[tbb-dev] Future of Tor Browser hardened

Mark Smith mcs at pearlcrescent.com
Fri Feb 3 15:27:30 UTC 2017


On 2/2/17 4:52 PM, Tom Ritter wrote:
> I have a question about ASAN. Why do we release it? Is it because we
> think it can sometimes provide security? Or is it for the purposes of
> debugging? If it's for debugging, do we --enable-debug and
> --disable-optimize on this build and any other debugging stuff?
> 
> It's my hope that we will, in the next year, be able to ship more
> hardening features on more platforms. Adding in CFI for Linux and Mac;
> and CFG for Windows. There's jemalloc redzones (are those going in
> hardened, alpha, or release?)
> 
> Will these go into Alpha with the goal of getting them to release? And
> it would be awesome to move to a 64bit version for Windows. (I'm
> unclear why we have a 32 bit linux version actually; and when we get a
> 64 bit Windows version why we would keep a 32 bit version.)

Good questions. We need to be confident about the security benefits (it
is usually not too difficult to get to that point, although ASan is a
special case) and also the stability of anything before it goes into
our release builds... but we use our alpha channel to determine that, right?

As far as 32-bit Linux and Windows builds, we are trading off security
vs. compatibility with older OSes and hardware (maybe we are making the
wrong tradeoff).  For Win64 I am sure there is work to be done as well;
see https://trac.torproject.org/projects/tor/ticket/20636

> I guess what I'm trying to figure out is: if we aggressively move all
> hardening features we can into Alpha and then release; either the
> 'Hardened' version is really a Pre-Alpha (with ASAN for catching more
> bugs) or it's a Debug version. If it's pre-alpha, cool, let's make an
> alpha, beta, and release channel. If it's Debug, cool, it's Debug. =)

Maintaining another channel will be a challenge given our small team,
but what you say makes a lot of sense.  But I also wonder how many alpha
and hardened users we have and whether our audience of available testers
is too small to support another channel.  On the other hand, more people
should be willing to run something labeled "beta" instead of "alpha."

-- 
Mark Smith
Pearl Crescent
http://pearlcrescent.com/