[tbb-dev] So, about the Linux sandbox in the long term?

Arthur D. Edelstein arthuredelstein at gmail.com
Sat May 27 00:45:03 UTC 2017

Thanks for the clarifications, Tom and Yawning.

> I'm curious what the long term plans for the sandbox are

It seems there are different threats due to browser exploits we are
discussing here: (1) pwnage of the whole computer, (2) modifying the
browser or tor binaries, (3) modifying the torrc or otherwise
launching tor in a malicious way, and (4) one-time deanonymization via
the ControlPort. So I wonder if it would make sense to take a gradual
approach in which defenses are deployed one by one, starting with the
low-hanging fruit and working upwards. Something like:

Step 1: Containerize the whole bundle to defend against pwnage of the
whole computer.
Step 2: Create an external update mechanism and prevent firefox.exe
from writing to its own directory or the tor directory.
Step 3: Patch tor so that tor-launcher doesn't need to write to torrc
at all to configure tor. Launch tor independently of the browser, but
still configure tor using the tor-launcher extension UI, via a
filtered control port. Prevent firefox from accessing tor directory or
launching tor.
Step 4: Write a new tor-controller UI in QT or similar that replaces
functionality in tor-launcher and maybe the circuit display.

Am I right in thinking that there is a substantial security benefit to
each step? And would it be feasible to deploy each step to users in
standard Tor Browser without waiting for the next step to be ready?

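The filtered control port of step 3, as an added example that is not code from the post or from Tor Browser: a command allowlist that a small proxy sitting between the tor-launcher UI and tor's ControlPort could apply, so that a compromised browser can only send the handful of requests the launcher legitimately needs. The set of permitted commands and configuration keys is an assumption chosen for illustration.

```python
from __future__ import annotations
import re
import shlex

# Assumed policy for this example: what the launcher UI needs (bootstrap
# progress, bridge/network settings, NEWNYM). Anything not listed is refused,
# so a compromised browser cannot e.g. change where tor listens or read
# arbitrary GETINFO keys through the filter.
ALLOWED = {
    "GETINFO": {"status/bootstrap-phase", "version", "net/listeners/socks"},
    "GETCONF": {"usebridges", "bridge", "disablenetwork"},
    "SETCONF": {"usebridges", "bridge", "disablenetwork", "reachableaddresses"},
    "SIGNAL": {"newnym"},
}
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def check_command(raw: str) -> tuple[bool, str]:
    """Decide whether one control-port request line may be forwarded to tor.

    Returns (allowed, reason). Structure is checked first: an embedded CR/LF
    would smuggle a second command past the filter.
    """
    line = raw.rstrip("\r\n")
    if not line or _CONTROL_CHARS.search(line):
        return False, "empty line or control characters"
    head, _, args = line.partition(" ")
    cmd = head.upper()
    if cmd not in ALLOWED:  # also rejects "+LOADCONF"-style multi-line commands
        return False, f"command {cmd} not permitted"
    try:
        tokens = shlex.split(args)  # SETCONF values may be quoted strings
    except ValueError:
        return False, "unbalanced quoting"
    if not tokens:
        return False, f"{cmd} requires an argument"
    for tok in tokens:
        key = tok.split("=", 1)[0]  # SETCONF uses key=value, others bare keywords
        key = key if cmd == "GETINFO" else key.lower()  # config keys are case-insensitive
        if key not in ALLOWED[cmd]:
            return False, f"{cmd} argument {key!r} not permitted"
    return True, "ok"


def filter_session(lines: list[str]) -> list[tuple[str, bool, str | None]]:
    """Apply check_command to raw request lines; returns (line, forwarded, reply).

    The reply is what the filter sends back instead of tor's answer; reusing
    tor's 510 "unrecognized command" class for refusals is an assumption.
    """
    return [(raw, ok, None if ok else f"510 {why}")
            for raw, (ok, why) in ((r, check_command(r)) for r in lines)]
```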
