[tor-bugs] #21010 [Applications/Tor Browser Sandbox]: Disable RDTSC/RDTSCP to limit side-channel attacks

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Dec 17 09:03:50 UTC 2016


#21010: Disable RDTSC/RDTSCP to limit side-channel attacks
----------------------------------------------+-------------------------
 Reporter:  cypherpunks                       |          Owner:  yawning
     Type:  enhancement                       |         Status:  new
 Priority:  High                              |      Milestone:
Component:  Applications/Tor Browser Sandbox  |        Version:
 Severity:  Normal                            |     Resolution:
 Keywords:                                    |  Actual Points:
Parent ID:                                    |         Points:
 Reviewer:                                    |        Sponsor:
----------------------------------------------+-------------------------

Comment (by cypherpunks):

 Unfortunately, due to Firefox's use of jemalloc3, its own ASLR is much
 weaker than it should be, making it very vulnerable to local and remote
 infoleaks without the use of timing attacks. I don't know if this is
 something that jemalloc4 will fix, but PartitionAlloc (Chromium's malloc)
 and ptmalloc3 (glibc's malloc) do not have this problem.

 Am I misunderstanding the browser sandbox's threat model? If an attacker
 manages to execute timestamp counter instructions, they either have full
 code execution or a successful ROP chain (with Firefox, it'd surely be
 Turing complete). At that point, they don't need to break Firefox's ASLR.
 It doesn't matter if they discover other processes' ASLR offsets, because
 the sandbox should prevent them from sending over shellcode, right?
 Getting the offsets of long-running daemons for later exploitation after
 compromising a second process doesn't seem like an issue either, because
 an attacker could just break ASLR from there. And kASLR is already so
 badly broken that protecting it by disabling TSC-related instructions is
 a waste, considering an attacker would just use `TSX` instead, as it
 fully defeats kASLR and 32-bit ASLR, and makes 64-bit ASLR more feasible
 to brute force.

 Is there a reason that timing attacks against ASLR are the primary issue
 in the Tor Browser Sandbox's threat model, rather than any number of other
 attacks made possible by `RDTSC` and `RDTSCP`?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21010#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
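Added example (not part of the ticket, of this comment, or of the Tor Browser Sandbox's own code): the argument above turns on whether a sandboxed process can execute the timestamp counter instructions at all. On Linux/x86 the kernel offers a per-thread switch for exactly this, prctl(PR_SET_TSC, PR_TSC_SIGSEGV), which sets CR4.TSD for the task so that RDTSC and RDTSCP fault in user mode and are delivered as SIGSEGV. The program below disables the TSC for the calling thread, shows the fault, and re-enables it. Whether the Tor Browser Sandbox uses this prctl is not stated anywhere on this page and is assumed here only for illustration; the function and enum names are the example's own.

```c
/* Added example: block RDTSC/RDTSCP for the calling thread with
 * prctl(PR_SET_TSC, PR_TSC_SIGSEGV), observe the SIGSEGV, re-enable.
 * Linux/x86 only. Not code from the Tor Browser Sandbox; whether that
 * project uses this prctl is an assumption, not something the ticket says. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__linux__) && (defined(__x86_64__) || defined(__i386__))
#include <sys/prctl.h>
#define HAVE_TSC_PRCTL 1
#endif

enum tsc_result {
    TSC_NOT_SUPPORTED = 0,  /* not Linux/x86, or the kernel rejected PR_SET_TSC */
    TSC_STILL_READABLE = 1, /* prctl accepted but RDTSC did not fault (unexpected) */
    TSC_BLOCKED = 2         /* RDTSC raised SIGSEGV as intended */
};

static sigjmp_buf tsc_jmp;
static volatile sig_atomic_t tsc_faulted;

static void on_sigsegv(int sig)
{
    (void)sig;
    tsc_faulted = 1;
    siglongjmp(tsc_jmp, 1); /* resume after the faulting RDTSC */
}

/* 1 if this build can execute RDTSC and call PR_SET_TSC at all. */
int tsc_platform_supported(void)
{
#ifdef HAVE_TSC_PRCTL
    return 1;
#else
    return 0;
#endif
}

/* Read the counter; 0 on builds without RDTSC. */
uint64_t read_tsc(void)
{
#ifdef HAVE_TSC_PRCTL
    uint32_t lo, hi;
    __asm__ volatile ("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
#else
    return 0;
#endif
}

/* 1 if two successive reads are usable (non-zero, second >= first). */
int tsc_is_monotonic(void)
{
    uint64_t a = read_tsc();
    uint64_t b = read_tsc();
    return a != 0 && b >= a;
}

/* Disable the TSC for this thread, attempt RDTSC, restore the TSC and
 * the previous SIGSEGV disposition, and report what happened. Always
 * re-enables: the vDSO clock_gettime() fast path itself executes RDTSC. */
enum tsc_result tsc_demo(void)
{
#ifdef HAVE_TSC_PRCTL
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigsegv;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0)
        return TSC_NOT_SUPPORTED;

    if (prctl(PR_SET_TSC, PR_TSC_SIGSEGV, 0, 0, 0) != 0) {
        sigaction(SIGSEGV, &old, NULL);     /* e.g. EINVAL under an emulator */
        return TSC_NOT_SUPPORTED;
    }

    tsc_faulted = 0;
    if (sigsetjmp(tsc_jmp, 1) == 0)
        (void)read_tsc();                   /* #GP in ring 3 -> SIGSEGV */

    prctl(PR_SET_TSC, PR_TSC_ENABLE, 0, 0, 0);
    sigaction(SIGSEGV, &old, NULL);
    return tsc_faulted ? TSC_BLOCKED : TSC_STILL_READABLE;
#else
    return TSC_NOT_SUPPORTED;
#endif
}

int main(void)
{
    printf("before: monotonic=%d\n", tsc_is_monotonic());
    enum tsc_result r = tsc_demo();
    printf("with PR_TSC_SIGSEGV: %s\n",
           r == TSC_BLOCKED ? "RDTSC raised SIGSEGV" :
           r == TSC_STILL_READABLE ? "RDTSC still executed (unexpected)" :
           "PR_SET_TSC not available here");
    printf("after re-enable: monotonic=%d\n", tsc_is_monotonic());
    return 0;
}
```

Two caveats a sandbox author would want alongside this. First, the switch is coarse: with CR4.TSD set, glibc's clock_gettime() fast path in the vDSO faults too, so a real sandbox has to decide what a SIGSEGV on a clock read should become (the example simply re-enables the TSC before returning). Second, removing RDTSC removes one fine-grained clock, not all of them: a second thread incrementing a shared counter still gives an attacker a timer, which is the kind of alternative the comment above is gesturing at.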
