[tor-bugs] #10065 [Tor bundles/installation]: Improve Hardening for TBB3.0
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Mar 12 18:59:59 UTC 2014
#10065: Improve Hardening for TBB3.0
-------------------------------------+-------------------------------------
Reporter: mikeperry | Owner: erinn
Type: defect | Status: accepted
Priority: major | Milestone:
Component: Tor bundles/installation | Version:
Resolution: | Keywords: tbb-3.0, gitian, tbb-security
Actual Points: | Parent ID:
Points: |
-------------------------------------+-------------------------------------
Comment (by erinn):
I have a gross monolithic branch in user/erinn/tor-browser-bundle.git
called windows-hardening-monolithic:
https://gitweb.torproject.org/user/erinn/tor-browser-bundle.git/shortlog/refs/heads/windows-hardening-monolithic
I will break it up further before I ask for any real merging, but I wanted
to link it here because I won't be able to get to that before Monday and
thought people should have a chance to look it over or at least test it if
they felt like doing so. This enables DEP/ASLR and SSP on all binaries and
DLLs we build. I also built a new libssp and am shipping the bundle with
that instead of the MinGW one we were using before.
Issues:
1. None of the PT stuff is hardened at all. Is this a blocker for getting
it into a beta?
2. skruffy's got two patches in here: one for binutils that creates a
proper reloc section so we can have working ASLR, and one for gcc that
prevents the use of /dev/urandom on Windows. nickm and zwol have reviewed
the gcc (SSP) patch and deemed it okay, but both said someone with more
binutils knowledge needs to check the ld patch. For reference they are
here:
gcc/ssp: https://gitweb.torproject.org/user/erinn/tor-browser-bundle.git/blob/17425dec3a13de51b717efeb8bdde1a4460d31fa:/gitian/patches/windows-crypto.patch
https://gitweb.torproject.org/user/erinn/tor-browser-bundle.git/blob/17425dec3a13de51b717efeb8bdde1a4460d31fa:/gitian/patches/enable-reloc-section-ld.patch
(And yes, I am aware they don't have descriptions in the patches. I'm
going to fix that when I figure out good descriptions. :))
A test bundle is here: http://lucio.erinn.org/~helix/torbrowser-install-3.6-beta-1_en-US.exe
a198037a157b1f29e80d3920ad964b590e4f57b44f93fcd3a1aba98fa2915c60
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10065#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
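
For anyone testing a bundle like the one linked in the comment above, one way to check the DEP/ASLR claim is to read the PE headers of each EXE and DLL. This is an added example, not code from the ticket or the branch. The function names and the sample header builder are assumptions made for illustration. It reports the ASLR flag separately from the presence of a relocation directory, since the comment ties working ASLR to a proper reloc section.

```python
import struct

DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in)
NX_COMPAT = 0x0100        # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP opt-in)
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED in COFF Characteristics
RELOC_DIR = 5             # IMAGE_DIRECTORY_ENTRY_BASERELOC

def pe_hardening(data):
    """Report DEP/ASLR status from the headers of a PE image (bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe_off + 4
    opt_size, file_chars = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dirs = 96 if magic == 0x10B else 112     # data directory offset in header
    (n_dirs,) = struct.unpack_from("<I", data, opt + dirs - 4)
    reloc_size = 0
    if n_dirs > RELOC_DIR and opt_size >= dirs + 8 * (RELOC_DIR + 1):
        _rva, reloc_size = struct.unpack_from("<II", data, opt + dirs + 8 * RELOC_DIR)
    # The loader can only rebase an image that still carries relocations, so
    # the DYNAMIC_BASE flag without a .reloc directory gives no ASLR.
    has_relocs = reloc_size > 0 and not file_chars & RELOCS_STRIPPED
    aslr_flag = bool(dll_chars & DYNAMIC_BASE)
    return {"dep": bool(dll_chars & NX_COMPAT), "aslr_flag": aslr_flag,
            "has_relocs": has_relocs, "aslr_effective": aslr_flag and has_relocs}

def sample_pe32(file_chars, dll_chars, reloc_size):
    """Constructed header-only PE32 image for the demo, not a real binary."""
    opt = bytearray(224)                     # 96 fixed bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * RELOC_DIR, 0x5000 if reloc_size else 0, reloc_size)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), file_chars)
    return b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(pe_hardening(sample_pe32(0x0001, 0x0140, 0)))      # flag set, relocs stripped
    print(pe_hardening(sample_pe32(0x0000, 0x0140, 0x200)))  # flag set, relocs present
```

To check a real file, pass `open(path, "rb").read()` to `pe_hardening`. The SSP part of the change is not covered by this check.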