Opened 3 years ago

Last modified 2 years ago

#20361 new task

Investigate CFI means for usage in Tor Browser

Reported by: gk Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-security
Cc: arthuredelstein Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by gk)

Chrome uses CFI for some parts in its code: https://www.chromium.org/developers/testing/control-flow-integrity and Mozilla is about to add CFI support to the build system (https://bugzilla.mozilla.org/show_bug.cgi?id=1302891). We should investigate whether we can leverage that at least in our hardened builds as well.

Child Tickets

Change History (7)

comment:1 Changed 3 years ago by gk

Description: modified (diff)
Keywords: tbb-hardened added; tbb-hardening removed

comment:2 Changed 3 years ago by gk

Description: modified (diff)

comment:3 Changed 3 years ago by arthuredelstein

Cc: arthuredelstein added

comment:4 Changed 3 years ago by gk

Arthur looked at it recently a bit (in #21711):

I tried to build tor-browser.git using -fsanitize=cfi and I ran into the following bug that was reported recently:
http://lists.llvm.org/pipermail/llvm-dev/2017-February/109861.html

Fortunately, it seems this bug has been fixed in clang 4.0. Binaries for clang 4.0.0 should be available in a few days so I will try again then.

See https://clang.llvm.org/docs/ControlFlowIntegrity.html

Last edited 3 years ago by arthuredelstein

comment:5 Changed 3 years ago by arthuredelstein

I found the site for pre-release binaries: http://www.llvm.org/pre-releases/4.0.0/
So I can potentially test before release.

comment:6 Changed 2 years ago by cypherpunks

It's important to understand that Clang CFI requires LTO support, which itself is a security issue, making latent undefined behavior exploitable. UBSan only catches a small subset of these, so the issues caused by full LTO support are not mitigated by the sanitizer. However, it can be mitigated by setting the O2 optimization for the compiler, but only O1 for the linker. This disables the unsafe LTO optimizations which the linker would otherwise use, while still being sufficient for CFI to function. Keeping the compiler at O2 will ensure that there won't be performance hits.

It would be possible to modify the compiler itself or provide it with a plugin to change the order of various passes, which would have the same effect. I believe the private PaX RAP plugin does this.

This is information I found out from multiple IRC discussions and looking into the workings of Clang CFI. If necessary, I can post the relevant logs.
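Added example (not from the ticket or from any Tor Browser build script): a POSIX shell function that exercises the build recipe discussed in comments 4 and 6, compiling a small constructed C program with `-fsanitize=cfi` at `-O2` and running the LTO link step at `-O1`, then checking that a well-typed indirect call runs normally while a call through a mismatched function-pointer type is trapped by `cfi-icall`. It assumes `clang` with LTO support and `lld` are on `PATH` and reports `skip` if the toolchain is missing; it demonstrates only what the CFI check enforces, not the LTO security claims above.

```shell
#!/bin/sh
# Added example, not part of ticket #20361. Assumes clang (with LTO) and lld.
# Prints one of: trap (CFI caught the bad call), nocfi (it ran unchecked),
# skip (toolchain unavailable), broken (unexpected result).

cfi_demo() {
    workdir="${TMPDIR:-/tmp}/cfi-demo.$$"
    mkdir -p "$workdir" || { echo broken; return 0; }

    # Constructed sample: fp is well-typed unless an argument is given, in
    # which case an int(void) function is called through an int(int) pointer.
    cat > "$workdir/demo.c" <<'EOF'
#include <stdio.h>

typedef int (*int_fn)(int);

static int square(int x) { return x * x; }
static int greet(void) { puts("hello"); return 0; }  /* different signature */

int main(int argc, char **argv) {
    int_fn fp = square;
    if (argc > 1)
        fp = (int_fn)greet;  /* type mismatch: rejected by -fsanitize=cfi-icall */
    printf("%d\n", fp(argc));
    return 0;
}
EOF

    cfi="-flto -fsanitize=cfi -fvisibility=hidden"
    # Compile at -O2; the link step drives LTO and is kept at -O1 (comment 6).
    if ! clang $cfi -O2 -c "$workdir/demo.c" -o "$workdir/demo.o" >/dev/null 2>&1 \
       || ! clang $cfi -O1 -fuse-ld=lld "$workdir/demo.o" -o "$workdir/demo" >/dev/null 2>&1
    then
        rm -rf "$workdir"; echo skip; return 0
    fi

    ok=0;  "$workdir/demo"         >/dev/null 2>&1 || ok=$?   # well-typed call
    bad=0; "$workdir/demo" violate >/dev/null 2>&1 || bad=$?  # mismatched call
    rm -rf "$workdir"

    # A CFI violation traps (ud2 / brk), which the shell reports as status >128.
    if [ "$ok" -eq 0 ] && [ "$bad" -gt 128 ]; then echo trap
    elif [ "$ok" -eq 0 ] && [ "$bad" -eq 0 ]; then echo nocfi
    else echo broken; fi
    return 0
}

cfi_demo
```

Run it as `sh cfi-demo.sh`; `trap` confirms the mismatched call was stopped before the target executed, and `nocfi` indicates the CFI flags were not applied at both compile and link time (both steps need `-flto` and `-fsanitize=cfi`, and `-fvisibility=hidden` is required by Clang CFI).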

comment:7 Changed 2 years ago by gk

Keywords: tbb-hardened removed

Remove tbb-hardened keyword.
