least since Lion.
Linux has several mechanisms: seccomp is in the kernel and should be
available on all recent distros; SELinux and AppArmor are more distro
specific (Red Hat, Fedora, Ubuntu).
Firefox upstream doesn't make use of any of them yet, but that shouldn't
stop redistributors with different security requirements...
Firefox is also the only major browser that doesn't have a multi-process
architecture to further limit the privileges of code that handles
untrusted input. I don't think anything can be done about that short of
waiting for Electrolysis to make it into Aurora, or switching the browser to
something else in the meantime, which is probably undesirable for many
reasons.
However, sandboxing the Firefox process could be done right now with
relatively little difficulty. The heavy lifting has been done already:
Chromium has several sandbox mechanisms to cover all major platforms.
A few links to get started:
For Windows:
A few icacls commands are enough for a basic configuration.
https://wiki.mozilla.org/Mozilla_2/Protected_mode
http://superuser.com/questions/30668/how-to-run-firefox-in-protected-mode-i-e-at-low-integrity-level
For OS X:
http://developer.apple.com/library/mac/#documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html
http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design
For Linux:
http://code.google.com/p/chromium/wiki/LinuxSandboxing
Ubuntu comes with a Firefox AppArmor profile which just needs to be
adapted to point at the correct binary.
For *BSD:
jail is available across the board.
None of these are designed with the threat model of Tor in mind. Special
focus would be needed to protect the IP address from the browser.
Summary:
The outdated security architecture of Firefox, together with the
JavaScript-heavy web and modern drive-by exploits, makes the current TBB
increasingly susceptible to application-level attacks.
Similar levels of security and resilience against application
vulnerabilities to the "anonymizing middlebox" (transparent proxy in a
separate computer or VM) can be achieved with privilege separation.
Make it happen before Electrolysis comes out (is it even still on their
roadmap?)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4522>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
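The Windows route the ticket sketches (labelling the bundled Firefox for Low Integrity with icacls), written out as an added example; this is not code from the ticket or from Tor Browser, and the TBB paths below are assumptions to be adjusted to the actual bundle layout:

```powershell
# Added example (not from the ticket): label the bundled Firefox so Windows
# starts it at Low integrity, and give that process a Low-labelled profile
# directory it is allowed to write to. All three paths are assumptions.
param(
    [string]$TbbRoot    = 'C:\Tor Browser',                                   # assumed
    [string]$FirefoxExe = "$TbbRoot\FirefoxPortable\App\Firefox\firefox.exe", # assumed
    [string]$ProfileDir = "$TbbRoot\Data\profile"                             # assumed
)

# A new process gets the lower of the user token's integrity level and the
# executable's mandatory label, so labelling firefox.exe Low makes it start
# at Low IL without touching tor.exe or the rest of the bundle.
icacls $FirefoxExe /setintegritylevel Low | Out-Null

# A Low-IL process cannot write to Medium-IL locations (the user's home
# directory, HKCU, etc). Label the profile directory Low and let the label
# inherit to existing and future files and subfolders ((OI)(CI)).
icacls $ProfileDir /setintegritylevel '(OI)(CI)Low' | Out-Null

# Verification: icacls lists "Mandatory Label\Low Mandatory Level:(NW)" on
# objects that carry the label; anything else means the label did not apply.
function Test-LowIntegrity([string]$Path) {
    $out = icacls $Path 2>&1 | Out-String
    return ($out -match 'Low Mandatory Level')
}

foreach ($p in @($FirefoxExe, $ProfileDir)) {
    if (Test-LowIntegrity $p) { "Low IL applied: $p" }
    else { Write-Warning "Low IL NOT applied: $p" }
}

# Caveat: integrity levels restrict writes to files, registry and higher-IL
# processes only. A Low-IL Firefox can still open network sockets directly,
# so this does not by itself keep the IP address away from the browser, which
# is the gap the ticket notes about these mechanisms and Tor's threat model.
```

Run it from an elevated prompt after extracting the bundle and before the first launch; re-run it after updating the bundle, since a replaced firefox.exe will carry the default Medium label again.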