[tbb-bugs] #23024 [Applications/Tor Browser]: Flags to increase hardening on Windows
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Sep 16 16:38:54 UTC 2019
#23024: Flags to increase hardening on Windows
-------------------------------------------+-------------------------------
Reporter: arthuredelstein | Owner: tbb-team
Type: defect | Status: needs_revision
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: TorBrowserTeam201711, tbb-rbm | Actual Points:
Parent ID: #21448 | Points:
Reviewer: | Sponsor:
-------------------------------------------+-------------------------------
Comment (by tom):
Replying to [comment:13 cypherpunks]:
> What about `--icf=all` automatically? https://github.com/llvm/llvm-project/blob/d0f63f83e7c5c6fc11e964f848d1496234695182/lld/MinGW/Driver.cpp#L265
Haven't heard of it; but https://clang.llvm.org/docs/UsersManual.html says
that the arguments needed for ICF to work (-faddrsig) are ELF only...
> > --forceinteg - not applicable to clang/lld
> What do you mean? Just disabled by default: https://github.com/llvm/llvm-project/blob/ee6fbebbaff5af0a0fbe58a0e33ef191340223ea/lld/COFF/Driver.cpp#L1507
Ahhah; I was wrong. So it looks like this sets
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY which requires a file be signed
before it's loaded.
Frankly it seems kind of useless to me, an attacker who can modify the dll
would invalidate the signature; but they could just strip the signature
and then unset the flag. But if it cost nothing, I'd say sure, flip it: but
I'm not sure which Tor Browser releases we Authenticode sign; which this
would require.
> > --no-seh - set by lld automatically https://reviews.llvm.org/D41252 (but this would be good to confirm manually)
> What about `--safeseh` automatically? https://github.com/llvm/llvm-project/blob/ee6fbebbaff5af0a0fbe58a0e33ef191340223ea/lld/COFF/Driver.cpp#L1617
Oh good catch: on by default except for MinGW. We should investigate why
that is and if we can enable it.
> > --tsaware - I'm not sure but I really hope that this is completely unneeded by now.
> Because it is enabled and should be enabled by default, you mean? https://github.com/llvm/llvm-project/blob/ee6fbebbaff5af0a0fbe58a0e33ef191340223ea/lld/COFF/Driver.cpp#L1513
https://docs.microsoft.com/en-us/cpp/build/reference/tsaware-create-terminal-server-aware-application?view=vs-2019
"When an application is not
Terminal Server aware (also known as a legacy application), Terminal
Server makes certain modifications to the legacy application to make it
work properly in a multiuser environment. For example, Terminal Server
will create a virtual Windows folder, such that each user gets a Windows
folder instead of getting the system's Windows directory. This gives users
access to their own INI files. In addition, Terminal Server makes some
adjustments to the registry for a legacy application. These modifications
slow the loading of the legacy application on Terminal Server."
I had hoped that all this nonsense was not needed/performed in Windows 10
or at least the compiler set the flag automatically. The code makes it
seem like it does not; but I can't find the flag in Firefox's code, which
implies that it would not be setting it either...
More investigation needed, specifically what Firefox sets and if this has
any effect on Windows 7+
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23024#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
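
An added example, not part of the ticket or of Tor Browser's build scripts: one way to do the manual confirmation discussed above, by reading the DllCharacteristics field of a built PE file and reporting the bits that correspond to --forceinteg, --no-seh and --tsaware. The function names and the header-only sample bytes are constructed for illustration.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification,
# limited to the three linker flags discussed in the comment above.
FLAGS = {
    "FORCE_INTEGRITY": 0x0080,        # --forceinteg
    "NO_SEH": 0x0400,                 # --no-seh
    "TERMINAL_SERVER_AWARE": 0x8000,  # --tsaware
}

def dll_characteristics(image: bytes) -> int:
    """Return the raw DllCharacteristics field of a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24  # 4-byte signature + 20-byte COFF file header
    if len(image) < opt + 72:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # The field sits at offset 70 in both PE32 and PE32+ optional headers.
    (value,) = struct.unpack_from("<H", image, opt + 70)
    return value

def report(image: bytes) -> dict:
    """Map each flag name to whether its bit is set in the image."""
    value = dll_characteristics(image)
    return {name: bool(value & bit) for name, bit in FLAGS.items()}

def make_sample(flags: int, pe_off: int = 0x80) -> bytes:
    """Constructed header-only PE32+ stub for the demo; not a loadable binary."""
    buf = bytearray(pe_off + 24 + 72)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, pe_off + 24, 0x20B)
    struct.pack_into("<H", buf, pe_off + 24 + 70, flags)
    return bytes(buf)

if __name__ == "__main__":
    # Pass a path to a built .exe/.dll, or run without arguments for the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample(0x8400)
    for name, is_set in report(data).items():
        print(f"{name:24} {'set' if is_set else 'clear'}")
```
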