[tbb-bugs] #23024 [Applications/Tor Browser]: Flags to increase hardening on Windows

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jul 31 20:30:21 UTC 2017


#23024: Flags to increase hardening on Windows
--------------------------------------+--------------------------------
 Reporter:  arthuredelstein           |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_revision
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  TorBrowserTeam201707      |  Actual Points:
Parent ID:  #21448                    |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------------

Comment (by cypherpunks):

 Replying to [comment:1 arthuredelstein]:
 > However, a Windows Tor Browser built with this patch (using
 > `-fstack-protector-all`) doesn't seem subjectively slower to me, so I
 > would suggest trying this on the alpha, at least until we have a solution
 > for `-fstack-protector-strong` on mingw-w64.
 Also you can copy
 https://dxr.mozilla.org/mozilla-esr52/source/old-configure.in#957 to the
 `*-mingw*)` section to gain parity with Linux.

 Replying to [comment:4 gk]:
 > I tested `-fstack-protector-strong` on top of the latest
 > `tor-browser-bundle` commit. And the compilation worked as expected. Is
 > that a `tor-browser-build` issue? Or maybe the GCC version bump (tor
 > 5.4.0) resolved this problem?
 tor 5.4.0 from 2540 :) Try with `--disable-auto-import` for fun :)
 > Regarding fortify source: Have you checked whether the `_chk` part is
 > actually there after compiling with `-D_FORTIFY_SOURCE=2`? Because it does
 > not seem to be the case. Doing a
 > {{{
 > i686-w64-mingw32-nm -C firefox.exe | grep strcpy
 > }}}
 > after compiling with the flags in your patch does only give me a
 > {{{
 > 0041b3f4 I _imp__strcpy
 > 00413320 T strcpy
 > }}}
 > (Note: In order to check it the way I did you need to compile the
 > browser part with `--disable-strip` and `--disable-install-strip`)
 >
 > Assuming I am not mistaken then the likely root cause of this problem is
 > a GCC bug which the RedHat people are tracking in
 > https://bugzilla.redhat.com/show_bug.cgi?id=1324759.
 This is https://bugzilla.mozilla.org/show_bug.cgi?id=1359908

 You also need something to:
 1. check your flags passed and applied properly
 2. check features compiled properly
 3. check features work properly

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23024#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
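
The symbol check discussed in the comment above, as an added example that is not part of the original ticket or of Tor Browser's build scripts: a small filter that reads `nm` output and reports whether fortified `_chk` wrappers and the stack-protector runtime symbol are present. The function names and the "hardened" sample listing are constructed for illustration, and the symbol names assume the usual GCC/libssp naming (`__strcpy_chk`, `__stack_chk_fail`).

```shell
#!/bin/sh
# Added example: classify an `nm` symbol listing to see whether the
# hardening flags actually left traces in the binary.

# Constructed sample: the two lines quoted in the ticket (no _chk variant).
sample_unfortified() {
cat <<'EOF'
0041b3f4 I _imp__strcpy
00413320 T strcpy
EOF
}

# Constructed sample (hypothetical addresses): a listing in which both
# fortify wrappers and stack-protector symbols are present.
sample_hardened() {
cat <<'EOF'
0041b3f4 I _imp__strcpy
00413320 T strcpy
00413400 T __strcpy_chk
00413480 T __memcpy_chk
00413500 T __stack_chk_fail
0041c000 D __stack_chk_guard
EOF
}

# Reads nm output on stdin, prints "fortify=<n> ssp=<yes|no>".
#   fortify: number of distinct *_chk wrappers (excluding __stack_chk_*)
#   ssp:     yes if __stack_chk_fail is present
check_hardening() {
    awk '
        # Take the symbol name and drop the import prefix and leading underscores.
        { sym = $NF; sub(/^_imp_/, "", sym); sub(/^_+/, "", sym) }
        sym == "stack_chk_fail" { ssp = 1; next }
        sym ~ /^stack_chk_/     { next }
        sym ~ /^[a-z0-9]+_chk$/ { if (!(sym in seen)) { seen[sym] = 1; n++ } }
        END { printf "fortify=%d ssp=%s\n", n, (ssp ? "yes" : "no") }
    '
}

# Real use (unstripped build): i686-w64-mingw32-nm -C firefox.exe | check_hardening
sample_unfortified | check_hardening
sample_hardened | check_hardening
```

This covers only the "compiled properly" item of the list above; symbol presence does not show that the checks fire at run time.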

