#23024: Flags to increase hardening on Windows
-------------------------------------------+-------------------------------
 Reporter:  arthuredelstein                |          Owner:  tbb-team
     Type:  defect                         |         Status:  needs_revision
 Priority:  Medium                         |      Milestone:
Component:  Applications/Tor Browser       |        Version:
 Severity:  Normal                         |     Resolution:
 Keywords:  TorBrowserTeam201711, tbb-rbm  |  Actual Points:
Parent ID:  #21448                         |         Points:
 Reviewer:                                 |        Sponsor:
-------------------------------------------+-------------------------------
Comment (by tom):

Replying to [comment:13 cypherpunks]:

> What about `--icf=all` automatically?
> https://github.com/llvm/llvm-project/blob/d0f63f83e7c5c6fc11e964f848d1496234695182/lld/MinGW/Driver.cpp#L265

Haven't heard of it; but https://clang.llvm.org/docs/UsersManual.html says that the arguments needed for ICF to work (-faddrsig) are ELF only...

> > --forceinteg - not applicable to clang/lld
>
> What do you mean? Just disabled by default:
> https://github.com/llvm/llvm-project/blob/ee6fbebbaff5af0a0fbe58a0e33ef191340223ea/lld/COFF/Driver.cpp#L1507

Ahhah; I was wrong. So it looks like this sets IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY, which requires a file to be signed before it's loaded. Frankly it seems kind of useless to me: an attacker who can modify the DLL would invalidate the signature, but they could just strip the signature and then unset the flag. But if it costs nothing, I'd say sure, flip it; but I'm not sure which Tor Browser releases we Authenticode sign, which this would require.

> > --no-seh - set by lld automatically https://reviews.llvm.org/D41252 (but this would be good to confirm manually)
>
> What about `--safeseh` automatically?
> https://github.com/llvm/llvm-project/blob/ee6fbebbaff5af0a0fbe58a0e33ef191340223ea/lld/COFF/Driver.cpp#L1617

Oh, good catch: on by default except for MinGW. We should investigate why that is and if we can enable it.

> > --tsaware - I'm not sure but I really hope that this is completely unneeded by now.
>
> Because it is enabled and should be enabled by default, you mean?
> https://github.com/llvm/llvm-project/blob/ee6fbebbaff5af0a0fbe58a0e33ef191340223ea/lld/COFF/Driver.cpp#L1513

https://docs.microsoft.com/en-us/cpp/build/reference/tsaware-create-terminal-server-aware-application?view=vs-2019

"When an application is not Terminal Server aware (also known as a legacy application), Terminal Server makes certain modifications to the legacy application to make it work properly in a multiuser environment. For example, Terminal Server will create a virtual Windows folder, such that each user gets a Windows folder instead of getting the system's Windows directory. This gives users access to their own INI files. In addition, Terminal Server makes some adjustments to the registry for a legacy application. These modifications slow the loading of the legacy application on Terminal Server."

I had hoped that all this nonsense was not needed/performed in Windows 10, or at least that the compiler set the flag automatically. The code makes it seem like it does not; but I can't find the flag in Firefox's code, which implies that it would not be setting it either... More investigation needed, specifically what Firefox sets and if this has any effect on Windows 7+.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23024#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
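The flags argued over in this comment (FORCE_INTEGRITY, TSAWARE, and the rest of the DllCharacteristics word) are readable straight from the PE optional header, which is the quickest way to settle "what does the shipped binary actually set". The Python below is an added example, not code from the ticket, Tor Browser, Firefox or lld: it parses only the DOS/COFF/optional headers, reports each IMAGE_DLLCHARACTERISTICS_* bit by name, and flags the combinations that undermine hardening (for instance DYNAMIC_BASE together with stripped relocations). The sample images it checks are constructed header-only byte strings, not real binaries, and it does not read the Load Config directory, so it says nothing about SafeSEH; the function names and the finding wording are this example's own.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bit values from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# IMAGE_FILE_* bits of the COFF header that matter for hardening.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_DLL = 0x2000

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_hardening_report(data: bytes) -> dict:
    """Parse only the headers of a PE image and report its DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symptr, _nsym, opt_size, file_chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20  # COFF file header is 20 bytes
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "is_dll": bool(file_chars & IMAGE_FILE_DLL),
        "relocs_stripped": bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED),
        "dll_characteristics": dll_chars,
        "flags": {name for bit, name in DLL_CHARACTERISTICS.items() if dll_chars & bit},
    }


def hardening_findings(report: dict) -> list:
    """Turn a report into human-readable observations about the flags discussed on the ticket."""
    flags = report["flags"]
    findings = []
    if "DYNAMIC_BASE" not in flags:
        findings.append("no DYNAMIC_BASE: image will not be relocated (no ASLR)")
    elif report["relocs_stripped"]:
        findings.append("DYNAMIC_BASE set but relocations stripped: ASLR cannot apply")
    if "NX_COMPAT" not in flags:
        findings.append("no NX_COMPAT: image does not opt in to DEP")
    if report["pe32plus"] and "HIGH_ENTROPY_VA" not in flags:
        findings.append("64-bit image without HIGH_ENTROPY_VA: not opted in to high-entropy ASLR")
    if "FORCE_INTEGRITY" in flags:
        findings.append("FORCE_INTEGRITY set: loader requires a valid Authenticode signature")
    if "TERMINAL_SERVER_AWARE" not in flags:
        findings.append("no TERMINAL_SERVER_AWARE: Terminal Server treats image as a legacy app")
    return findings


def build_sample_pe(machine: int, file_chars: int, dll_chars: int, pe32plus: bool = True) -> bytes:
    """Construct a header-only PE image for demonstration (sample data, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, 2)  # Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


def report_file(path: str) -> dict:
    """Read a real image from disk and report on it."""
    with open(path, "rb") as fh:
        return pe_hardening_report(fh.read())


if __name__ == "__main__":
    # Constructed samples: a hardened x64 DLL and a legacy x86 EXE that only sets FORCE_INTEGRITY.
    for label, image in (
        ("hardened x64 dll", build_sample_pe(0x8664, 0x2022, 0x8160)),
        ("legacy x86 exe", build_sample_pe(0x14C, 0x0103, 0x0080, pe32plus=False)),
    ):
        rep = pe_hardening_report(image)
        print(label, sorted(rep["flags"]))
        for line in hardening_findings(rep):
            print("  -", line)
```

Point `report_file` at a real `xul.dll` or `firefox.exe` from a build to compare what the toolchain actually emitted against what the linker flags were meant to set; the constructed samples exist only so the block runs without a Windows binary present.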
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs