Opened 6 years ago

Last modified 14 months ago

#4522 assigned enhancement

Add privilege separation for bundled browser

Reported by: kteel
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-sandboxing
Cc: shondoit@…, gk, unknown@…, marlowe, trams, arthuredelstein@…, intrigeri, nord-stream@…
Actual Points:
Parent ID: #19750
Points:
Reviewer:
Sponsor:

Description

TBB comes with Firefox, which runs with full user privileges by default. A single vulnerability, for example in its rendering or JavaScript code, can be used to access private data stored on the system or to bypass Tor and reveal IP and location.

Modern OSs offer security mechanisms to run 3rd party applications with reduced privileges:

Windows Vista and later have Protected/Low Integrity Mode.
OS X has seatbelt, fully usable at least since Lion.
Linux has several mechanisms: seccomp is in the kernel and should be available on all recent distros; SELinux and AppArmor are more distro-specific (Red Hat, Fedora, Ubuntu).

Firefox upstream doesn't make use of any of them yet, but that shouldn't stop redistributors with different security requirements...

Firefox is also the only major browser that doesn't have a multi-process architecture to further limit the privileges of code that handles untrusted input. I don't think anything can be done about that short of waiting for Electrolysis to make it into Aurora, or switching the browser to something else in the meantime, which is probably undesirable for many reasons.

However, sandboxing the Firefox process could be done right now with relatively little difficulty. The heavy lifting has been done already: Chromium has several sandbox mechanisms to cover all major platforms.

A few links to get started:
For Windows:
a few icacls commands are enough for a basic configuration.
https://wiki.mozilla.org/Mozilla_2/Protected_mode
http://superuser.com/questions/30668/how-to-run-firefox-in-protected-mode-i-e-at-low-integrity-level

For OS X:
http://developer.apple.com/library/mac/#documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html
http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design

For Linux:
http://code.google.com/p/chromium/wiki/LinuxSandboxing
Ubuntu comes with a Firefox Apparmor profile which just needs to be adapted to point at the correct binary.

For *BSD:
jail is available across the board

None of these are designed with the threat model of Tor in mind. Special focus would be needed to protect the IP address from the browser.

Summary:
The outdated security architecture of Firefox, together with the JavaScript-heavy web and modern drive-by exploits, makes the current TBB increasingly susceptible to application-level attacks.

Levels of security and resilience against application vulnerabilities similar to those of the "anonymizing middlebox" (transparent proxy in a separate computer or VM) can be achieved with privilege separation.

Make it happen before Electrolysis comes out (is it even still on their roadmap?)
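A worked instance of the Linux part of the list above, and of the point that the IP address must be protected from the browser. This is an added example, not code from the ticket, from Tor Browser or from Chromium: a minimal seccomp-bpf launcher that lets the wrapped process create only AF_UNIX sockets, so the browser can reach a tor SOCKS listener on a Unix-domain socket (tor's SocksPort unix:/path option, assumed here as the transport) but can never open an IP socket of its own, which also blocks direct DNS lookups. The firefox path in the usage comment is an assumption; the small BPF interpreter exists only so the policy can be exercised offline without installing it.

```c
/* Added example (not from the ticket or Tor Browser): a seccomp-bpf launcher
 * that denies every socket(2) call whose domain is not AF_UNIX.
 * Assumes tor is listening on a Unix-domain SOCKS socket (SocksPort unix:/...).
 * Build: cc -O2 -o no-inet-sockets no-inet-sockets.c
 * Run:   ./no-inet-sockets /path/to/Browser/firefox   (path is an assumption) */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* The policy. Jump offsets in BPF are relative to the *next* instruction. */
static struct sock_filter filt[] = {
    /* 0: A = arch; never trust the syscall number without checking the ABI */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    /* 1: if A == SECCOMP_ARCH skip the kill at 2, else fall through to it */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
    /* 2: wrong ABI: kill */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* 3: A = syscall number */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* 4: anything other than socket(2) is allowed (jump 3 -> instruction 8) */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_socket, 0, 3),
    /* 5: A = low 32 bits of args[0], the socket domain */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    /* 6: AF_UNIX is allowed (jump 1 -> instruction 8); anything else falls to 7 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 1, 0),
    /* 7: AF_INET, AF_INET6, AF_NETLINK, AF_PACKET, ...: kill */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* 8: allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILT_LEN (sizeof filt / sizeof filt[0])

/* Interpreter for the three classic-BPF forms used above (LD_ABS, JEQ_K, RET_K),
 * so the policy can be checked without installing it on the running process. */
uint32_t bpf_eval(const struct sock_filter *prog, size_t len,
                  const struct seccomp_data *d)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k + 4 > sizeof *d)
                return SECCOMP_RET_KILL;        /* out-of-range load */
            memcpy(&a, (const char *)d + ins->k, 4);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (a == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL;            /* opcode not modelled here */
        }
    }
    return SECCOMP_RET_KILL;                    /* fell off the end of the program */
}

/* What the kernel would decide for one syscall nr whose first argument is arg0. */
uint32_t decide(int nr, uint32_t arch, uint64_t arg0)
{
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { arg0 } };
    return bpf_eval(filt, FILT_LEN, &d);
}

/* Install the policy on the calling process. Returns 0 on success, -1 on error. */
int install_filter(void)
{
    struct sock_fprog prog = { .len = FILT_LEN, .filter = filt };
    /* Without NO_NEW_PRIVS an unprivileged process may not install a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    if (install_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    execvp(argv[1], argv + 1);   /* the filter is inherited across execve */
    perror("execvp");
    return 1;
}
```

The filter needs no root: PR_SET_NO_NEW_PRIVS is what lets an unprivileged user install it, and it is inherited across execve, so a wrapper around the binary suffices. SECCOMP_RET_KILL is deliberately loud for testing; a deployable profile would more likely return SECCOMP_RET_ERRNO so the browser sees a failed socket() instead of dying, and would have to cover far more than socket(2) (ptrace, file access, and so on) to give the process-level containment the ticket asks for.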

Child Tickets

Ticket: #5791
Type: project
Status: assigned
Owner: erinn
Summary: Gather apparmor/selinux/seatbelt profiles for each component of TBB

Change History (17)

comment:1 Changed 6 years ago by kteel

Update: Electrolysis is dead, or in a coma
http://lawrencemandel.com/2011/11/15/update-on-multi-process-firefox-electrolysis-development/

I'd start looking at Chromium. If the extension architecture is lacking one could still hack on the code base and maintain a patch set?

Has there already been a discussion about that?

comment:2 Changed 6 years ago by Shondoit

Cc: shondoit@… added

comment:3 Changed 6 years ago by gk

Cc: g.koppen@… added

comment:4 Changed 6 years ago by mikeperry

Status: new → needs_information

Which OS sandboxing mechanisms can be applied without root/admin?

comment:5 Changed 6 years ago by cypherpunks

AFAIK Chromium portable exists on all 3 platforms supported by TBB and it also has sandboxing
enabled on all platforms.

Windows MIC certainly works without admin privileges, OS X Lion seatbelt most likely. AppArmor and jail certainly don't; SELinux: depends? Most likely doesn't.

comment:7 Changed 6 years ago by unknown

Cc: unknown@… added

comment:8 Changed 6 years ago by arma

Parent ID: #5791

comment:9 Changed 6 years ago by mikeperry

Component: Firefox Patch Issues → Tor bundles/installation
Parent ID: #5791
Priority: normal → major

I think we want to parent this the other way. We need to gather the profiles the community is already using first. #5791 is then a child ticket here.

Also, this is technically a bundles issue...

comment:10 Changed 6 years ago by mikeperry

Cc: marlowe trams added
Owner: changed from mikeperry to cypherpunks
Status: needs_information → assigned

It's occurred to me that we can achieve this easily for platforms that support sandboxing by playing nicer with them in terms of using their native package formats.

For the Linuxes, I don't think we have to be *that* nice. If we host our own repo, we can get away with tossing TBB in /etc/skel and creating a login script to sync it to users' homedirs.

While we're at it, we can also have this package install the appropriate profile for the sandbox (AppArmor for Ubuntu, SELinux for Redhat-derived).

For Mac, I expect the whole "Here's a package and its sandbox, please install them" process will be much smoother in 10.8. If they let us into the app stores, that is...

For the Linux side especially, this really is something we need community help with, I think...

comment:11 Changed 4 years ago by arthuredelstein

Cc: arthuredelstein@… added

comment:12 Changed 4 years ago by gk

Cc: gk added; g.koppen@… removed

comment:13 Changed 3 years ago by erinn

Component: Tor bundles/installation → Tor Browser
Keywords: triage added

comment:14 Changed 3 years ago by erinn

Keywords: needs-triage added; triage removed

comment:15 Changed 3 years ago by intrigeri

Cc: intrigeri added

comment:16 Changed 17 months ago by nord-stream

Cc: nord-stream@… added
Severity: Normal

comment:17 Changed 14 months ago by bugzilla

Keywords: tbb-sandboxing added; needs-triage removed
Owner: changed from cypherpunks to tbb-team
Parent ID: #19750