[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #23024 [Applications/Tor Browser]: Flags to increase hardening on Windows



#23024: Flags to increase hardening on Windows
-------------------------------------------+-------------------------------
 Reporter:  arthuredelstein                |          Owner:  tbb-team
     Type:  defect                         |         Status:
                                           |  needs_revision
 Priority:  Medium                         |      Milestone:
Component:  Applications/Tor Browser       |        Version:
 Severity:  Normal                         |     Resolution:
 Keywords:  TorBrowserTeam201711, tbb-rbm  |  Actual Points:
Parent ID:  #21448                         |         Points:
 Reviewer:                                 |        Sponsor:
-------------------------------------------+-------------------------------

Comment (by tom):

 Replying to [comment:13 cypherpunks]:
 > What about `--icf=all` automatically? https://github.com/llvm/llvm-
 project/blob/d0f63f83e7c5c6fc11e964f848d1496234695182/lld/MinGW/Driver.cpp#L265

 Haven't heard of it; but https://clang.llvm.org/docs/UsersManual.html says
 that the arguements needed for ICF to work (-faddrsig) are ELF only...


 > > --forceinteg - not applicablt to clang/lld
 > What do you mean? Just disabled by default: https://github.com/llvm
 /llvm-
 project/blob/ee6fbebbaff5af0a0fbe58a0e33ef191340223ea/lld/COFF/Driver.cpp#L1507

 Ahhah; I was wrong. So it looks like this sets
 IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY which requires a file be signed
 before it's loaded.

 Frankly it seems kind of useless to me, an attacker who can modify the dll
 would invalidate the signature; but they could just strip the signature
 and the unset the flag. But if it cost nothing, I'd say sure, flip it: but
 I'm not sure which Tor Browser releases we Authenticode sign; which this
 would require.

 > > --no-seh - set by lld automatically ​https://reviews.llvm.org/D41252
 (but this would be good to confirm manually
 > What about `--safeseh` automatically? https://github.com/llvm/llvm-
 project/blob/ee6fbebbaff5af0a0fbe58a0e33ef191340223ea/lld/COFF/Driver.cpp#L1617

 Oh good catch: on by default except for MinGW.  We should investigate why
 that is and if we can enable it.


 > > --tsaware - I'm not sure but I really hope that this is completely
 unneeded by now.
 > Because it is enabled and should be enabled by default, you mean?
 https://github.com/llvm/llvm-
 project/blob/ee6fbebbaff5af0a0fbe58a0e33ef191340223ea/lld/COFF/Driver.cpp#L1513

 https://docs.microsoft.com/en-us/cpp/build/reference/tsaware-create-
 terminal-server-aware-application?view=vs-2019 "When an application is not
 Terminal Server aware (also known as a legacy application), Terminal
 Server makes certain modifications to the legacy application to make it
 work properly in a multiuser environment. For example, Terminal Server
 will create a virtual Windows folder, such that each user gets a Windows
 folder instead of getting the system's Windows directory. This gives users
 access to their own INI files. In addition, Terminal Server makes some
 adjustments to the registry for a legacy application. These modifications
 slow the loading of the legacy application on Terminal Server."

 I had hoped that all this nonsense was not needed/performed in Windows 10
 or at least the compiler set the flag automatically. The code makes it
 seem like it does not; but I can't find the flag in Firefox's code, which
 implies that it would not be setting it either...

 More investigation needed, specifically what Firefox sets and if this has
 any effect on Windows 7+

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23024#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs