Opened 4 years ago

Closed 8 days ago

#16417 closed defect (duplicate)

DEP/ASLR missing on some Tor Browser (Pluggable Transports) binaries on Windows

Reported by: boklm Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-security, tbb-rbm
Cc: gk, erinn, arthuredelstein Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Some files in the TorBrowser/Tor/PluggableTransports directory are missing DEP/ASLR on Windows:

TorBrowser/Tor/PluggableTransports/_ctypes.pyd
TorBrowser/Tor/PluggableTransports/_hashlib.pyd
TorBrowser/Tor/PluggableTransports/_socket.pyd
TorBrowser/Tor/PluggableTransports/_ssl.pyd
TorBrowser/Tor/PluggableTransports/bz2.pyd
TorBrowser/Tor/PluggableTransports/Crypto.Cipher._AES.pyd
TorBrowser/Tor/PluggableTransports/Crypto.Hash._SHA256.pyd
TorBrowser/Tor/PluggableTransports/Crypto.Hash._SHA512.pyd
TorBrowser/Tor/PluggableTransports/Crypto.Random.OSRNG.winrandom.pyd
TorBrowser/Tor/PluggableTransports/Crypto.Util._counter.pyd
TorBrowser/Tor/PluggableTransports/Crypto.Util.strxor.pyd
TorBrowser/Tor/PluggableTransports/flashproxy-client.exe
TorBrowser/Tor/PluggableTransports/flashproxy-reg-appspot.exe
TorBrowser/Tor/PluggableTransports/flashproxy-reg-email.exe
TorBrowser/Tor/PluggableTransports/flashproxy-reg-http.exe
TorBrowser/Tor/PluggableTransports/flashproxy-reg-url.exe
TorBrowser/Tor/PluggableTransports/fte.cDFA.pyd
TorBrowser/Tor/PluggableTransports/fteproxy.exe
TorBrowser/Tor/PluggableTransports/M2Crypto.__m2crypto.pyd
TorBrowser/Tor/PluggableTransports/meek-client-torbrowser.exe
TorBrowser/Tor/PluggableTransports/meek-client.exe
TorBrowser/Tor/PluggableTransports/obfs4proxy.exe
TorBrowser/Tor/PluggableTransports/obfsproxy.exe
TorBrowser/Tor/PluggableTransports/pyexpat.pyd
TorBrowser/Tor/PluggableTransports/python27.dll
TorBrowser/Tor/PluggableTransports/select.pyd
TorBrowser/Tor/PluggableTransports/terminateprocess-buffer.exe
TorBrowser/Tor/PluggableTransports/unicodedata.pyd
TorBrowser/Tor/PluggableTransports/w9xpopen.exe
TorBrowser/Tor/PluggableTransports/zope.interface._zope_interface_coptimizations.pyd

Child Tickets

Change History (8)

comment:1 Changed 4 years ago by yawning

Anything that's Go based won't ever have either, because the upstream Go maintainers place way too much faith in their compiler and runtime to allow for such things. I think this is shortsighted and stupid (Golang binaries are also statically linked so ASLR seems somewhat less useful).

FTE/flashproxy are the only reasons why we still even bundle python/obfsproxy, we can probably remove obfsproxy.exe from the build process at this point as long fteproxy.exe still gets built correctly (or deprecate FTE).

comment:2 Changed 4 years ago by gk

Cc: gk added
Keywords: tbb-gitian added

comment:3 Changed 4 years ago by erinn

Cc: erinn added

comment:4 Changed 4 years ago by gk

Keywords: tbb-hardening added

comment:5 Changed 4 years ago by gk

Keywords: tbb-hardened added; tbb-hardening removed

comment:6 Changed 3 years ago by arthuredelstein

Cc: arthuredelstein added
Severity: Normal

comment:7 Changed 2 years ago by gk

Keywords: tbb-rbm added; tbb-gitian tbb-hardened removed

comment:8 Changed 8 days ago by gk

Resolution: duplicate
Status: newclosed

We are left with obfs4proxy.exe. Let's track the specific hardening task for that one in #31716.

Note: See TracTickets for help on using tickets.