[tor-bugs] #12418 [Applications/Tor Browser]: TBBs with UBSan create lots of errors when running
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jul 10 04:41:52 UTC 2017
#12418: TBBs with UBSan create lots of errors when running
----------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: assigned
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-security, tbb-hardened | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
----------------------------------------+--------------------------
Comment (by cypherpunks):
Replying to [comment:11 tom]:
> Replying to [comment:10 cypherpunks]:
> > Has anyone started working on at least instrumenting individual FF
> > components, as suggested above?
>
> Kind of. Mozilla spent a considerable amount of person-time playing with
> UBSAN.
Wow! I had no idea so much work has already been put into this task! This
will be very helpful.
> The conclusion was that some tests are valuable and should be used
> (bounds, pointer-overflow, vptr although this requires RTTI).
>
> But that others (signed and unsigned overflow) caused a gratuitous
> amount of false positives (largely in the graphics and layout areas but in
> general all over the place) and it's infeasible to whitelist them all. We
> had someone spend a month on this and using his whitelist we brought the
> number of reports down from the hundreds of thousands down to the mere
> thousands - but even then it was with a ton of effort and had a ton of
> effort to go.
Unfortunately, those are some of the most important types of UB that must
be prevented. An alternative (mutually exclusive due to incompatibilities
with internal symbol names, or something of that sort), if suitable
manpower is present, is to instrument important parts of FF with the PaX
Size Overflow plugin (see
https://forums.grsecurity.net/viewtopic.php?f=7&t=3043). It provides
better protection than UBSAN for this specific issue.
> So I think the path forward is to turn on UBSAN on the whole browser,
> run it through something like the web platform tests or Mozilla's usual
> unit tests, and slowly increase the number of UBSAN tests one by one. When
> we hit one that causes too many false positives, we turn it back off and
> investigate turning it on for an individual component (like image
> decoders.)
I had assumed that the amount of UB would be so great that it would be
infeasible to do this in any reasonable amount of time. I still feel like
instrumenting individual components of the browser would be easier.
> Also I would suggest the path forward for this is in Mozilla's court,
> rather than Tor's. Not that Tor has to wait for Mozilla, only that making
> use of Mozilla's infrastructure will make it considerably easier. Tor devs
> have access to that, and if any cypherpunks want access, I think the only
> thing needed is a few contributions* that I can point to and say "This
> person is doing good work, let's give them access to run their tests on
> our task runner".
I tend to avoid Mozilla's ticket system due to their excessively
bureaucratic nature, and their tendency to put security as a low priority.
All my Firefox-related contributions have been made here (though
admittedly I have made more contributions for Tor itself, and relatively
few for Firefox).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12418#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
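The comment above contrasts UBSan checks that are worth enabling (bounds, pointer-overflow, vptr) with the integer-overflow checks that drown the build in reports that need a whitelist. The following C program is an added illustration, not code from the ticket, from Tor Browser or from Mozilla: a function whose unsigned wraparound is intentional (the kind of site -fsanitize=unsigned-integer-overflow flags as a false positive) is exempted per function with clang's no_sanitize attribute, while the arithmetic that must not wrap is checked explicitly so the signed-overflow check never fires. The compile line, the hash function and the helper names are assumptions for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Assumed build line (clang; the check list mirrors the ones discussed in
 * the ticket, minus vptr, which is C++-only and needs RTTI):
 *
 *   clang -O1 -g -fsanitize=bounds,pointer-overflow,signed-integer-overflow,unsigned-integer-overflow \
 *         -fno-sanitize-recover=all ubsan_demo.c -o ubsan_demo
 *
 * Without -fsanitize the program behaves identically; the attributes and
 * checks below just never get a runtime to report to.
 */

/* Per-function whitelist for the check that produces the false positives.
 * clang accepts no_sanitize("<check>"); the same entry can instead live in a
 * file passed with -fsanitize-blacklist=file (newer clang: -fsanitize-ignorelist)
 * as "fun:fnv1a_hash" or, per directory, "src:gfx/*". GCC is given no attribute. */
#if defined(__clang__)
#  define NO_UNSIGNED_OVERFLOW_CHECK __attribute__((no_sanitize("unsigned-integer-overflow")))
#else
#  define NO_UNSIGNED_OVERFLOW_CHECK
#endif

/* FNV-1a 32-bit hash: the multiply is *meant* to wrap modulo 2^32, which is
 * well-defined C for unsigned types. With -fsanitize=unsigned-integer-overflow
 * every byte hashed would be reported; this is the whitelisting case. */
NO_UNSIGNED_OVERFLOW_CHECK
uint32_t fnv1a_hash(const char *s)
{
    uint32_t h = 2166136261u;            /* FNV offset basis */
    for (; *s; s++) {
        h ^= (uint8_t)*s;
        h *= 16777619u;                  /* FNV prime; wraps intentionally */
    }
    return h;
}

/* Signed overflow really is undefined behaviour, so here the check stays on
 * and the code is written so it cannot trip: __builtin_add_overflow reports
 * the overflow instead of performing it. Returns true on success. */
bool checked_add_int(int a, int b, int *out)
{
    return !__builtin_add_overflow(a, b, out);
}

/* -fsanitize=bounds instruments indexing into arrays whose size the compiler
 * can see. Keeping the index in range means the report never fires and the
 * caller gets a sentinel instead of an out-of-bounds read. */
int lookup_flag(size_t i)
{
    static const int flags[4] = {1, 2, 4, 8};
    if (i >= sizeof flags / sizeof flags[0])
        return -1;
    return flags[i];
}

int main(void)
{
    int sum;
    printf("fnv1a(\"a\") = 0x%08x\n", fnv1a_hash("a"));
    printf("2 + 3 ok: %d (sum %d)\n", checked_add_int(2, 3, &sum), sum);
    printf("INT_MAX + 1 ok: %d\n", checked_add_int(INT_MAX, 1, &sum));
    printf("flag[3] = %d, flag[4] = %d\n", lookup_flag(3), lookup_flag(4));
    return 0;
}
```

Built with the sanitizer flags, this binary runs clean; deleting the NO_UNSIGNED_OVERFLOW_CHECK line makes the first printf report an unsigned-integer-overflow in fnv1a_hash, which is exactly the class of report the thread says had to be whitelisted by the thousand.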