Opened 4 years ago

Last modified 3 months ago

#12427 new task

Investigate Virtual Table Verification (VTV) hardening for Tor Browser on Linux and Windows

Reported by: gk Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Major Keywords: tbb-security
Cc: tom@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by gk)

VTV (see: https://gcc.gnu.org/wiki/vtv) is a hardening feature introduced in GCC 4.9.0 which might be usable for our Tor Browser builds for Linux and Windows as we are using GCC for (cross-)compiling. We should investigate that and fix possible roadblocks.

Child Tickets

Attachments (1)

precise_vtv_crash.log (14.8 KB) - added by gk 3 years ago.
Old crash log


Change History (17)

comment:1 Changed 4 years ago by gk

Summary: Investigate Virtual Table Verification(VTV) hardening for Tor Browser on Windows → Investigate Virtual Table Verification (VTV) hardening for Tor Browser on Windows

comment:2 Changed 3 years ago by erinn

Keywords: needs-triage added

comment:3 Changed 3 years ago by gk

Keywords: TorbrowserTeam201407 added; needs-triage removed

Moving the VTV related discussion found in #10599 to this more specific bug.

Changed 3 years ago by gk

Attachment: precise_vtv_crash.log added

Old crash log

comment:4 Changed 3 years ago by gk

Current state of the art (comment:37:ticket:10599):
"
I uploaded a working build with ASan, UBSan and VTV to https://people.torproject.org/~gk/testbuilds/asan/20140620/.

They are currently compiled with "-fvtable-verify=std". "-fvtable-verify=preinit" does not work with ld but using gold seems to be fine. I'll add that piece in the next iteration of these builds. In order to avoid the browser exiting on VTV errors the compiler is built with -DVTV_NO_ABORT.
"

comment:5 Changed 3 years ago by gk

Okay. I tried to debug the VTV issues with Firefox in order to get enough information to file a Mozilla bug. Here is the short story: With the invaluable help of Caroline Tice (thanks again!) I managed to get/do the following:

1) Compile a GCC 4.9.0 with the option to debug VTV issues (see: https://docs.google.com/document/d/1wN-uygC0hicLe1dyAGCvtn_tJhnwFer0Nsy56b84doY/pub). This means using something like:

make -j4 CFLAGS_FOR_TARGET="-g -O0" CXXFLAGS_FOR_TARGET="-g -O0" all

when compiling GCC.
2) Compile a Firefox with VTV support. That means atm adding

export CXXFLAGS="-fvtable-verify=std -rdynamic -Wl,-z,relro -m64 -Wl,-R,/path/to/your/debug_gcc/lib64"

to the .mozconfig file
3) Go to /dist/bin in your objdir and start gdb with

gdb firefox

NOTE: The GDB in Ubuntu Precise is buggy and won't help you (which took us quite a while to realize). Not sure which version is good, 7.7.1 worked for me at least.
4) Set a breakpoint

(gdb) b __vtv_verify_fail

Function "__vtv_verify_fail" not defined.

Make breakpoint pending on future shared library load? (y or [n]) y

Breakpoint 1 (__vtv_verify_fail) pending.

(gdb)

5) Run firefox

(gdb) run --help

6) Try to find out what's wrong and you'll get something like

(gdb) up
#1  0x00007ffff7ff1f2c in __VLTVerifyVtablePointer (
    set_handle_ptr=0x7ffff6bcd6e8 <_VTV<xpcIJSGetFactory>::__vtable_map>, 
    vtable_ptr=0x7ffff68d06d0 <vtable for nsXPTCStubBase+16>)
    at ../../../libvtv/vtv_rts.cc:1351
1351	      __vtv_verify_fail ((void **) handle_ptr, vtable_ptr);
(gdb) x/x vtable_ptr
0x7ffff68d06d0 <_ZTV14nsXPTCStubBase+16>:	0xf18eca8c
(gdb) x/x set_handle_ptr
0x7ffff6bcd6e8 <_ZN4_VTVI16xpcIJSGetFactoryE12__vtable_mapE>:	0x00000000

7) Make a backtrace which should give you something like

#0  0x00007ffff7ff0380 in __vtv_verify_fail(void**, void const*)@plt ()
   from /home/gk/asan/gcc-4.9.0debug/usr/local/lib64/libvtv.so.0
#1  0x00007ffff7ff1f2c in __VLTVerifyVtablePointer (
    set_handle_ptr=0x7ffff58c2c50 <_VTV<xpcIJSGetFactory>::__vtable_map>, 
    vtable_ptr=0x7ffff52fa890 <vtable for nsXPTCStubBase+16>)
    at ../../../libvtv/vtv_rts.cc:1351
#2  0x00007fffeea019a6 in mozJSComponentLoader::ModuleEntry::GetFactory (
    module=..., entry=...)
    at /home/gk/asan/mozilla-central/js/xpconnect/loader/mozJSComponentLoader.cpp:1440
#3  0x00007fffee101e4d in nsFactoryEntry::GetFactory (this=0x7fffe5d77340)
    at /home/gk/asan/mozilla-central/xpcom/components/nsComponentManager.cpp:1786
#4  0x00007fffee100362 in nsComponentManagerImpl::CreateInstanceByContractID (
    this=0x7ffff6e9a360, 
    aContractID=0x7fffe2dfe760 "@mozilla.org/browser/webide-clh;1", aDelegate=0x0, 
    aIID=..., aResult=0x7fffffffcb20)
    at /home/gk/asan/mozilla-central/xpcom/components/nsComponentManager.cpp:1080
#5  0x00007fffee100e46 in nsComponentManagerImpl::GetServiceByContractID (
    this=0x7ffff6e9a360, 
    aContractID=0x7fffe2dfe760 "@mozilla.org/browser/webide-clh;1", aIID=..., 
    result=0x7fffffffcc58)
    at /home/gk/asan/mozilla-central/xpcom/components/nsComponentManager.cpp:1440
#6  0x00007fffee1438e0 in CallGetService (
    aContractID=0x7fffe2dfe760 "@mozilla.org/browser/webide-clh;1", aIID=..., 
    aResult=0x7fffffffcc58)
    at /home/gk/asan/mozilla-central/xpcom/glue/nsComponentManagerUtils.cpp:69

8) Check what vtable and class were verified after exiting gdb and you'll get something like

c++filt _ZTV14nsXPTCStubBase
vtable for nsXPTCStubBase

c++filt _ZN4_VTVI16xpcIJSGetFactoryE12__vtable_mapE
_VTV<xpcIJSGetFactory>::__vtable_map

9) Start glaring at mozJSComponentLoader.cpp and friends.
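
What the breakpoint in step 4 is actually catching, modelled as an added example (this is not libvtv and not Firefox code; the names VtableSet, register_vtable, verify_vptr, run_demo and the Factory/Unrelated classes are hypothetical stand-ins, and reading the vptr as the first word of the object is Itanium C++ ABI behaviour on GCC/Clang, not portable C++): -fvtable-verify keeps one set of permitted vtable pointers per static type and, before each virtual call, checks that the object's vptr is in the set for the pointer's static type. The gdb output above is exactly that check failing: vtable_ptr is nsXPTCStubBase's vtable, set_handle_ptr is the set for xpcIJSGetFactory.

```cpp
// Added example (not libvtv, not Firefox code): a hand-rolled model of what
// GCC's -fvtable-verify inserts before every virtual call. All names below
// (VtableSet, register_vtable, verify_vptr, run_demo, the Factory classes)
// are hypothetical stand-ins chosen for this illustration.
#include <cstdio>
#include <cstring>
#include <map>
#include <set>
#include <typeindex>
#include <typeinfo>

// Itanium C++ ABI (GCC/Clang on Linux): the vptr is the first word of a
// polymorphic object. Reading it this way is ABI-specific, not portable C++.
static const void* read_vptr(const void* obj) {
    const void* vptr = nullptr;
    std::memcpy(&vptr, obj, sizeof vptr);
    return vptr;
}

// One set of permitted vtable pointers per static type: the analogue of the
// _VTV<xpcIJSGetFactory>::__vtable_map symbol in the gdb session above.
using VtableSet = std::set<const void*>;
static std::map<std::type_index, VtableSet> g_vtable_maps;

// The compiler emits one such registration per (base, derived) pair at
// start-up, so that a Static* may legitimately point at any derived object.
template <class Static>
static void register_vtable(const Static& derived_obj) {
    g_vtable_maps[std::type_index(typeid(Static))].insert(read_vptr(&derived_obj));
}

// The analogue of __VLTVerifyVtablePointer(set_handle_ptr, vtable_ptr):
// true if the object's vptr is in the set for the pointer's static type.
// libvtv calls __vtv_verify_fail otherwise, which aborts unless libvtv was
// built with -DVTV_NO_ABORT (the workaround used in comment:4), in which case
// it logs the failure and lets execution continue.
template <class Static>
static bool verify_vptr(const Static* obj) {
    auto it = g_vtable_maps.find(std::type_index(typeid(Static)));
    return it != g_vtable_maps.end() && it->second.count(read_vptr(obj)) != 0;
}

// Constructed stand-ins for an XPCOM-style factory interface.
struct Factory {
    virtual ~Factory() {}
    virtual int create() const = 0;
};
struct GoodFactory : Factory { int create() const override { return 1; } };
struct OtherFactory : Factory { int create() const override { return 2; } };
// A polymorphic class from a different hierarchy, playing the role that
// nsXPTCStubBase's vtable plays against xpcIJSGetFactory's set above.
struct Unrelated {
    virtual ~Unrelated() {}
    virtual int unrelated() const { return 99; }
};

struct DemoResult {
    bool good_ok;       // registered derived class, expected to pass
    bool other_ok;      // second registered derived class, expected to pass
    bool confused_ok;   // object of an unrelated hierarchy, expected to fail
    bool corrupted_ok;  // overwritten vptr (fake vtable), expected to fail
};

static DemoResult run_demo() {
    g_vtable_maps.clear();
    GoodFactory good;
    OtherFactory other;
    Unrelated unrelated;
    register_vtable<Factory>(good);
    register_vtable<Factory>(other);
    register_vtable<Unrelated>(unrelated);

    DemoResult r{};
    r.good_ok = verify_vptr<Factory>(&good);
    r.other_ok = verify_vptr<Factory>(&other);

    // Type confusion: an Unrelated object reached through a Factory*. Its
    // vptr is registered, but not in Factory's set, so the check fails.
    const Factory* confused = reinterpret_cast<const Factory*>(&unrelated);
    r.confused_ok = verify_vptr<Factory>(confused);

    // Memory corruption: an attacker who overlaps a freed Factory with
    // controlled data (use-after-free) replaces the vptr with a pointer into
    // a fake vtable. The fake is in no set, so the check fails before the
    // hijacked virtual call would be made.
    static const void* fake_vtable[4] = {nullptr, nullptr, nullptr, nullptr};
    const void* fake_vptr = &fake_vtable[2];
    alignas(void*) unsigned char corrupted[sizeof(GoodFactory)] = {};
    std::memcpy(corrupted, &fake_vptr, sizeof fake_vptr);
    r.corrupted_ok = verify_vptr<Factory>(reinterpret_cast<const Factory*>(corrupted));
    return r;
}

int main() {
    DemoResult r = run_demo();
    std::printf("registered derived classes: %s, %s\n",
                r.good_ok ? "ok" : "FAIL", r.other_ok ? "ok" : "FAIL");
    std::printf("unrelated hierarchy via Factory*: %s\n",
                r.confused_ok ? "ok" : "rejected");
    std::printf("corrupted vptr: %s\n", r.corrupted_ok ? "ok" : "rejected");
    return 0;
}
```

The two rejected cases are the interesting ones for triage. The fake-vtable case is the exploit VTV exists to stop. The unrelated-hierarchy case is what a cast to an interface that the object does not actually implement looks like to the verifier, and it is indistinguishable from an attack at the call site, which is why a failure like the one in the backtrace has to be chased back to the code that produced the pointer rather than to the call that tripped the check.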

comment:7 Changed 3 years ago by gk

Description: modified
Summary: Investigate Virtual Table Verification (VTV) hardening for Tor Browser on Windows → Investigate Virtual Table Verification (VTV) hardening for Tor Browser on Linux and Windows

comment:8 Changed 3 years ago by tom

Cc: tom@… added

comment:9 Changed 3 years ago by gk

Component: Tor bundles/installation → Tor Browser
Owner: changed from erinn to tbb-team

comment:10 Changed 3 years ago by gk

Keywords: TorbrowserTeam201407 removed

comment:11 Changed 3 years ago by tom

Another feature of GCC 4.9 to investigate is the 'final' optimization, and if this can be automatically applied to classes. 'final' is a security feature hiding inside an optimization: By optimizing out vtable calls you can make it harder to exploit UAFs.

More info:

Last edited 12 months ago by arthuredelstein

comment:12 Changed 2 years ago by gk

Keywords: tbb-hardening added

comment:13 Changed 2 years ago by gk

Keywords: tbb-hardened added; tbb-hardening removed

comment:14 Changed 13 months ago by cypherpunks

Priority: Medium → High
Severity: Blocker

selfrando oil fail
vtv for real security
fix browser vectors

https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html

comment:15 Changed 13 months ago by gk

Severity: Blocker → Major

comment:16 Changed 3 months ago by gk

Keywords: tbb-hardened removed

Remove tbb-hardened keyword.
