Test+Recommend Tor Browser with MS EMET (Enhanced Mitigation Experience Toolkit)
The Enhanced Mitigation Experience Tookit is a Microsoft tool for further hardening selected applications against exploitation. We should test it with Tor Browser to see if it impacts functionality in any way, and if not, we should consider recommending it somewhere prominently for our Windows users.
Activity
I have been using EMET with Tor Browser (Firefox) for about a year. I haven't experienced any problem.
My current firefox (tor browser) configuration includes latest EMET 5.0 with the new EAF+ feature. The following is from the Popular Software.xml that comes with EMET. This code is applied on top of the default protection rules which is already defined in the xml files. I think to enter specific EAF+ modules, it must be imported from an xml file, because there isn't a place to enter the eaf modules on the GUI, only checkboxes.
<Vendor Name="Mozilla"> <Suite Name="FireFox" Arch="x86"> <App Name="Browser" Path="*\Mozilla Firefox\firefox.exe"> <Mitigation Name="EAF+" Enabled="true"> <eaf_modules>mozjs.dll;xul.dll</eaf_modules> </Mitigation> </App> <App Name="Plugin container" Path="*\Mozilla Firefox\plugin-container.exe"/> </Suite> </Vendor>Since I'm ok with using wildcards on EMET for most exes, this is the code from my edited xml which supports all firefox instances including (multiple and/or simultaneous) Tor Browsers.
<Vendor Name="Mozilla"> <Suite Name="FireFox" Arch="x86"> <App Name="Browser" Path="*\firefox.exe"> <Mitigation Name="EAF+" Enabled="true"> <eaf_modules>mozjs.dll;xul.dll</eaf_modules> </Mitigation> </App> <App Name="Plugin container" Path="*\plugin-container.exe"/> </Suite> </Vendor>You could recommend Path="\Browser\firefox.exe" if your goal is to specify only Tor Browser. Path="\Tor Browser\Browser\firefox.exe" wouldn't be useful because user could have changed the folder name.
I also have been using and never encountered a problem with *\tor.exe and *\Start Tor Browser.exe and *\obfsproxy.exe. I also added other pl. transports' exes but didn't try them, I guess it would work fine.
Is there anything else (eaf+ and asr modules) that could be added to above rules to further harden System Tor or Bundled Tor or Tor Browser?
Currently, ROP Simulate Execution Flow (SimExecFlow) does not work with Tor Browser 4.5.1, 4.5, and the last 4.0 release (4.0.8?). The last time it worked was in the 3.5 series if I remember correctly (and possibly one of the first 4.0 releases). Please note I am talking about releases, I have never tested any betas.
Turning SimExecFlow off for *\Tor Browser\Browser\firefox.exe fixes the problem. *\tor.exe and *\Tor Browser\Browser\plugin-container.exe work fine with it enabled. I have not tested *\Start Tor Browser.exe or *\obfsproxy.exe.
I run other versions of Firefox (64-bit nightly, 64-bit beta, 32-bit release, 32-bit release with DRM removed, portable firefox) and these work fine with SimExecFlow on. I have not tested any ESR, however.
I have also not tested running Tor Browser in safe mode.
All other mitigations work fine (be sure to add "mozjs.dll;xul.dll" without quotes to the EAF+ mitigation).
Replying to cypherpunks:
Currently, ROP Simulate Execution Flow (SimExecFlow) does not work with Tor Browser 4.5.1, 4.5, and the last 4.0 release (4.0.8?). The last time it worked was in the 3.5 series if I remember correctly (and possibly one of the first 4.0 releases). Please note I am talking about releases, I have never tested any betas.
Yes, this is #13893 (moved). Would you be willing to help us tracking down this problem? That would be really great. If so, the first question would be what is the first version that breaks? Older versions are at https://archive.torproject.org/tor-package-archive/torbrowser/. It seems we know that 4.0.1 and later are affected.
