Opened 3 years ago

Last modified 6 weeks ago

#16352 new task

Play with Intel's MPX for hardened Tor Browser builds

Reported by: gk
Owned by: tbb-team
Priority: Very High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-security, TorBrowserTeam201711
Cc: arthuredelstein
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor: Sponsor4

Change History (8)

comment:1 Changed 2 years ago by gk

Keywords: tbb-hardening added

comment:2 Changed 2 years ago by gk

Keywords: tbb-hardened added; tbb-hardening removed

comment:3 Changed 13 months ago by cypherpunks

Severity: Normal

I don't want to dissuade anyone from implementing this, but I do want to say to be careful. When MPX is not supported, the instrumentation is obviously still there, so it makes ROP slightly easier by adding more gadgets to the code.

(oops, I didn't mean to edit the severity when making this post)

Last edited 13 months ago by cypherpunks

comment:4 Changed 8 months ago by arthuredelstein

Cc: arthuredelstein added

comment:5 Changed 4 months ago by gk

Keywords: tbb-gitian tbb-hardened removed

comment:6 Changed 2 months ago by gk

Keywords: TorBrowserTeam201711 added
Sponsor: Sponsor4

comment:7 Changed 2 months ago by gk

Priority: Medium → Very High

Changing prio to reflect sponsor deadline

comment:8 Changed 6 weeks ago by arthuredelstein

Here's what I have done with MPX so far:

I have been using an MPX-supporting VPS and confirmed with a simple test program that gcc -fcheck-pointer-bounds -mmpx produces a binary that catches heap buffer overflows at runtime. Using CFLAGS and CXXFLAGS in mozconfig, and upgrading to the latest version of the gold linker, I built a big part of Firefox 52 using the same flags.

But I'm currently running into the following error, which occurs only when the -fcheck-pointer-bounds flag is present in CFLAGS:

 2:46.68 ../../../../build/unix/gold/ld: error: /home/arthur/tor-browser/obj-x86_64-pc-linux-gnu/config/external/nspr/pr/pripv6.o: requires dynamic R_X86_64_PC32 reloc against '_pr_test_ipv6_socket' which may overflow at runtime; recompile with -fPIC
 2:46.68 ../../../../build/unix/gold/ld: error: /home/arthur/tor-browser/obj-x86_64-pc-linux-gnu/config/external/nspr/pr/pratom.o: requires dynamic R_X86_64_PC32 reloc against '_PR_x86_64_AtomicAdd' which may overflow at runtime; recompile with -fPIC
 2:46.68 ../../../../build/unix/gold/ld: error: read-only segment has dynamic relocations
 2:46.68 collect2: error: ld returned 1 exit status
 2:46.68 /home/arthur/tor-browser/config/rules.mk:800: recipe for target 'libnspr4.so' failed
 2:46.68 make[5]: *** [libnspr4.so] Error 1
 2:46.68 make[5]: Leaving directory '/home/arthur/tor-browser/obj-x86_64-pc-linux-gnu/config/external/nspr/pr'
 2:46.68 /home/arthur/tor-browser/config/recurse.mk:71: recipe for target 'config/external/nspr/pr/target' failed
 2:46.68 make[4]: *** [config/external/nspr/pr/target] Error 2

I've tried a number of things to fix this error, including adding -fPIC to CFLAGS as well as NSPR_CFLAGS, but so far nothing has succeeded. I plan to continue to try to fix this bug and any remaining errors that turn up in the build, and then it should be possible to implement a patch for tor-browser-build.git.
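A smoke test of the kind comment 8 describes, written here as an added example (not arthuredelstein's program): a plain-pointer heap write with no software check, so that a build with `-fcheck-pointer-bounds -mmpx` on MPX-capable hardware traps on the first out-of-bounds store, and the SIGSEGV handler's `si_code` tells an MPX bound fault apart from an ordinary segfault. Assumed: GCC's `__CHKP__`/`__MPX__` macros, the Linux `SEGV_BNDERR` code, and that on a CPU without MPX the bound instructions decode as NOPs, so the instrumented binary runs but the overflow goes undetected.

```c
/* Constructed MPX smoke test (not from the ticket). Build it twice and compare:
 *   gcc -O1 -fcheck-pointer-bounds -mmpx mpx_smoke.c -o mpx_smoke   # instrumented
 *   gcc -O1 mpx_smoke.c -o mpx_smoke_plain                          # baseline
 * Run: ./mpx_smoke 17   (17 bytes into a 16-byte block) */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* 1 if this translation unit was compiled with -fcheck-pointer-bounds -mmpx
 * (assumption: GCC defines __CHKP__ and __MPX__ for those flags). */
int mpx_instrumented(void)
{
#if defined(__CHKP__) && defined(__MPX__)
    return 1;
#else
    return 0;
#endif
}

/* Writes n bytes through a plain pointer into a zeroed heap block of len bytes.
 * There is deliberately no software check: the only guard is MPX's bound check
 * on the pointer calloc returned. Returns the sum of the first len bytes. */
unsigned long fill_heap(size_t len, size_t n)
{
    char *buf = calloc(1, len);
    if (!buf) return 0;
    for (size_t i = 0; i < n; i++)   /* i == len is the first out-of-bounds store */
        buf[i] = 'A';
    unsigned long sum = 0;
    for (size_t i = 0; i < len; i++) sum += (unsigned char)buf[i];
    free(buf);
    return sum;
}

/* SIGSEGV handler: the kernel reports an MPX #BR fault as SEGV_BNDERR, which
 * separates "MPX caught it" from a plain segfault or from no trap at all. */
static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    const char *msg = "plain SIGSEGV (not an MPX bound check)\n";
#ifdef SEGV_BNDERR
    if (si->si_code == SEGV_BNDERR) msg = "MPX bound violation caught\n";
#endif
    write(2, msg, strlen(msg));
    _exit(2);
}

int main(int argc, char **argv)
{
    size_t n = argc > 1 ? strtoul(argv[1], NULL, 10) : 17;
    struct sigaction sa = { .sa_sigaction = on_segv, .sa_flags = SA_SIGINFO };
    sigaction(SIGSEGV, &sa, NULL);
    printf("instrumented=%d\n", mpx_instrumented());
    /* Reaching this line with n > 16 means no MPX check fired (NOP on non-MPX CPUs). */
    printf("sum=%lu, no trap\n", fill_heap(16, n));
    return 0;
}
```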
