Feature #7155

Build the browser with Address Sanitizer or SoftBound

Added by intrigeri 2014-05-02 12:54:16 . Updated 2017-06-29 10:11:23 .

Status:
Rejected
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
2014-05-02
Due date:
% Done:

0%

Feature Branch:
Type of work:
Wait
Blueprint:

Starter:
0
Affected tool:
Browser
Deliverable for:


Subtasks


Related issues

Related to Tails - Feature #5802: Harden the web browser at compile time Resolved
Has duplicate Tails - Feature #12179: Tor Browser hardened Duplicate 2017-01-26

History

#1 Updated by BitingBird 2014-05-12 11:50:07

  • Category set to 176

#2 Updated by intrigeri 2014-06-06 06:32:20

Two Debian developers (Enrico Zini, Sylvestre Ledru) have tried backporting GCC 4.8 for Wheezy, and gave up.

The TBB folks managed to build GCC 4.9 on Lucid, but https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61408.

On June 6, 2014, GeKo writes: “I don’t get any fx >24 compiled with clang 3.5; at least not with ASan”

#3 Updated by intrigeri 2014-06-06 06:32:46

  • Subject changed from Build the browser with Address Sanitizer to Build the browser with Address Sanitizer or SoftBound

#4 Updated by intrigeri 2014-10-08 08:10:53

#5 Updated by intrigeri 2014-10-08 08:12:03

  • related to Feature #5802: Harden the web browser at compile time added

#6 Updated by intrigeri 2015-01-01 21:08:12

  • Type of work changed from Research to Wait

Now that we’re shipping Tor Browser, that’s a job for upstream.

#7 Updated by sajolida 2015-09-22 07:53:42

  • Target version deleted (Hardening_M1)

#8 Updated by intrigeri 2015-11-06 02:23:41

  • Status changed from Confirmed to In Progress

https://blog.torproject.org/blog/tor-browser-55a4-hardened-released

#9 Updated by cypherpunks 2016-11-18 11:30:26

Please do not build Tor Browser with Address Sanitizer. It is not intended for use in production, and can open up additional security holes (for example, http://www.openwall.com/lists/oss-security/2016/02/17/9, though Firefox is not setuid, so this just provides an example of ASan’s poor security record), and actually disables other extant mitigations when it is in use. Apparently, the hardened builds of Tor Browser are intended for debugging and for finding serious bugs, not for security, which seems very misleading. It’s not just not designed for security, but it does not actually stop common exploits. A writeup at https://scarybeastsecurity.blogspot.se/2014/09/using-asan-as-protection.html concludes that it only provides significant protection against simple linear buffer overflows (which Selfrando already protects against), and is fooled by all the other listed bugs.

In #tor-dev, GeKo (a Tor Browser developer) agrees that it is not meant to be used in production, and should not be used by people who do not understand the tradeoffs.

< ryonaloli> does the hardened browser still use ASan?
< ryonaloli> or has it been dropped yet?
< GeKo> ryonaloli: it's still using ASan
< ryonaloli> are there any arguments for removing it? ASan is not intended for use in production.
< GeKo> the hardened builds are a means of helping us to find critical bugs
< GeKo> they are not necessarily meant for use in production
< GeKo> which is why ASan never will appear in the stable series
< ryonaloli> GeKo: it sounds like it's misleading users then, as most people who use it are under the impression that it is a slow but secure version of tor browser.
< GeKo> that might well be so, yes

And in #grsecurity, strcat (creator of Copperhead) agrees that it is not meant for hardening and should not be used in production.

< ryonaloli> strcat: asan is not a good hardening technique in production, right?
< strcat> ryonaloli: it's not meant for hardening
< strcat> could make something similar for that purpose but it isn't that
< strcat> I thought they already dropped asan
< ryonaloli> strcat: apparently they still are using asan.
< strcat> why don't they invest some of their huge funding into making a production quality bounds checker
< ryonaloli> well i just asked them and they said it was a version of tor browser intended to help them find critical bugs.
< ryonaloli> and not intended for use in production so...
< strcat> uh they call it hardened tho
< strcat> it doesn't provide full memory safety and it's a debugging oriented tool with a complex runtime that compromises lots of other mitigations
< strcat> so you're trading off these other mitigations working for something that is incomplete and apparently quite poorly understood by people deploying it
< strcat> there are attempts to provide memory safety for C with compile-time + runtime instrumentation, ASan is not one of them
< strcat> ASan is a debugging tool, to detect/report a subset of memory corruption issues
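
To make concrete why the writeup cited above rates ASan as useful only against simple linear overflows, here is an added illustration in plain C. It is not code from Tails, Tor Browser, or the AddressSanitizer project; it is a toy model of the redzone/shadow-memory check ASan performs, with a constructed heap layout (two 32-byte objects, each followed by a 16-byte redzone, 8-byte shadow granularity). It shows that a byte-by-byte overrun is stopped at the first redzone byte, while a single out-of-bounds write whose index already lies inside the neighbouring object passes the same check unnoticed, because the shadow bytes there are marked addressable. Nothing here requires compiling with `-fsanitize=address`; the sanitizer's logic is only emulated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of ASan's shadow-memory redzone check (added example, not
   ASan's own code). Sizes are constructed for illustration: real ASan
   uses 8-byte shadow granularity and a minimum 16-byte redzone, but
   exact redzone sizes vary with allocation size. */

#define OBJ_SIZE 32
#define REDZONE 16
#define SLOT (OBJ_SIZE + REDZONE)     /* one object plus its trailing redzone */
#define HEAP_SIZE (2 * SLOT)          /* object A, redzone, object B, redzone */

/* One shadow byte per 8 bytes of heap: 0 = addressable, nonzero = poisoned. */
static uint8_t heap[HEAP_SIZE];
static uint8_t shadow[HEAP_SIZE / 8];

/* Mark the redzone after each object as poisoned, leaving objects addressable. */
static void poison_layout(void) {
    memset(heap, 0, sizeof heap);
    memset(shadow, 0, sizeof shadow);
    for (int slot = 0; slot < 2; slot++) {
        size_t rz_start = (size_t)slot * SLOT + OBJ_SIZE;
        for (size_t off = rz_start; off < rz_start + REDZONE; off += 8)
            shadow[off / 8] = 0xfa;   /* heap redzone marker value, as ASan uses */
    }
}

/* The instrumented store: consult the shadow byte before writing.
   Returns true if the write is allowed, false if it would be reported. */
static bool checked_write(size_t offset, uint8_t value) {
    if (offset >= HEAP_SIZE)
        return false;                 /* outside the modelled heap entirely */
    if (shadow[offset / 8] != 0) {
        printf("ASan-style report: write at heap+%zu hits a redzone\n", offset);
        return false;
    }
    heap[offset] = value;
    return true;
}

/* Linear overflow: write attempt_len bytes starting at object A, one byte at
   a time. Returns how many bytes land before the redzone check fires. */
size_t linear_overflow_bytes_written(size_t attempt_len) {
    poison_layout();
    size_t written = 0;
    for (size_t i = 0; i < attempt_len; i++) {
        if (!checked_write(i, 0x41))
            break;
        written++;
    }
    return written;
}

/* Non-linear out-of-bounds: a single write at an index relative to object A.
   Returns true when the write goes through silently, i.e. the index skipped
   over the redzone into addressable memory (object B). */
bool indexed_write_is_silent(size_t index) {
    poison_layout();
    return checked_write(index, 0x42);
}

int main(void) {
    printf("linear overrun of 40 bytes from A: %zu bytes written before detection\n",
           linear_overflow_bytes_written(40));
    printf("single write at A+%d (inside redzone): %s\n", OBJ_SIZE + 8,
           indexed_write_is_silent(OBJ_SIZE + 8) ? "silent" : "detected");
    printf("single write at A+%d (inside object B): %s\n", SLOT + 4,
           indexed_write_is_silent(SLOT + 4) ? "silent" : "detected");
    return 0;
}
```

The first call shows the case ASan handles well: the overrun is stopped exactly at byte 32, the first byte of A's redzone. The third call is the case the blog post describes as fooling it: an index that lands inside object B is indistinguishable, to the shadow check, from a legitimate access to B, so the corruption is silent. This is why the tool finds bugs in testing but does not serve as an exploit mitigation in production.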

#10 Updated by intrigeri 2017-01-27 09:38:58

#11 Updated by Anonymous 2017-06-29 10:11:23

  • Status changed from In Progress to Rejected

Looks like this is not relevant anymore, closing.