[tor-bugs] #10599 [Tor bundles/installation]: Investigate building TBB with SoftBound or AddressSanitizer

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon May 26 16:39:02 UTC 2014 

#10599: Investigate building TBB with SoftBound or AddressSanitizer
------------------------------------------+--------------------------------
     Reporter:  mikeperry                 |      Owner:  erinn
         Type:  enhancement               |     Status:  new
     Priority:  major                     |  Milestone:
    Component:  Tor bundles/installation  |    Version:
   Resolution:                            |   Keywords:  gitian, tbb-
Actual Points:                            |  security
       Points:                            |  Parent ID:
------------------------------------------+--------------------------------

Comment (by mikeperry):

 Replying to [comment:22 gk]:
 > Replying to [comment:21 mikeperry]:
 > > gk - I have three thoughts about getting this out the door quicker in
 the best shape possible:
 > >
 > > 1. Screw lucid. Let's only support x64 and Precise+ with these builds.
 Build 4.9.0 and the ASAN+Ubsan+VTV firefox in Precise, and don't worry
 about that 4.9.0 compile error. (Though I guess this means we can't use
 the gitian-utils descriptors as-is to build this compiler with the rest of
 the tools..).
 >
 > We are not only throwing lucid but debian stable and presumably other
 distros as well out of the boat. So I'd rather avoid that at the moment if
 possible. Re: re-using descriptors: I wouldn't worry about that much
 currently as we need a separate hardening-branch anyway (e.g. we don't
 build 32bit bundles as this breaks etc.).

 Ubuntu 12.04 was released before debian/stable, so that should be OK. We'd
 only be dropping debian/oldstable, 10.04 LTS, and Centos 5 users, most
 likely. But if we can find a way to make it work on Lucid, sure.

 > > 2. Don't strip it, so stacktraces like the cyperpunks one in
 comment:16 make sense immediately without the need to make a second set of
 detached debug symbols for this build. This way we don't hit #12103
 either, and hopefully all of the other hardening options will remain in-
 tact too.
 > >
 > > 3. Install all Firefox langpack locales in one build. This way we
 don't have to ship 12 versions of this huge build. We can provide
 instructions for users on how to switch their language for now, and
 perhaps later add a Tor Launcher or other UI option to select locale for
 these builds.
 >
 > Hrm... I am not a fan of this idea for a couple of reasons:
 > 0) We need to fix #12103 anyway for non-hardened builds.

 Hrmm. Assuming it's as easy as using a newer binutils..

 > 1) Users have to download a huge build (e.g. the debug symbols file
 alone is twice as big with ASan) which might deter from testing/using it.

 Can we easily convert the stacktrace from
 http://paste.debian.net/hidden/b7b2f353/ using detached symbols? Can you
 post your symbols for that bug so I can take a look to see if it is
 possible?

 > 2) We need to provide additional instructions and/or a Tor Launcher
 patch that both need to be maintained.

 For the locale thing, I don't think this is too much of a problem compared
 to the cost to us otherwise. The alternative is an additional 15 40M files
 for each locale. It gets even more unweildy if we decide to do ASAN builds
 for all other platforms, as our dist size would then be around 4GB. I
 think we definitely want to avoid shipping two sets of bundles for all
 platforms for all locales. The only way this would be feasible is if we
 decided to only provide ASAN builds.

 In my experience, if the langpakcs are installed, all you have to do is
 switch the general.useragent.locale pref.

 > 3) (and this one is the most important to me) There might be cases where
 a stacktrace alone is not helpful for debugging, i.e. cases where we want
 things --enable-debug and --disable-optimize (and maybe others) give us.

 I suspect that symbols will be enough, here. Memory issues become much
 easier to diagnose when you catch them at the first point of illegal
 access (which is what ASAN gives us).

 > > Thoughts? I suppose an alternate way to achieve #1 might be to build a
 4.8 gcc in lucid and then use that gcc to build 4.9. Not sure which would
 mean more build time/hassle on average.
 >
 > I slightly prefer that approach to #1 if we don't find a better
 solution. It needs *once* more build time as we save the built utils (but
 this build time overhead can be quite a lot as we need to compile both
 gccs with -j1 due to autotools not liking libfaketime). Anyway, I've filed
 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61314 and maybe the gcc folks
 are coming up with an easy fix/workaround for us.

 Ok.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10599#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list