[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] running Tor relay live with AddressSanitizer

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] running Tor relay live with AddressSanitizer
From: Nick Mathewson <nickm@xxxxxxxxxxxxx>
Date: Tue, 15 Apr 2014 20:43:04 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 15 Apr 2014 20:43:19 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type; bh=rEdY6PZlwA1ug4BJZV2KLJyqXBApn76pvrciHKau3k0=; b=F5WM87MD+kZ5Z9EEepjVkyrKVh++Jop/NuqVdsYc9DQMcXwmU8vF5IbnjSdNFNFTCp ugHP3gNWG9qmajOr2Hi3o9wh50L9SHLeYIxQ7fzkLKNxkvFvhu2IcSV+z3POpECqiMmU qVLa8mVR0HhEIGyjYhVhTALajN/O/7SnlAefiZ05N2I6b2y3O0KKx0zessIqAQtt6Tz9 WbreXnjjZcXlf4NTn1o6VAuQsmWWPxGJ7nsKdU04UxKLlcO9hE1mNebFxuH8CathlZpw Y2/EOX2YLExEBAmuEd1WRXhuCmPdy1Y6XCD6KXHIpnawOMULlzVuxS1ELIqH7ft/Hv4g IjVA==
In-reply-to: <6.2.5.6.2.20140410234905.07242e20@xxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <6.2.5.6.2.20131024180041.03a9ade8@xxxxxxxxxxxxx> <6.2.5.6.2.20131031143704.05e6a228@xxxxxxxxxxx> <6.2.5.6.2.20140408203419.08269790@xxxxxxxxxxx> <6.2.5.6.2.20140410234905.07242e20@xxxxxxxxxxx>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

On Thu, Apr 10, 2014 at 11:53 PM,  <starlight.2014q2@xxxxxxxxxxx> wrote:
> I updated the patch to
>
> 1) have AS close /proc
>
> 2) enable core dump files
>
> One should add
>
>    /proc /chroot_tor/proc none noauto,bind 0 0
>
> to /etc/fstab (note the 'noauto').
> Then the 'tor' startup script does a
>
>    mount /chroot_tor/proc
>      ...start tor
>    sleep 10
>    umount /chroot_tor/proc
>
> And it works like a charm.  'tor' starts
> up with full AddressSanitizer monitoring
> but with no pesky /proc file system
> available to potential attackers.
>
> Attached are the patch and the
>    /etc/rc.d/init.d/tor

I'm sold on integrating AddressSanitizer into Tor as a compile-time
option.  I've got a ticket for doing so #11477
(https://trac.torproject.org/projects/tor/ticket/11477).  I've
uploaded your patch there, and am looking into how to better integrate
it.  If you could make sure that the code _I_ have successfully builds
Tor with AddressSanitizer when you configure
--enable-compiler-hardening, that would rock.

(If you like sandboxes, and Linux, you might also like to try the
seccomp2 sandbox code, once Tor 0.2.5.4-alpha is out. It's present in
Tor 0.2.5.3-alpha, but it's kind of buggy.)

Also, see bug #11232
(https://trac.torproject.org/projects/tor/ticket/11232) for the stuff
I found running under AddressSanitizer and ubsan already.

best wishes,
-- 
Nick
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- Re: [tor-relays] running Tor relay live with AddressSanitizer
  - From: starlight . 2014q2
- Re: [tor-relays] running Tor relay live with AddressSanitizer
  - From: starlight . 2014q2

Prev by Author: Re: [tor-relays] A few questions about my setting up my first Tor relay.
Next by Author: Re: [tor-relays] Compiling tor-0.2.5.3-alpha on Raspberry Pi
Previous by thread: Re: [tor-relays] running Tor relay live with AddressSanitizer
Next by thread: Re: [tor-relays] running Tor relay live with AddressSanitizer
Index(es):
- Author
- Thread