[tor-bugs] #15138 [Applications/Quality Assurance and Testing]: Investigate TBB 4.5 hardening (e.g. DEP/ASLR) on all Platforms

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Oct 24 12:20:47 UTC 2016


#15138: Investigate TBB 4.5 hardening (e.g. DEP/ASLR) on all Platforms
-------------------------------------------------+-------------------------
 Reporter:  tom                                  |          Owner:  boklm
     Type:  task                                 |         Status:
                                                 |  assigned
 Priority:  Medium                               |      Milestone:
Component:  Applications/Quality Assurance and   |        Version:
  Testing                                        |
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-security, tbb-testcase,          |  Actual Points:
  ff38-esr, tbb-hardened, TorBrowserTeam201610   |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  SponsorU
-------------------------------------------------+-------------------------

Comment (by boklm):

 Commit 3178db78b764cdc6b731aaab6ef128d39af88369 is adding a test
 `otool_PIE` which is using `otool -hv` to check that executables included
 in the OSX bundle are PIE.

 In Tor Browser 6.5a3, it reports that the following files are not PIE:
  - Contents/MacOS/Tor/PluggableTransports/meek-client
  - Contents/MacOS/Tor/PluggableTransports/obfs4proxy
  - Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
  - Contents/MacOS/firefox
  - Contents/Resources/webapprt-stub
  - Contents/MacOS/updater.app/Contents/MacOS/updater
  - Contents/MacOS/Tor/PluggableTransports/meek-client-torbrowser

 We have ticket #20439 to fix the firefox binaries. The other files (meek-
 client, meek-client-torbrowser, obfs4proxy) are `golang` programs. I will
 add an exception for the `golang` programs, as the Go linker does not
 support PIE according to
 https://trac.torproject.org/projects/tor/ticket/10935#comment:13.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15138#comment:25>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list