On Fri, 16 May 2014, isis wrote:

Nicolas Vigier transcribed 2.6K bytes:

...

- Looked at Mbox[2]: a sandboxing tool based on ptrace and seccomp/BPF. This can be used in the test suite to get the list of files modified by the browser after running a test, to check that it did not create or modify files in unexpected places. This can also be used to log all network connections, to check that everything goes through tor. I was previously thinking about doing that using Docker, but now it seems more simple with Mbox.

Mbox is neat! It looks like it's git based, right? Or at least includes some sort of CVS system. Either way, great idea, testing for connections not matching " -> 127.0.0.1" should be easy. :)

...

[2]: http://pdos.csail.mit.edu/mbox/

Yes, it's nice! It's not git or CVS based. But it stores all new and modified files in a separate directory, doing copy-on-write when opening files with write permissions, by hijacking arguments of system calls which access files. And after running the program, asks you which copy of the files you want to keep (or you can manually copy the files from the sandbox directory). It can also be used to log in a file all network connections opened. Initially the filesystem sandoxing part didn't work with Tor Browser because of some bugs in Mbox, but it's now fixed so we'll be able to use it in the TBB test suite to monitor the files modified, created and removed by Tor Browser, and network connections made. Yesterday I also made a patch that allows filtering which connections can be made: https://github.com/tsgates/mbox/commit/6dd0e49202795564e627e9eeba664fc685b14... It could be used for instance to make sure a program will not connect anywhere without using tor. This can be done like this: $ cat tor.profile [fs] direct: / [network] block: 0.0.0.0 allow: 127.0.0.1:9050 $ mbox -p ./tor.profile -- curl -I http://www.google.com/ curl: (6) Could not resolve host: www.google.com $ mbox -p ./tor.profile -- curl --socks5-hostname 127.0.0.1:9050 -I http://www.google.com/ HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=UTF-8 Location: http://www.google.co.in/?gfe_rd=cr&ei=GoiDU-76DcSU-wbdy4HgDg Content-Length: 261 Date: Mon, 26 May 2014 18:29:46 GMT Server: GFE/2.0 Alternate-Protocol: 80:quic $ mbox -o /dev/null -p ./tor.profile -- nmap localhost Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-26 20:32 CEST Nmap scan report for localhost (127.0.0.1) Host is up (0.0022s latency). Not shown: 999 closed ports PORT STATE SERVICE 9050/tcp open tor-socks Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds $ nmap localhost Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-26 20:32 CEST Nmap scan report for localhost (127.0.0.1) Host is up (0.00048s latency). Not shown: 996 closed ports PORT STATE SERVICE 25/tcp open smtp 111/tcp open rpcbind 631/tcp open ipp 9050/tcp open tor-socks Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds It's also possible to kill a process which does unallowed connections, rather than just blocking those connections: $ cat tor.profile [fs] direct: / [network] kill: 0.0.0.0 allow: 127.0.0.1:9050 $ mbox -o /dev/null -p ./tor.profile -- nmap localhost Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-26 20:37 CEST Stop executing pid=5298: Connect to 127.0.0.1 port 80 However, a warning if some people want to use this: it's still alpha quality software, so probably not a good idea to use it for something where security is important without more review.