Hi,
Tom Ritter wrote (30 Jun 2014 17:03:49 GMT) :
> Preventing a program from modifying itself is a distinct problem.
Point taken.
> Trying to prevent an application from modifying itself on disk, so
> that the changes persist after application shutdown, _could_ be
> achieved by a sandbox - but it would have to be taken on a
> case-by-case basis. Considering Tor Browser, the sandbox could
> probably, easily, enforce read-only access to executables and
> libraries. But I'm not sure how many things the 'New Identity' button
> wipes out. If it doesn't wipe out everything, there are persistence
> mechanisms between application executions that the sandbox _should_
> allow. For example, if installed extensions persist between 'New
> Identity' - that allows arbitrary code execution (inside the
> sandbox).
Indeed, the sandbox I have in mind would grant write access to
Data/Browser/profile.default/extensions, and given the potential for
persisting arbitrary code in there, it makes little sense to block
write access to other programs and libraries shipped by the bundle.
> It could change the entry guards, hardcode an exit, [...]
Yep, I guess that's correct due to the fact that the browser (when using
tor-launcher) needs to be allowed to control Tor directly.
> It sounds more like you want application imaging. [...]
Thanks for the detailed analysis!
Cheers,
--
intrigeri