[tor-dev] Mbox sandbox
Nicolas Vigier
boklm at mars-attacks.org
Mon May 26 21:05:39 UTC 2014
On Fri, 16 May 2014, isis wrote:
> Nicolas Vigier transcribed 2.6K bytes:
> >
> > - Looked at Mbox[2]: a sandboxing tool based on ptrace and seccomp/BPF.
> > This can be used in the test suite to get the list of files modified
> > by the browser after running a test, to check that it did not create
> > or modify files in unexpected places. This can also be used to log
> > all network connections, to check that everything goes through tor.
> > I was previously thinking about doing that using Docker, but now it
> > seems more simple with Mbox.
>
> Mbox is neat! It looks like it's git based, right? Or at least includes some
> sort of CVS system. Either way, great idea, testing for connections not
> matching " -> 127.0.0.1" should be easy. :)
>
> > [2]: http://pdos.csail.mit.edu/mbox/
Yes, it's nice! It's not git or CVS based. But it stores all new and
modified files in a separate directory, doing copy-on-write when opening
files with write permissions, by hijacking arguments of system calls
which access files. And after running the program, asks you which copy
of the files you want to keep (or you can manually copy the files from
the sandbox directory). It can also be used to log in a file all network
connections opened.
Initially the filesystem sandboxing part didn't work with Tor Browser
because of some bugs in Mbox, but it's now fixed so we'll be able to use
it in the TBB test suite to monitor the files modified, created and
removed by Tor Browser, and network connections made.
Yesterday I also made a patch that allows filtering which connections
can be made:
https://github.com/tsgates/mbox/commit/6dd0e49202795564e627e9eeba664fc685b14bb7
It could be used for instance to make sure a program will not connect
anywhere without using tor.
This can be done like this:
$ cat tor.profile
[fs]
direct: /
[network]
block: 0.0.0.0
allow: 127.0.0.1:9050
$ mbox -p ./tor.profile -- curl -I http://www.google.com/
curl: (6) Could not resolve host: www.google.com
$ mbox -p ./tor.profile -- curl --socks5-hostname 127.0.0.1:9050 -I http://www.google.com/
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: http://www.google.co.in/?gfe_rd=cr&ei=GoiDU-76DcSU-wbdy4HgDg
Content-Length: 261
Date: Mon, 26 May 2014 18:29:46 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic
$ mbox -o /dev/null -p ./tor.profile -- nmap localhost
Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-26 20:32 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0022s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
9050/tcp open tor-socks
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
$ nmap localhost
Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-26 20:32 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00048s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp
9050/tcp open tor-socks
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
It's also possible to kill a process which does unallowed connections,
rather than just blocking those connections:
$ cat tor.profile
[fs]
direct: /
[network]
kill: 0.0.0.0
allow: 127.0.0.1:9050
$ mbox -o /dev/null -p ./tor.profile -- nmap localhost
Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-26 20:37 CEST
Stop executing pid=5298: Connect to 127.0.0.1 port 80
However, a warning if some people want to use this: it's still alpha
quality software, so probably not a good idea to use it for something
where security is important without more review.
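A small reference evaluator for the [network] profile semantics shown in the two runs above, added here as an example; it is neither Mbox's own code nor anything from the post. It assumes that 0.0.0.0 is the catch-all, that a host given without a port matches every port, that the most specific matching rule wins (which is what the block/allow pair above relies on), that a connection no rule matches is allowed, and IPv4 only. The connection trace is constructed to resemble the nmap run, not real `mbox -o` output.

```python
"""Reference evaluator for the [network] section of an Mbox profile.

Added example, not part of Mbox or of the mailing-list post. The matching
rules below are assumptions modelled on the runs shown in the mail:
0.0.0.0 is a catch-all, a host without a port matches every port, the most
specific matching rule wins, no matching rule means allow, IPv4 only.
"""
import ipaddress

# Constructed copies of the two profiles from the mail, used as sample input.
BLOCK_PROFILE = """\
[fs]
direct: /
[network]
block: 0.0.0.0
allow: 127.0.0.1:9050
"""

KILL_PROFILE = BLOCK_PROFILE.replace("block:", "kill:")

ACTIONS = ("allow", "block", "kill")


def parse_profile(text):
    """Parse the INI-like profile into {section: [(key, value), ...]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or ":" not in line:
            raise ValueError("malformed profile line: %r" % raw)
        key, value = line.split(":", 1)
        sections[current].append((key.strip(), value.strip()))
    return sections


def parse_endpoint(spec):
    """'127.0.0.1:9050' -> (127.0.0.1/32, 9050); '0.0.0.0' -> (0.0.0.0/0, None).

    Assumption: bare 0.0.0.0 is the catch-all, a missing port means any port.
    """
    host, sep, port = spec.rpartition(":")
    if not sep:
        host, port = spec, None
    if host == "0.0.0.0":
        net = ipaddress.ip_network("0.0.0.0/0")
    else:
        net = ipaddress.ip_network(host, strict=False)
    return net, (int(port) if port else None)


def network_rules(profile_text):
    """Return [(action, network, port_or_None), ...] from the [network] section."""
    rules = []
    for key, value in parse_profile(profile_text).get("network", []):
        if key not in ACTIONS:
            raise ValueError("unknown [network] action: %s" % key)
        net, port = parse_endpoint(value)
        rules.append((key, net, port))
    return rules


def verdict(rules, host, port):
    """Most specific matching rule wins (longer prefix, then explicit port).

    Assumption: with no matching rule the connection is allowed.
    """
    addr = ipaddress.ip_address(host)
    best = None  # (specificity, action)
    for action, net, rule_port in rules:
        if addr not in net:
            continue
        if rule_port is not None and rule_port != port:
            continue
        specificity = net.prefixlen + (1000 if rule_port is not None else 0)
        if best is None or specificity > best[0]:
            best = (specificity, action)
    return best[1] if best else "allow"


def audit(profile_text, connections):
    """Evaluate a (host, port) connect() trace against the profile.

    Returns [(host, port, verdict), ...] and stops at the first 'kill',
    since the sandboxed process would have been terminated at that point.
    """
    rules = network_rules(profile_text)
    out = []
    for host, port in connections:
        v = verdict(rules, host, port)
        out.append((host, port, v))
        if v == "kill":
            break
    return out


# Constructed trace (not real Mbox output): a SOCKS connection to tor
# followed by the first two ports a local port scan would try.
SCAN_TRACE = [("127.0.0.1", 9050), ("127.0.0.1", 25), ("127.0.0.1", 80)]

if __name__ == "__main__":
    for name, prof in (("block", BLOCK_PROFILE), ("kill", KILL_PROFILE)):
        print(name, audit(prof, SCAN_TRACE))
```

In a test suite the same function can be run over the connection trace of a whole browser session to assert that the only endpoint ever reached is 127.0.0.1:9050. The curl output above also shows that the catch-all rule stops name resolution, which is why the second run passes `--socks5-hostname` so the hostname is resolved through tor rather than by a blocked DNS lookup.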