IRC Archive / Oftc / #tor / 2010 / May / 19 / 1
nsa
or: erinn committed revision 22361 (/torbrowser/trunk/build-scripts): update library and path names for osx
or: ioerror committed revision 22362 (/torbrowser/trunk/build-scripts): quick rename for mac os x
or: ioerror committed revision 22363 (/torbrowser/trunk/build-scripts/config): Fork IronFox seatbelt wrapper for inclusion in Mac OS X TBB
ioerror
trams: ping
trams: I'm forking IronFox
trams: hopefully, once we get it all working, we can merge the changes back into IronFox
katmagic
What's IronFox"
?
phobos
firefox built the old fashioned way, with carbonized steel, hammers, and welders
katmagic
Srslyz. Google doesn't give me anything.
ioerror
phobos: bingo
phobos
also fire
helix
katmagic: http://romab.com/ironfox/
phobos
it's some secured firefox
secured/contained
ioerror
So secure that it doesn't work on os x 10.5
I guess that's because os x 10.5 is garbage
helix
:(
s/10.5//
katmagic
Hmmm. I remember writing a systrace policy for Firefox was relatively easy, though that was on OpenBSD...
ioerror
it appears that we are fuxed
good time
ok, so we basically need to write a very small program that launches the script
and that will invoke everything else
phobos
does all of this leak less info to the general OS?
or is this just security concerns
ioerror
So IronFox is a binary program
. .. Contents
IronFox.app/Contents% ls
. .. Info.plist MacOS Resources
% file MacOS/IronFox
MacOS/IronFox: Mach-O fat file with 2 architectures
That binary invokes something else
IronFox.app/Contents/Resources% ls
. appIcon.icns English.lproj flashplugin.sb script
.. AppSettings.plist firefox-profile.sb javaplugin.sb ._script
the something else is that script
eventually, that script invokes:
/usr/bin/sandbox-exec -f "${processed_template_location}/firefox-profile.sb" "/Applications/Firefox.app/Contents/MacOS/firefox-bin"
So basically, IronFox is a wrapper around an already installed Firefox
However, the binary itself, the MacOS/IronFox file, has no source
So we basically have to write the RelativeLink thing again but for Mac OS X
phobos
ok, so the concern isn't security per se, but rather what leaks from a tbb into the main system and sits around forever
ioerror
hrm, not quite
It's mostly that we need to find a way to package up all of these little .apps
so we need to write:
phobos
well, that's my concern for tbb
ioerror
a TorBrowserBundle.app
phobos
i want it to the point where it leaks nothing on any OS
ioerror
that app will launch a binary that calls the script file
the script will invoke sandbox/seatbelt
phobos
as in it passes a forensic analysis that can't find any trace tbb ran
ioerror
the script will then (using sandbox) ensure that nothing is written to the disk
that's why we're doing this :-)
because the seatbelt stuff can make sure that is the case
however, what we're missing is two things
one is the source to the thing that invokes the script
the other is a structured way to put all the rest of the stuff into that invoking program's .app
I think we can just make something
I mean, in theory, the Tor Browser Bundle needs to do the following:
1) launch vidalia
2) launch a pre-configured firefox
3) ensure that it all dies in a fire when the user exits
phobos
4) makes sure the OS doesn't keep any trace of it running
ioerror
I think we want something that looks like the following:
phobos
5) if the user pulls the usb disk in a hurry, what happens?
ioerror
TorBrowserBundle.app/Contents/Resources/{Firefox.app,Vidalia.app,etc}
phobos
5a) if power dies, what happens
katmagic
Use a tmpfs?
ioerror
The seatbelt app ensures that the process cannot do things unless they are allowed
that means that if we say: "no writing to disk" it does not
I don't know if apple really has a tempfs that is viable
phobos
ok, forget os x
in general
ioerror
Anyway, we want to have a small program called TorBrowserBundle.app that launches the script
phobos
is there proof a usb drive was inserted?
something called tor/firefox/vidalia ran?
written to swap?
etc
ioerror
We can rename the apps, actually
i think that's easy enough
I think there is probably an event that is written to a log file somewhere but I don't know for sure
we can check
phobos
because right now, windows leaks these bits
ioerror
helix: can you plug in a disk?
helix: if so, we can see
phobos
and when i played with before, osx wrote plists all over the place
katmagic
http://lists.apple.com/archives/darwin-kernel/2004/Sep/msg00004.html
ioerror
phobos: it seems likely that the main launcher app will leave a trace
there's two issues
one is pre-binding
the other is plist related
the pre-binding issue is almost impossible to avoid without totally static binaries
phobos
ok
https://svn.torproject.org/svn/torbrowser/trunk/docs/traces.txt that's what I'm talking about
ioerror
phobos: totally
i understand the problem; currently we're trying to tackle three things
one is that ironfox doesn't have source
phobos
btw, we're not shipping that then ;_)
ioerror
I think that I can get around that by just writing a new launcher
phobos
free software or die
ioerror
yeah, i agree
i'm bummed that it doesn't have source :-(
trams: ping?
