Opened 5 years ago

Last modified 9 months ago

#8918 reopened defect

Windows paging file contains Tor Browser Bundle filename

Reported by: runa
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-disk-leak
Cc: runa
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on Windows 7 showed that the Windows paging file, C:\pagefile.sys, contains the filename for the Tor Browser Bundle executable.

Change History (6)

comment:1 Changed 4 years ago by runa

Keywords: tbb-disk-leak added

comment:2 Changed 3 years ago by erinn

Keywords: needs-triage added

comment:3 Changed 3 years ago by erinn

Component: Tor bundles/installation → Tor Browser
Owner: changed from erinn to tbb-team

comment:4 Changed 22 months ago by bugzilla

Keywords: tbb-disk-traces added; tbb-disk-leak needs-triage removed
Resolution: invalid
Severity: Normal
Status: new → closed

Are you really going to run TBB in non-paged memory only? Madness...

comment:5 Changed 22 months ago by gk

Keywords: tbb-disk-leak added; tbb-disk-traces removed
Resolution: invalid
Status: closed → reopened

Please, don't invent new keywords out of the box and don't close tickets even if there is no obvious workaround or fix imaginable at the moment. Thanks.

comment:6 in reply to:  5 Changed 9 months ago by cypherpunks

Replying to gk:

Please, don't invent new keywords out of the box and don't close tickets even if there is no obvious workaround or fix imaginable at the moment. Thanks.

Unless you encrypt all of Firefox's memory with an encryption key, and put that encryption key in non-paged memory, then you're not going to be able to keep all of Firefox off of the disk. Imagine how bad the performance hit for that would be! Forget the filename for the executable, everything in memory for Firefox is eligible to be paged out to the disk. Just like Linux's mlock(), Windows' VirtualLock() imposes a limit on how many pages you are allowed to lock per process. If Windows is anything at all like Linux in how it handles locked, non-paged memory (which I believe), I would have closed this ticket too.

The real solution for Windows for the stated threat model is to run this in cmd.exe, running as Administrator, in order to encrypt the paging file with a key stored in memory:

fsutil behavior set EncryptPagingFile 1
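
A way to audit whether the paging-file encryption setting named in the comment above is configured on a host, as an added example that is not part of the ticket or of any commenter's post. It assumes Windows PowerShell 3.0 or later in an elevated session; the function names are hypothetical.

```powershell
# Added example: report each paging file together with the EncryptPagingFile setting.
# Assumptions: Windows PowerShell 3.0+ (Get-CimInstance, [pscustomobject]), elevated prompt.

function Test-IsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-PagingFileEncryption {
    # fsutil prints a line of the form "EncryptPagingFile = 0" or "EncryptPagingFile = 1".
    $out = & fsutil.exe behavior query EncryptPagingFile 2>&1 | Out-String
    if ($out -match 'EncryptPagingFile\s*=\s*(\d+)') {
        return ([int]$Matches[1] -eq 1)
    }
    throw "Unexpected fsutil output: $out"
}

if (-not (Test-IsAdministrator)) {
    throw 'Run this from an elevated prompt, as the ticket comment does for fsutil.'
}

# This is the configured value; a change made with "fsutil behavior set"
# applies only after the next restart.
$encrypted = Get-PagingFileEncryption

# Win32_PageFileUsage lists every active paging file with sizes in MB.
$pageFiles = @(Get-CimInstance -ClassName Win32_PageFileUsage)

foreach ($pf in $pageFiles) {
    [pscustomobject]@{
        PagingFile  = $pf.Name
        AllocatedMB = $pf.AllocatedBaseSize
        InUseMB     = $pf.CurrentUsage
        Encrypted   = $encrypted
    }
}

if ($pageFiles.Count -eq 0) {
    'No paging file is configured on this host.'
} elseif (-not $encrypted) {
    Write-Warning 'EncryptPagingFile is 0: paged-out process memory reaches the disk unencrypted.'
}
```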
