Hello,
In the tests that we are doing on Tor Browser releases to check the hardenning of binary files, I am planning to add exceptions for the following files for the following tests (which are currently failing):
RELRO: TorBrowser/Tor/PluggableTransports/meek-client TorBrowser/Tor/PluggableTransports/meek-client-torbrowser TorBrowser/Tor/PluggableTransports/meek-client-torbrowser TorBrowser/Tor/PluggableTransports/obfs4proxy
stack_canary: libmozalloc.so libnssckbi.so libplc4.so libplds4.so TorBrowser/Tor/libstdc++.so.6 TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_ARC4.so TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_XOR.so TorBrowser/Tor/PluggableTransports/Crypto/Util/_counter.so TorBrowser/Tor/PluggableTransports/fte/cDFA.so TorBrowser/Tor/PluggableTransports/meek-client-torbrowser TorBrowser/Tor/PluggableTransports/twisted/python/_initgroups.so TorBrowser/Tor/PluggableTransports/twisted/runner/portmap.so TorBrowser/Tor/PluggableTransports/twisted/test/raiser.so TorBrowser/Tor/PluggableTransports/zope/interface/_zope_interface_coptimizations.so
PIE: TorBrowser/Tor/PluggableTransports/meek-client TorBrowser/Tor/PluggableTransports/meek-client-torbrowser TorBrowser/Tor/PluggableTransports/obfs4proxy
DEP/ASLR (Windows): TorBrowser/Tor/PluggableTransports/_ctypes.pyd TorBrowser/Tor/PluggableTransports/_hashlib.pyd TorBrowser/Tor/PluggableTransports/_socket.pyd TorBrowser/Tor/PluggableTransports/_ssl.pyd TorBrowser/Tor/PluggableTransports/bz2.pyd TorBrowser/Tor/PluggableTransports/Crypto.Cipher._AES.pyd TorBrowser/Tor/PluggableTransports/Crypto.Hash._SHA256.pyd TorBrowser/Tor/PluggableTransports/Crypto.Hash._SHA512.pyd TorBrowser/Tor/PluggableTransports/Crypto.Random.OSRNG.winrandom.pyd TorBrowser/Tor/PluggableTransports/Crypto.Util._counter.pyd TorBrowser/Tor/PluggableTransports/Crypto.Util.strxor.pyd TorBrowser/Tor/PluggableTransports/flashproxy-client.exe TorBrowser/Tor/PluggableTransports/flashproxy-reg-appspot.exe TorBrowser/Tor/PluggableTransports/flashproxy-reg-email.exe TorBrowser/Tor/PluggableTransports/flashproxy-reg-http.exe TorBrowser/Tor/PluggableTransports/flashproxy-reg-url.exe TorBrowser/Tor/PluggableTransports/fte.cDFA.pyd TorBrowser/Tor/PluggableTransports/fteproxy.exe TorBrowser/Tor/PluggableTransports/M2Crypto.__m2crypto.pyd TorBrowser/Tor/PluggableTransports/meek-client-torbrowser.exe TorBrowser/Tor/PluggableTransports/meek-client.exe TorBrowser/Tor/PluggableTransports/obfs4proxy.exe TorBrowser/Tor/PluggableTransports/obfsproxy.exe TorBrowser/Tor/PluggableTransports/pyexpat.pyd TorBrowser/Tor/PluggableTransports/python27.dll TorBrowser/Tor/PluggableTransports/select.pyd TorBrowser/Tor/PluggableTransports/terminateprocess-buffer.exe TorBrowser/Tor/PluggableTransports/unicodedata.pyd TorBrowser/Tor/PluggableTransports/w9xpopen.exe TorBrowser/Tor/PluggableTransports/zope.interface._zope_interface_coptimizations.pyd
On 15 June 2015 at 13:04, Nicolas Vigier boklm@mars-attacks.org wrote:
stack_canary: libmozalloc.so libnssckbi.so libplc4.so libplds4.so
These are the only ones that look unusual to me - I never did figure out why they lack the protection, did I...
TorBrowser/Tor/libstdc++.so.6
We build this, don't we? So in theory this could have protections added to it also...
-tom
On Mon, 15 Jun 2015, Nicolas Vigier wrote:
stack_canary: libmozalloc.so libnssckbi.so libplc4.so libplds4.so TorBrowser/Tor/libstdc++.so.6 TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_ARC4.so TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_XOR.so TorBrowser/Tor/PluggableTransports/Crypto/Util/_counter.so TorBrowser/Tor/PluggableTransports/fte/cDFA.so TorBrowser/Tor/PluggableTransports/meek-client-torbrowser TorBrowser/Tor/PluggableTransports/twisted/python/_initgroups.so TorBrowser/Tor/PluggableTransports/twisted/runner/portmap.so TorBrowser/Tor/PluggableTransports/twisted/test/raiser.so TorBrowser/Tor/PluggableTransports/zope/interface/_zope_interface_coptimizations.so
In this list I forgot those 2 files:
TorBrowser/Tor/PluggableTransports/meek-client TorBrowser/Tor/PluggableTransports/obfs4proxy
which are missing stack canary on linux32 (but not on linux64).