Investigate Virtual Table Verification (VTV) hardening for Tor Browser on Linux and Windows
VTV (see: https://gcc.gnu.org/wiki/vtv) is a hardening feature introduced in GCC 4.9.0 which might be usable for our Tor Browser builds for Linux and Windows as we are using GCC for (cross-)compiling. We should investigate that and fix possible roadblocks.
Activity
Moving the VTV related discussion found in #10599 (moved) to this more specific bug.
Trac:
Keywords: needs-triage deleted, TorbrowserTeam201407 added-
Trac:
precise_vtv_crash.log -
Current state of the art (comment:37:ticket:10599): " I uploaded a working build with ASan, UBSan and VTV to https://people.torproject.org/~gk/testbuilds/asan/20140620/.
They are currently compiled with "-fvtable-verify=std". "-fvtable-verify=preinit" does not work with ld but using gold seems to be fine. I'll add that piece in the next iteration of these builds. In order to avoid the browser exiting on VTV errors the compiler is built with -DVTV_NO_ABORT. "
-
Okay. I tried to debug the VTV issues with Firefox in order to get enough information to file a Mozilla bug. Here is the short story: With the invaluable help of Caroline Tice (thanks again!) I managed to get/do the following:
- Compile a GCC 4.9.0 with the option to debug VTV issues (see: https://docs.google.com/document/d/1wN-uygC0hicLe1dyAGCvtn_tJhnwFer0Nsy56b84doY/pub). This means using something like:
make -j4 CFLAGS_FOR_TARGET="-g -O0" CXXFLAGS_FOR_TARGET="-g -O0" allwhen compiling GCC. 2) Compile a Firefox with VTV support. That means atm adding
export CXXFLAGS="-fvtable-verify=std -rdynamic -Wl,-z,relro -m64 -Wl,-R,/path/to/your/debug_gcc/lib64"to the .mozconfig file 3) Go to /dist/bin in your objdir and start gdb with
gdb firefoxNOTE: The GDB in Ubuntu Precise is buggy and won't help you (which took us quite a while to realize). Not sure which version is good, 7.7.1 worked for me at least. 4) Set a breakpoint
(gdb) b __vtv_verify_fail Function "__vtv_verify_fail" not defined. Make breakpoint pending on future shared library load? (y or [n]) y Breakpoint 1 (__vtv_verify_fail) pending. (gdb)- Run firefox
(gdb) run --help- Try to find out what's wrong and you'll get something like
(gdb) up #1 0x00007ffff7ff1f2c in __VLTVerifyVtablePointer ( set_handle_ptr=0x7ffff6bcd6e8 <_VTV<xpcIJSGetFactory>::__vtable_map>, vtable_ptr=0x7ffff68d06d0 <vtable for nsXPTCStubBase+16>) at ../../../libvtv/vtv_rts.cc:1351 1351 __vtv_verify_fail ((void **) handle_ptr, vtable_ptr); (gdb) x/x vtable_ptr 0x7ffff68d06d0 <_ZTV14nsXPTCStubBase+16>: 0xf18eca8c (gdb) x/x set_handle_ptr 0x7ffff6bcd6e8 <_ZN4_VTVI16xpcIJSGetFactoryE12__vtable_mapE>: 0x00000000- Make a backtrace which should give you something like
#0 0x00007ffff7ff0380 in __vtv_verify_fail(void**, void const*)@plt () from /home/gk/asan/gcc-4.9.0debug/usr/local/lib64/libvtv.so.0 #1 0x00007ffff7ff1f2c in __VLTVerifyVtablePointer ( set_handle_ptr=0x7ffff58c2c50 <_VTV<xpcIJSGetFactory>::__vtable_map>, vtable_ptr=0x7ffff52fa890 <vtable for nsXPTCStubBase+16>) at ../../../libvtv/vtv_rts.cc:1351 #2 0x00007fffeea019a6 in mozJSComponentLoader::ModuleEntry::GetFactory ( module=..., entry=...) at /home/gk/asan/mozilla-central/js/xpconnect/loader/mozJSComponentLoader.cpp:1440 #3 0x00007fffee101e4d in nsFactoryEntry::GetFactory (this=0x7fffe5d77340) at /home/gk/asan/mozilla-central/xpcom/components/nsComponentManager.cpp:1786 #4 0x00007fffee100362 in nsComponentManagerImpl::CreateInstanceByContractID ( this=0x7ffff6e9a360, aContractID=0x7fffe2dfe760 "@mozilla.org/browser/webide-clh;1", aDelegate=0x0, aIID=..., aResult=0x7fffffffcb20) at /home/gk/asan/mozilla-central/xpcom/components/nsComponentManager.cpp:1080 #5 0x00007fffee100e46 in nsComponentManagerImpl::GetServiceByContractID ( this=0x7ffff6e9a360, aContractID=0x7fffe2dfe760 "@mozilla.org/browser/webide-clh;1", aIID=..., result=0x7fffffffcc58) at /home/gk/asan/mozilla-central/xpcom/components/nsComponentManager.cpp:1440 #6 0x00007fffee1438e0 in CallGetService ( aContractID=0x7fffe2dfe760 "@mozilla.org/browser/webide-clh;1", aIID=..., aResult=0x7fffffffcc58) at /home/gk/asan/mozilla-central/xpcom/glue/nsComponentManagerUtils.cpp:69- Check what vtable and class were verified after exiting gdb and you'll get something like
c++filt _ZTV14nsXPTCStubBase vtable for nsXPTCStubBase c++filt _ZN4_VTVI16xpcIJSGetFactoryE12__vtable_mapE _VTV<xpcIJSGetFactory>::__vtable_map- Start glaring at mozJSComponentLoader.cpp and friends.
-
Finally, this is https://bugzilla.mozilla.org/show_bug.cgi?id=1046600.
-
Trac:
Summary: Investigate Virtual Table Verification (VTV) hardening for Tor Browser on Windows to Investigate Virtual Table Verification (VTV) hardening for Tor Browser on Linux and Windows
Description: VTV (see: https://gcc.gnu.org/wiki/vtv) is a hardening feature introduced in GCC 4.9.0 which might be usable for our Tor Browser builds for Windows as we are using GCC for cross-compiling. We should investigate that and fix possible roadblocks.to
VTV (see: https://gcc.gnu.org/wiki/vtv) is a hardening feature introduced in GCC 4.9.0 which might be usable for our Tor Browser builds for Linux and Windows as we are using GCC for (cross-)compiling. We should investigate that and fix possible roadblocks.
Trac:
Cc: N/A to tom@ritter.vg-
Another feature of GCC 4.9 to investigate is the 'final' optimization, and if this can be automatically applied to classes. 'final' is a security feature hiding inside an optimization: By optimizing out vtable calls you can make it harder to exploit UAFs.
More info:
selfrando oil fail vtv for real security fix browser vectors
https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
Trac:
Reviewer: N/A to N/A
Priority: Medium to High
Sponsor: N/A to N/A
Severity: N/A to Blocker