[tor-bugs] #21010 [Applications/Tor Browser Sandbox]: Disable RDTSC/RDTSCP to limit side-channel attacks
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Dec 17 09:03:50 UTC 2016
#21010: Disable RDTSC/RDTSCP to limit side-channel attacks
----------------------------------------------+-------------------------
Reporter: cypherpunks | Owner: yawning
Type: enhancement | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser Sandbox | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
----------------------------------------------+-------------------------
Comment (by cypherpunks):
Unfortunately, due to Firefox's use of jemalloc3, its own ASLR is much
weaker than it should be, making it very vulnerable to local and remote
infoleaks without the use of timing attacks. I don't know if this is
something that jemalloc4 will fix, but PartitionAlloc (Chromium's malloc)
and ptmalloc3 (glibc's malloc) do not have this problem.
Am I misunderstanding the browser sandbox's threat model? If an attacker
manages to execute timestamp counter instructions, they either have full
code execution, or a successful ROP chain (with Firefox, it'd surely be
turing complete). At that point, they don't need to break Firefox's ASLR.
It doesn't matter if they discover the offsets of other process' ASLR
offsets, because the sandbox should prevent them from sending over
shellcode, right? Getting the offsets of long-running daemons for later
exploitation after compromising a second process doesn't seem like an
issue either, because an attacker could just break ASLR from there. And
kASLR is already so badly broken that protecting it by disabling TSC-
related instructions is a waste, considering an attacker would just use
`TSX` instead, as it fully defeats kASLR, 32 bit ASLR, and makes 64 bit
ASLR more feasible to brute force.
Is there a reason that timing attacks against ASLR is the primary issue in
the Tor Browser Sandbox's threat model, rather than any other number of
attacks made possible by `RDTSC` and `RDTSCP`?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21010#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list