Opened 7 years ago

Closed 12 months ago

#7008 closed project (wontfix)

Make it safe to run Flash in TBB

Reported by: arma Owned by: mikeperry
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: SponsorJ, apparmor
Cc: trams, runa Actual Points:
Parent ID: #7680 Points:
Reviewer: Sponsor:

Description (last modified by arma)

Here's what we wrote:
"The Tor Project will design a sandbox to allow Tor Browser Bundle users to safely use Adobe Flash plugins, or compatible technology, with a majority of web sites on the Internet. We will work with experts in the field of sandbox technology to develop a solution for Microsoft Windows, Apple OS X, and Linux operating systems. This implementation will be integrated into the alpha-release branch of the Tor Browser Bundle packages."

Originally we'd been planning to have trams lead this project, but it's been a year or more since we originally proposed it so we should try to rope him back in. I'm assigning to Mike to start with, since we need his help deciding what direction to take. We have basically a full-time person of funding to devote here, so let's do it right.

Child Tickets

Ticket  Status  Owner      Summary                                                                         Component
#3974   closed  tbb-team   Disable flash's "allow cookies" pref somehow                                    Applications/Tor Browser
#4335   closed  tbb-team   Per-urlbar domain plugin control                                                Applications/Tor Browser
#5531   closed  tbb-team   Local config file for Flash Player                                              Applications/Tor Browser
#6210   closed  mikeperry  set plugin.expose_full_path to false                                            TorBrowserButton
#7470   closed  tbb-team   Make it possible to run Flash in TBB                                            Applications/Tor Browser
#10885  closed  tbb-team   Confusing/Conflicting Info Provided About Flash in Tor Browser, Usability Issue Applications/Tor Browser

Attachments (1)

flash.sb (7.4 KB) - added by trams 7 years ago.
example policy for flash.


Change History (17)

comment:1 Changed 7 years ago by trams

Flash runs outside the main Firefox browser, in the plugin-container process. This is good from a sandboxing POV, as it makes it easier to enforce a sandbox that only affects Flash, or to create different sandboxes, making it harder for Flash to compromise the browser.

Note that Flash is already sandboxed on Windows/FF; see https://blogs.adobe.com/asset/2012/06/inside-flash-player-protected-mode-for-firefox.html

Flash sandboxes were also under scrutiny at Black Hat, where a presentation on the subject was given:

http://media.blackhat.com/bh-us-12/Briefings/Sabanal/BH_US_12_Sabanal_Digging_Deep_Slides.pdf


For OSX: quite tricky. We need to create a wrapper (that is, a proxy for mach-ipc: org.mozilla.machname.*) or fork the plugin-container process to do a sandbox_init function call. Developing the sandbox profile from there is straightforward, and quite easy.

For Linux: either fork plugin-container and do seccomp + friends, or use SELinux/AppArmor to constrain the process, or do both.

comment:2 Changed 7 years ago by phobos

To be clear, the deliverable isn't for a sandbox, it's for safe use of Flash. We could use a virtual machine which only runs TBB with Flash, if possible.

comment:3 Changed 7 years ago by arma

Summary: Have a sandbox in TBB that can run Flash safely → Make it safe to run Flash in TBB

comment:4 Changed 7 years ago by arma

(for reference, old ticket for this was #5616)

comment:5 Changed 7 years ago by trams

Patched plugin-container to run in sandboxed mode on OSX, but saying that running Flash in a separate sandbox would make it Safe is a very strong claim, considering the following:

1) We don't really know (atm) what it is allowed to do through the browser <-> plugin-container IPC channel.
2) Flash leaves lots of open attack vectors, and some privacy concerns. Interestingly enough, Flash does not seem to require network access, at least not from my YouTube testing. When we say safe, do we mean "safe from exploits" or safe from Flash leaking data?

The most troubling access that needs to be granted to Flash is the following:

(allow iokit-open
    (iokit-user-client-class "AGPMClient")
    (iokit-user-client-class "AppleGraphicsControlClient")
    (iokit-user-client-class "Gen7DVDContext")
    (iokit-user-client-class "Gen7Device")
    (iokit-user-client-class "Gen7GLContext")
    (iokit-user-client-class "IOAudioControlUserClient")
    (iokit-user-client-class "IOAudioEngineUserClient")
    (iokit-user-client-class "IOHIDParamUserClient")
    (iokit-user-client-class "IOSurfaceRootUserClient")
    (iokit-user-client-class "RootDomainUserClient")
    (iokit-user-client-class "nvDevice")
    (iokit-user-client-class "nvFermiGLContext"))

(allow ipc-posix-shm-read-data
    (ipc-posix-name "/tmp/com.apple.csseed.27")
    (ipc-posix-name "AudioIO26B")
    (ipc-posix-name "CFPBS:7F:")
    (ipc-posix-name "apple.shm.cfprefsd.501")
    (ipc-posix-name "apple.shm.cfprefsd.daemon")
    (ipc-posix-name "apple.shm.notification_center")
    (ipc-posix-name "ls.27.186a6.66334873"))

(allow ipc-posix-shm-read-metadata
    (ipc-posix-name "AudioIO26B"))

(allow ipc-posix-shm-write-data
    (ipc-posix-name "AudioIO26B")
    (ipc-posix-name "CFPBS:7F:"))

(allow mach-lookup
    (global-name "com.apple.CoreServices.coreservicesd")
    (global-name "com.apple.FontObjectsServer")
    (global-name "com.apple.FontServer")
    (global-name "com.apple.PowerManagement.control")
    (global-name "com.apple.SystemConfiguration.configd")
    (global-name "com.apple.audio.audiohald")
    (global-name "com.apple.audio.coreaudiod")
    (global-name "com.apple.cfprefsd.agent")
    (global-name "com.apple.cfprefsd.daemon")
    (global-name "com.apple.coreservices.appleevents")
    (global-name "com.apple.cvmsServ")
    (global-name "com.apple.distributed_notifications@Uv3")
    (global-name "com.apple.dock.server")
    (global-name "com.apple.ls.boxd")
    (global-name "com.apple.pasteboard.1")
    (global-name "com.apple.system.logger")
    (global-name "com.apple.system.notification_center")
    (global-name "com.apple.system.opendirectoryd.libinfo")
    (global-name "com.apple.window_proxies")
    (global-name "com.apple.windowserver.active")
    (global-name "com.apple.xpcd")
    (global-name "org.mozilla.machname.783989704"))

Note that the IOKit classes are different for different Macs (like GenXDevice), and also that this list can most likely be reduced at the cost of stability and/or performance.

Note that this list is only from YouTube; should other stuff like webcams and voice be allowed, sensitivity increases, as we need to grant access to these devices, which will have privacy implications if abused.


Changed 7 years ago by trams

Attachment: flash.sb added

example policy for flash.

comment:6 Changed 7 years ago by trams

Added example policy for Flash that plays YouTube and some other random tests. This policy is not something that is viable for production, but gives a fair idea of what Flash needs to do.

Debugging is a bit tricky, as FF happily hangs if plugin-container misbehaves too much.

Open questions:

  1. How much can Flash affect the core browser via NPAPI? If NPAPI is too liberal, we might need to contain the browser as well.
  2. Does Flash respect proxy settings? If it does, we can replace

(allow network-outbound
    (literal "/private/var/run/mDNSResponder")
    (remote tcp "*:1935")
    (remote tcp "*:443")
    (remote tcp "*:80"))

with simply letting it talk to the Tor SOCKS port, and nothing else, network-wise.

comment:7 Changed 7 years ago by trams

We should let Vidalia generate the policy to contain important stuff like where the Tor proxy is.

This would be trivial by simply pointing to a small script that does the necessary sandbox generation before launching FF.

Knobs could be added to Vidalia to generate a more permissive policy for Flash, like allowing webcam/microphone.
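The generator-script idea from comment:7, combined with the "only the Tor SOCKS port" network rule proposed in comment:6, as an added example that is not part of the ticket or of any Tor Browser code. It emits a profile in the same SBPL syntax as the flash.sb snippets above and applies it to plugin-container through a wrapper, the approach comment:1 mentions. The SOCKS address (TOR_SOCKS_HOST/TOR_SOCKS_PORT), the REAL_PLUGIN_CONTAINER path, the Flash plugin path and the function names are assumptions; sandbox-exec(1) has since been deprecated by Apple but is the mechanism under discussion here. The per-machine IOKit, mach-lookup and shm rules from flash.sb are left out of the generated profile.

```shell
#!/bin/sh
# Added example (not from the ticket or the Tor Browser code base): generate a
# macOS sandbox profile that lets Flash reach only Tor's SOCKS port, then run
# plugin-container under it. Assumed inputs: TOR_SOCKS_HOST, TOR_SOCKS_PORT,
# REAL_PLUGIN_CONTAINER (the renamed original binary) and the plugin path.

# gen_flash_policy HOST PORT
# Prints a profile allowing outbound TCP to HOST:PORT only. Returns 1 on a
# malformed port so a bad value cannot silently produce a wider rule.
gen_flash_policy() {
    host=$1
    port=$2
    case $port in
        ''|*[!0-9]*)
            echo "gen_flash_policy: port must be numeric, got '$port'" >&2
            return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "gen_flash_policy: port out of range: $port" >&2
        return 1
    fi
    cat <<EOF
(version 1)
;; Default-deny, and log every denial: a Flash feature that ignores the proxy
;; then shows up in the system log instead of leaking quietly.
(deny default)
(debug deny)

;; Flash's own code, read-only (assumed plugin path).
(allow file-read* (subpath "/Library/Internet Plug-Ins/Flash Player.plugin"))

;; Per-machine IOKit / mach-lookup / shm rules from flash.sb would go here.

;; Network: only the Tor SOCKS port. No wildcard 80/443/1935 rules and no
;; local resolver socket, so Flash can neither resolve names nor connect
;; directly; whatever bypasses the proxy fails closed and is logged.
(deny network*)
(allow network-outbound (remote tcp "${host}:${port}"))
EOF
}

# Wrapper entry point: Firefox is pointed at this script in place of
# plugin-container. The policy is regenerated from the current SOCKS address
# on every launch, so a port change in Tor's config is picked up automatically.
# Not invoked at load time.
run_plugin_container() {
    policy=$(mktemp "${TMPDIR:-/tmp}/flash.sb.XXXXXX") || return 1
    if ! gen_flash_policy "${TOR_SOCKS_HOST:-127.0.0.1}" "${TOR_SOCKS_PORT:-9150}" > "$policy"; then
        rm -f "$policy"
        return 1
    fi
    exec sandbox-exec -f "$policy" "${REAL_PLUGIN_CONTAINER:?set to the real plugin-container}" "$@"
}
```

Dropping the mDNSResponder rule as well as the wildcard ports is deliberate: with it in place Flash could still resolve hostnames locally even if every connection went through SOCKS, which is exactly the DNS leak the rest of the bundle works to prevent. Whether Flash actually honours the proxy is the open question in comment:6; this profile does not answer it, but it turns a silent leak into a logged denial.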

comment:8 Changed 7 years ago by arma

Parent ID: #7650

comment:9 Changed 7 years ago by arma

Parent ID: #7650 → #7680

comment:10 Changed 7 years ago by runa

Cc: runa added

comment:11 Changed 7 years ago by arma

Description: modified (diff)

comment:12 Changed 5 years ago by erinn

Keywords: needs-triage added

comment:13 Changed 5 years ago by erinn

Component: Tor bundles/installation → Tor Browser

comment:14 Changed 22 months ago by arma

Severity: Normal

Time has passed, and Flash is going extinct.

I say we find a way to close all the subtickets, and then close this one as wontfix.

comment:15 Changed 12 months ago by traumschule

Keywords: apparmor added

group tickets related to AppArmorForTBB/tor packages

comment:16 in reply to: 14 Changed 12 months ago by gk

Keywords: needs-triage removed
Resolution: wontfix
Status: new → closed

Replying to arma:

Time has passed, and Flash is going extinct.

I say we find a way to close all the subtickets, and then close this one as wontfix.

Done.
