[tbb-dev] Future of Tor Browser hardened

Tom Ritter tom at ritter.vg
Thu Feb 2 21:52:53 UTC 2017


On 2 February 2017 at 15:28, Georg Koppen <gk at torproject.org> wrote:
> Hi all,
>
> a while ago a ticket about renaming our "hardened" series got filed[1].
> There, it is argued we should think about renaming the hardened series
> to something else as it is probably not as hardened as one would expect
> and thus misleading our users. Especially shipping that build with
> Address Sanitizer (ASan) enabled caused some folks to point out that
> ASan is mainly a debugging tool (which the other goal of the hardened
> series is) which is very likely at odds with the hardened aspect of the
> series.
>
> While I still stand by the things we said in our blog post[2] back then
> when we introduced the hardened series, I am fine with picking this
> discussion up right now and moving on to a decision. The reason for that
> is that we have Yawning Angel's sandboxed Tor Browser which achieves the
> goal of preventing harm from our users much better than the hardened
> aspect of our hardened series could ever do. Moreover, selfrando, one of
> the noteworthy aspects of our hardened series, is about to get shipped
> in our regular alphas. If all goes well it will be available in 7.0a2.
>
> So, things we need to decide are
>
> 1) What do we want to do with our hardened series? Should we rename it
> to "debug series" or something similar?
>
> 2) Should we expose the renamed thing to the general public as its own,
> new series or should we just ship the means to create a debugging build
> whenever we need one?
>
> 3) What should we do with users already being on the hardened update
> channel? Should they get moved to our alpha channel with some notice?
>
> or maybe some fourth or fifth item rendering 1)-3) moot but which I did
> not come up with?

I have a question about ASAN. Why do we release it? Is it because we
think it can sometimes provide security? Or is it for the purposes of
debugging? If it's for debugging, do we --enable-debug and
--disable-optimize on this build and any other debugging stuff?

It's my hope that we will, in the next year, be able to ship more
hardening features on more platforms. Adding in CFI for Linux and Mac;
and CFG for Windows. There's jemalloc redzones (are those going in
hardened, alpha, or release?)

Will these go into Alpha with the goal of getting them to release? And
it would be awesome to move to a 64bit version for Windows. (I'm
unclear why we have a 32 bit linux version actually; and when we get a
64 bit Windows version why we would keep a 32 bit version.)

I guess what I'm trying to figure out is: if we aggressively move all
hardening features we can into Alpha and then release; either the
'Hardened' version is really a Pre-Alpha (with ASAN for catching more
bugs) or it's a Debug version. If it's pre-alpha, cool, let's make an
alpha, beta, and release channel. If it's Debug, cool, it's Debug. =)

And all of these are separate from Yawning's Sandboxed version.

-tom