I use
<EMET Version="5.5.5871.31890"> <EMET_Apps> <AppConfig Path="*\Browser" Executable="firefox.exe"> <Mitigation Name="DEP" Enabled="true" /> <Mitigation Name="SEHOP" Enabled="true" /> <Mitigation Name="NullPage" Enabled="true" /> <Mitigation Name="HeapSpray" Enabled="true" /> <Mitigation Name="EAF" Enabled="true" /> <Mitigation Name="EAF+" Enabled="true"> <eaf_modules>mozjs.dll;xul.dll</eaf_modules> </Mitigation> <Mitigation Name="MandatoryASLR" Enabled="true" /> <Mitigation Name="BottomUpASLR" Enabled="true" /> <Mitigation Name="LoadLib" Enabled="true" /> <Mitigation Name="MemProt" Enabled="true" /> <Mitigation Name="Caller" Enabled="true" /> <Mitigation Name="SimExecFlow" Enabled="true" /> <Mitigation Name="StackPivot" Enabled="true" /> <Mitigation Name="ASR" Enabled="true"> <asr_modules>flash*.ocx;njpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll</asr_modules> </Mitigation> </AppConfig> <AppConfig Path="*\Browser" Executable="plugin-container.exe"> <Mitigation Name="DEP" Enabled="true" /> <Mitigation Name="SEHOP" Enabled="true" /> <Mitigation Name="NullPage" Enabled="true" /> <Mitigation Name="HeapSpray" Enabled="true" /> <Mitigation Name="EAF" Enabled="true" /> <Mitigation Name="EAF+" Enabled="true" /> <Mitigation Name="MandatoryASLR" Enabled="true" /> <Mitigation Name="BottomUpASLR" Enabled="true" /> <Mitigation Name="LoadLib" Enabled="true" /> <Mitigation Name="MemProt" Enabled="true" /> <Mitigation Name="Caller" Enabled="true" /> <Mitigation Name="SimExecFlow" Enabled="true" /> <Mitigation Name="StackPivot" Enabled="true" /> <Mitigation Name="ASR" Enabled="true"> <asr_modules>flash*.ocx;njpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll</asr_modules> </Mitigation> </AppConfig> <AppConfig Path="*\Tor" Executable="tor.exe"> <Mitigation Name="DEP" Enabled="true" /> <Mitigation Name="SEHOP" Enabled="true" /> <Mitigation Name="NullPage" Enabled="true" /> <Mitigation Name="HeapSpray" Enabled="true" /> <Mitigation Name="EAF" Enabled="true" /> <Mitigation Name="EAF+" Enabled="true" /> <Mitigation Name="MandatoryASLR" Enabled="true" /> <Mitigation Name="BottomUpASLR" Enabled="true" /> <Mitigation Name="LoadLib" Enabled="true" /> <Mitigation Name="MemProt" Enabled="true" /> <Mitigation Name="Caller" Enabled="true" /> <Mitigation Name="SimExecFlow" Enabled="true" /> <Mitigation Name="StackPivot" Enabled="true" /> <Mitigation Name="ASR" Enabled="false" /> </AppConfig> </EMET_Apps> </EMET>and this doesn't work for firefox :(, but works for Tor.
I lso worrying about the fact that MS EMET is a proprietary software (though its .Net part is quite analyzable)
I have been using EMET with Tor Browser for years and my main problem is that sometimes it crashes with the "Caller" mitigation, the moment the window opens where you choose the location for saving files. It usually happens when there are many tabs open, but I'm not sure if that's related to the crash. I also use MBAE
Replying to cypherpunks:
I have been using EMET with Tor Browser for years and my main problem is that sometimes it crashes with the "Caller" mitigation, the moment the window opens where you choose the location for saving files. It usually happens when there are many tabs open, but I'm not sure if that's related to the crash. I also use MBAE What OS version? What Tor Browser version (actually, 7.0a3 is relevant now, and EMET 5.52, of course)? No other security software when testing, please (because of interference).
mentioned in issue #13893 (moved)
mentioned in issue #19274 (moved)
