Opened 14 months ago

Last modified 14 months ago

#28147 new defect

[meta] Improve Tor Browser Content Process Sandbox

Reported by: tom Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: #28146 Points:
Reviewer: Sponsor:

Description

This ticket is specifically for tightening the content process sandbox.

An attacker who achieves code execution inside the content process sandbox should not be able to achieve the most valuable goals (proxy bypass/persistent user identifier) inside the content process and should instead need a sandbox escape.

Child Tickets

Ticket   Status  Owner     Summary                                                     Component
#28148   new     tbb-team  Limit or Restrict PTCPSocket and PUDPSocket IPC mechanisms  Applications/Tor Browser
#28149   new     tbb-team  Limit or Restrict GetAndroidSystemInfo                      Applications/Tor Browser
#28374   new     tbb-team  ensure RequestStorageId cannot be accessed remotely         Applications/Tor Browser

Change History (2)

comment:1 Changed 14 months ago by gk

Are there corresponding Mozilla bugs somewhere because it seems to me that this sandbox tightening is something (privacy-conscious) Firefox users (with proxy) would maybe want to have as well? E.g. should there be no way to steal Android device information that way from within the content process regardless of whether Tor is used or not.

comment:2 in reply to: 1 Changed 14 months ago by tom

Replying to gk:

Are there corresponding Mozilla bugs somewhere because it seems to me that this sandbox tightening is something (privacy-conscious) Firefox users (with proxy) would maybe want to have as well? E.g. should there be no way to steal Android device information that way from within the content process regardless of whether Tor is used or not.

Generally, no. So far all of the things I've listed here are things we've made to support some feature or another. It's possible (but unlikely) that they could be dead code that we could remove, but AFAIK there are no corresponding Mozilla bugs to do what Tor wants, because it's going to conflict with what Mozilla wants.

My suggestion would be that as each sub-item is investigated, we see what the use of the item is in Firefox, and determine if there is a way to tighten the IPC layer in Firefox either generally or under certain (existing) preferences. (With a fallback to some new preference or preferences.) That would be the easiest way to upstream the behavior Tor wants.
