Tor Browser sandboxing and Tor launcher for all supported platforms

Facilitator: sysrqb

  • Firefox is huge, complicated codebase
  • history has shown this means exploits can be targetted at Tor Browser
  • there was a prototype, "Sandboxed Tor Browser", time to revive it!

How Tor Browser is structured

  • TorLauncher runs in Firefox, and TorLauncher launches tor
  • That means exploits in Firefox could then reach tor itself

How Sandboxed Tor Browser is structured

  • TorLauncher starts first, it starts Firefox and tor separately
  • Firefox is sandboxed, and isolated from the system with no direct internet access

Mozilla didn't like that design, too complicated, better handled by isolating components within Firefox itself Tor devs weren't entirely convinced that this might still be worth it

The big downside is that only one set of sandboxing can apply at the OS level, so the Sandbox Tor Browser setup would disable the Firefox component sandboxing.

  • Android is quite different, but lots of it is already provided by running Tor and Firefox as separate apps
  • UNIX domain sockets are considered network, so removing network permission from Firefox means it cannot communicate with tor
  • Android Binder interface and cross-process InputStreams might be a possisibilities

There isn't really something that we can see that would work on iOS.

X11 is a big problem here, but too big a problem for us to fix, so ignore it for now

Flatpak provides good, transparent sandboxing, the Tor Browser design should work with Flatpak

Tor Browser was using only a domain socket in alpha, but was switched back due to breakage. This still a promising idea.

Could TorBrowser unpack Firefox each time the starts? No go on MacOS or Android, but maybe Windows and GNU/Linux. This would help remove issues where exploit gets write, that can't convert to execute via writing to Firefox files.

Last modified 2 months ago Last modified on Oct 1, 2018, 5:11:45 PM