[tor-dev] TBB Memory Allocator choice fingerprint implications

procmem at riseup.net procmem at riseup.net
Sat Aug 17 22:13:19 UTC 2019


On Sat, 17 Aug 2019 at 21:17, Tom Ritter <tom at ritter.vg> wrote:
> On Sat, 17 Aug 2019 at 15:06, procmem at riseup.net <procmem at riseup.net> wrote:
> > Question for the Tor Browser experts. Do you know if it is possible to
> > remotely fingerprint the browser based on the memory allocator it is
> > using? (via JS or content rendering)
> Fingerprint what aspect of the browser/machine?
I'm not really sure (I'm of the opinion it should not matter) and so I'm curious as to what could 
be affected if anything. 

Some members of our team are divided about making it the default because of unknown consequences 
which is what I'm trying to clear up.
> > We are thinking of switching Tor Browser to use the minimalist and
> > security oriented hardened_malloc written by Daniel Micay. Thanks.
> I wouldn't advise giving up partitioning for.... what exactly? What
> features does this allocator have that 68's jemalloc doesn't?
>
> -tom

So the original suggestion [0] was prompted by past research done by the Tor Browser team for a jemalloc 
alternative. [1] Hardened_malloc wasn't around back then so it may be a worthy alternative for you guys to switch to too.
 
Hardened_malloc has a partitioned heap among many other defenses implemented if I understand their label 
correctly (please see "Security properties" section in [2]). Also available on ARM. 

[0] https://forums.whonix.org/t/hardened-malloc/7474
[1] https://trac.torproject.org/projects/tor/ticket/10281
[2] https://github.com/GrapheneOS/hardened_malloc

***

PS. A related debate is on whether we should enable AppArmor and Firejail sandboxing for Tor Browser by default,
but again we don't know if restriction to resources and file paths on the machine is something that is remotely
detectable as an anomaly or not, ruining the fingerprint in the process. Input is appreciated. Related thread:

https://forums.whonix.org/t/tor-browser-hardening-hardened-malloc-firejail-apparmor-vs-web-fingerprint/7851