helix
I'm going to email andreas when I get home
ioerror
ok, so that's problem 0
helix
if he doesn't respond on irc
ioerror
problem 1 is that we now need a ton of OS X binaries compiled
problem 2 is that we need to find the right order to call them
helix
I think 1&2 are basically done
ioerror
I think helix has problem 1 done
problem 2 isn't outlined
problem 3 is that we need to seatbelt them
problem 4 is to ensure that it works
the last problem is to examine for traces
helix
well, 2 isn't outlined but it has been done in two other operating systems, so I think its scope is understood :)
ioerror
well, it's not quite the same, is it?
helix
launching firefox sandboxed will be interesting if we try to do it from vidalia though
ioerror
right
helix
which is how it's currently done
ioerror
the permissions trickle down
helix
mm
katmagic
You could chroot them in a temporary filesystem.
helix
no, that requires extra permissions
ioerror
...?
why would we chroot them...?
katmagic
If you chroot them, they wouldn't be able to leave any trace on the system.
ioerror
This isn't unix
This is Mach...
This means that you send lots of messages around
the file system is not the only way to leave a trace
The kernel, the sandbox, the exec() itself, etc
syslog, etc etc etc
Chrooting will require root (when last I checked) and gets us nothing that seatbelt doesn't already give us
we can test
helix: http://lists.apple.com/archives/darwin-kernel/2004/Sep/msg00004.html
helix: can you test that thing katmagic suggested?
In any case, that will certainly leave a trace
that you mounted a tmpfs...
"Turtles all the way down"
helix: can you confirm that when you put a usb disk in that it does create an event?
i assume that the tmpfs stuff will be ok but that it will make an event
helix
yes it does create an event
ioerror
ok
so
that means that we make at least one event but probably more
we can deal with all the anti-forensics stuff later
lets get to the call tree?
so we want to start with the TBB.app invoking the script
the script file will do what?
We can have it fork vidalia.app directly for now
or we can have /usr/bin/sandbox-exec exec it
what say you helix?
helix: I think that we should probably exec it with sandbox
It will then run Tor and polipo
they will get the permissions inherited from the parent (vidalia)
helix
yeah I think it should all run sandboxed. I'm just thinking about the launching firefox from vidalia (or not) problem.
ok, inheritance will work then? hmm
ioerror
And then Tor, polipo and vidalia are running from a .app without touching the disk
the problem i see with launching everything with vidalia is that we have to make vidalia very permissive
so that firefox will still work when it is run
alternatively, we can run vidalia by forking it
also with seatbelt
and then it will launch tor and polipo
so ...
/usr/bin/sandbox-exec -f vidalia.sb path/to/vidalia.app/contents/macos/vidalia
vs
/usr/bin/sandbox-exec -f vidalia.sb path/to/vidalia.app/contents/macos/vidalia &
i think then we can hit the next line
in the script, i mean
and then we can do:
/usr/bin/sandbox-exec -f firefox-profile.sb Firefox.app/Contents/MacOS/firefox-bin
and then we've got a firefox running in a specific sandbox
helix: does that sound good?
helix
yes
nsa
or: ioerror committed revision 22364 (/torbrowser/trunk/build-scripts/config): IronFox forking continues
or: [Tor Bug Tracker & Wiki] #1504 was updated: #1504: No directory fetches, also #1374, 1375 - http://trac.torproject.org/projects/tor/ticket/1504#comment:1
or: Comment(by phobos):
or: This sounds like a support issue, not a bug.
or: [Tor Bug Tracker & Wiki] #1504 was updated: #1504: No directory fetches, also #1374, 1375 - http://trac.torproject.org/projects/tor/ticket/1504#comment:2
or: Changes (by phobos):
or: * priority: critical => normal
or: * component: Polipo-Backend / Core => Tor-Tor server
or: [Tor Bug Tracker & Wiki] #1182 was updated: #1182: Polipo crashes - http://trac.torproject.org/projects/tor/ticket/1182#comment:7
or: Changes (by phobos):
or: * priority: critical => normal
or: [...]
or: [Tor Bug Tracker & Wiki] #1379 was updated: #1379: can't connect to gmail with torbutton - http://trac.torproject.org/projects/tor/ticket/1379#comment:1
or: Changes (by phobos):
or: * priority: major => normal
or: [...]
or: [Tor Bug Tracker & Wiki] #1377 was updated: #1377: lost menu bar and firefox won't start - http://trac.torproject.org/projects/tor/ticket/1377#comment:3
or: Comment(by phobos):
or: which program did you install?
or: [Tor Bug Tracker & Wiki] #1502 was updated: #1502: Torbutton prevents GUI customizations in Firefox on Ubuntu - http://trac.torproject.org/projects/tor/ticket/1502#comment:1
or: Changes (by phobos):
or: * status: new => closed
or: * resolution: => duplicate
or: [...]
or: [Tor Bug Tracker & Wiki] #1503 was updated: #1503: Torbutton prevents GUI customizations in Firefox on Ubuntu - http://trac.torproject.org/projects/tor/ticket/1503#comment:1