Feature #7155

Build the browser with Address Sanitizer or SoftBound

Added by intrigeri about 5 years ago. Updated about 2 years ago.

Target version:
Start date:
Due date:
% Done:


Feature Branch:
Type of work:
Affected tool:

Related issues

Related to Tails - Feature #5802: Harden the web browser at compile time Resolved
Duplicated by Tails - Feature #12179: Tor Browser hardened Duplicate 01/26/2017


#1 Updated by BitingBird about 5 years ago

  • Category set to 176

#2 Updated by intrigeri about 5 years ago

Two Debian developers (Enrico Zini, Sylvestre Ledru) have tried backporting GCC 4.8 for Wheezy, and gave up.

The TBB folks managed to build GCC 4.9 on Lucid, but

On June 6, 2014, GeKo writes: "I don't get any fx >24 compiled with clang 3.5; at least not with ASan"

#3 Updated by intrigeri about 5 years ago

  • Subject changed from Build the browser with Address Sanitizer to Build the browser with Address Sanitizer or SoftBound

#4 Updated by intrigeri almost 5 years ago

  • Parent task deleted (#5802)

#5 Updated by intrigeri almost 5 years ago

  • Related to Feature #5802: Harden the web browser at compile time added

#6 Updated by intrigeri over 4 years ago

  • Type of work changed from Research to Wait

Now that we're shipping Tor Browser, that's a job for upstream.

#7 Updated by sajolida almost 4 years ago

  • Target version deleted (Hardening_M1)

#8 Updated by intrigeri over 3 years ago

  • Status changed from Confirmed to In Progress

#9 Updated by cypherpunks over 2 years ago

Please do not build Tor Browser with Address Sanitizer. It is not intended for use in production, and can open up additional security holes (for example,, though Firefox is not setuid, so this just provides an example of ASan's poor security record), and actually disables other extant mitigations when it is in use. Apparently, the hardened builds of Tor Browser are intended for debugging and for finding serious bugs, not for security, which seems very misleading. It's not just not designed for security, but it does not actually stop common exploits. A writeup at concludes that it only provides significant protection against simple linear buffer overflows (which Selfrando already protects against), and is fooled by all the other listed bugs.

In #tor-dev, GeKo (a Tor Browser developer) agrees that it is not meant to be used in production, and should not be used by people who do not understand the tradeoffs.

< ryonaloli> does the hardened browser still use ASan?
< ryonaloli> or has it been dropped yet?
< GeKo> ryonaloli: it's still using ASan
< ryonaloli> are there any arguments for removing it? ASan is not intended for use in production.
< GeKo> the hardened builds are a means of helping us to fin critical bugs
< GeKo> they are not necessary meant for use in production
< GeKo> which is why ASan never will appear in the stable series
< ryonaloli> GeKo: it sounds like it's misleading users then, as most people who use it are under the impression that it is a slow but secure version of tor browser.
< GeKo> that might well be so, yes

And in #grsecurity, strcat (creator of Copperhead) agrees that it is not meant for hardening and should not be used in production.

< ryonaloli> strcat: asan is not a good hardening technique in production, right?
< strcat> ryonaloli: it's not meant for hardening
< strcat> could make something similar for that purpose but it isn't that
< strcat> I thought they already dropped asan
< ryonaloli> strcat: apparently they still are using asan.
< strcat> why don't they invest some of their huge funding into making a production quality bounds checker
< ryonaloli> well i just asked them and they said it was a version of tor browser intended to help them find critical bugs.
< ryonaloli> and not intended for use in production so...
< strcat> uh they call it hardened tho
< strcat> it doesn't provide full memory safety and it's a debugging oriented tool with a complex runtime that compromises lots of other mitigations
< strcat> so you're trading off these other mitigations working for something that is incomplete and apparently quite poorly understood by people deploying it
< strcat> there are attempts to provide memory safety for C with compile-time + runtime instrumentation, ASan is not one of them
< strcat> ASan is a debugging tool, to detect/report a subset of memory corruption issues

#10 Updated by intrigeri over 2 years ago

#11 Updated by u about 2 years ago

  • Status changed from In Progress to Rejected

Looks like this is not relevant anymore, closing.

Also available in: Atom PDF