[tbb-dev] [Tails-dev] Tor Browser self-updater vs. sandboxing

intrigeri intrigeri at boum.org
Mon Sep 22 21:51:22 UTC 2014


Tom Ritter wrote (30 Jun 2014 17:03:49 GMT) :
> Preventing a program from modifying itself is a distinct problem.

Point taken.

> Trying to prevent an application from modifying itself on disk, so
> that the changes persist after application shutdown, _could_ be
> achieved by a sandbox - but it would have to be taken on a
> case-by-case basis.  Considering Tor Browser, the sandbox could
> probably, easily, enforce read-only access to executables and
> libraries.  But I'm not sure how many things the 'New Identity' button
> wipes out.  If it doesn't wipe out everything, there are persistence
> mechanisms between application executions that the sandbox _should_
> allow.  For example, if installed extensions persist between 'New
> Identity' - that's allows arbitrary code execution (inside the
> sandbox).

Indeed, the sandbox I have in mind would grant write access to
Data/Browser/profile.default/extensions, and given the potential for
persisting arbitrary code in there, it makes little sense to block
write access to other programs and libraries shipped by the bundle.

> It could change the entry guards, hardcode an exit, [...]

Yep, I guess that's correct due to the fact the browser (when using
tor-launcher) needs to be allowed to control Tor directly.

> It sounds more like you want application imaging. [...]

Thanks for the detailed analysis!


More information about the tbb-dev mailing list