Build the browser with Address Sanitizer or SoftBound
It requires either clang 3.1 or gcc 4.8. Neither is in Wheezy.
#2 Updated by intrigeri over 5 years ago
Two Debian developers (Enrico Zini, Sylvestre Ledru) have tried backporting GCC 4.8 for Wheezy, and gave up.
The TBB folks managed to build GCC 4.9 on Lucid, but https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61408.
On June 6, 2014, GeKo writes: "I don't get any fx >24 compiled with clang 3.5; at least not with ASan"
#8 Updated by intrigeri almost 4 years ago
- Status changed from Confirmed to In Progress
#9 Updated by cypherpunks almost 3 years ago
Please do not build Tor Browser with Address Sanitizer. It is not intended for use in production, and can open up additional security holes (for example, http://www.openwall.com/lists/oss-security/2016/02/17/9, though Firefox is not setuid, so this just provides an example of ASan's poor security record), and it actually disables other existing mitigations when it is in use. Apparently, the hardened builds of Tor Browser are intended for debugging and for finding serious bugs, not for security, which seems very misleading. Not only is it not designed for security, it also does not actually stop common exploits. A writeup at https://scarybeastsecurity.blogspot.se/2014/09/using-asan-as-protection.html concludes that it only provides significant protection against simple linear buffer overflows (which Selfrando already protects against), and is fooled by all the other listed bugs.
In #tor-dev, GeKo (a Tor Browser developer) agrees that it is not meant to be used in production, and should not be used by people who do not understand the tradeoffs.
< ryonaloli> does the hardened browser still use ASan?
< ryonaloli> or has it been dropped yet?
< GeKo> ryonaloli: it's still using ASan
< ryonaloli> are there any arguments for removing it? ASan is not intended for use in production.
< GeKo> the hardened builds are a means of helping us to find critical bugs
< GeKo> they are not necessarily meant for use in production
< GeKo> which is why ASan never will appear in the stable series
< ryonaloli> GeKo: it sounds like it's misleading users then, as most people who use it are under the impression that it is a slow but secure version of tor browser.
< GeKo> that might well be so, yes
And in #grsecurity, strcat (creator of Copperhead) agrees that it is not meant for hardening and should not be used in production.
< ryonaloli> strcat: asan is not a good hardening technique in production, right?
< strcat> ryonaloli: it's not meant for hardening
< strcat> could make something similar for that purpose but it isn't that
< strcat> I thought they already dropped asan
< ryonaloli> strcat: apparently they still are using asan.
< strcat> why don't they invest some of their huge funding into making a production quality bounds checker
< ryonaloli> well I just asked them and they said it was a version of tor browser intended to help them find critical bugs.
< ryonaloli> and not intended for use in production so...
< strcat> uh they call it hardened tho
< strcat> it doesn't provide full memory safety and it's a debugging oriented tool with a complex runtime that compromises lots of other mitigations
< strcat> so you're trading off these other mitigations working for something that is incomplete and apparently quite poorly understood by people deploying it
< strcat> there are attempts to provide memory safety for C with compile-time + runtime instrumentation, ASan is not one of them
< strcat> ASan is a debugging tool, to detect/report a subset of memory corruption issues