Comments (4)
rr allows sandbox escapes, so I don’t know if it is reasonable to use it for a browser that is going to be accessing untrusted web content, which is the usual case.
Actually the usual case for Firefox and Chrome devs using rr is that they're debugging test cases which are known to be non-hostile, so that's fine.
But recording a browser session involving potentially hostile Web content seems fine too. rr does not flat-out disable the browser sandbox, it just pokes a very specific small hole in it. The odds that a real Web site is carrying a malicious payload that specifically targets that hole poked by rr must be infinitesimal. Why would anyone do that? I'm sure you are much more likely to encounter Web content that uses a regular bug-exploiting sandbox escape.
If you're debugging a browser using rr and you're worried about an attacker trying to specifically target you, you should run the browser and rr in a VM guest using something KVM-based. An AWS EC2 VM works fine. But against such a sophisticated attacker, you should probably do that even if you're not using rr.
Xen doesn’t expose performance counters in VMs,
Sure it does: https://github.com/mirage/xen/blob/master/xen/arch/x86/cpu/vpmu.c
However Xen's PMU virtualization (as of 2016) had a bug that prevented rr from working properly: https://lists.xen.org/archives/html/xen-devel/2016-10/msg01285.html
It probably could be fixed, and maybe has been fixed.
from rr.
rr allows sandbox escapes, so I don’t know if it is reasonable to use it for a browser that is going to be accessing untrusted web content, which is the usual case.
Actually the usual case for Firefox and Chrome devs using rr is that they're debugging test cases which are known to be non-hostile, so that's fine.
I was not aware of that. My use case was tracking down crashes found by end-users, such as QubesOS/qubes-issues#8960 (Firefox crashes for no apparent reason).
But recording a browser session involving potentially hostile Web content seems fine too. rr does not flat-out disable the browser sandbox, it just pokes a very specific small hole in it. The odds that a real Web site is carrying a malicious payload that specifically targets that hole poked by rr must be infinitesimal. Why would anyone do that? I'm sure you are much more likely to encounter Web content that uses a regular bug-exploiting sandbox escape.
Attackers benefit massively from automation. An attacker might be using a payload that tries a whole bunch of different exploits. Spyware like Pegasus does exactly that.
If you're debugging a browser using rr and you're worried about an attacker trying to specifically target you, you should run the browser and rr in a VM guest using something KVM-based. An AWS EC2 VM works fine.
Indeed it does, though only in the largest (and thus most expensive) sizes (because AWS EC2 blocks performance counter use on smaller VMs for security reasons).
But against such a sophisticated attacker, you should probably do that even if you're not using rr.
That is why I use and develop Qubes OS, which does the same thing but with Xen VMs.
Xen doesn’t expose performance counters in VMs,
Sure it does: https://github.com/mirage/xen/blob/master/xen/arch/x86/cpu/vpmu.c
However Xen's PMU virtualization (as of 2016) had a bug that prevented rr from working properly: https://lists.xen.org/archives/html/xen-devel/2016-10/msg01285.html
It probably could be fixed, and maybe has been fixed.
The functionality exists, but it is not supported security-wise, which means that I cannot ask end-users to use it. See XSA-163: virtual PMU is unsupported.
Is this just me wanting to use rr for something it was never meant for?
Attackers benefit massively from automation. An attacker might be using a payload that tries a whole bunch of different exploits. Spyware like Pegasus does exactly that.
Sure, but someone would have to develop an exploit specifically targeting rr first, i.e. to specifically target browser developers who use rr on public Web content, which is a VERY small set of people. I probably know most of their names! And the chance that you'll ever get those users to load your payload while they're recording the browser with rr is still incredibly small.
Indeed it does, though only in the largest (and thus most expensive) sizes
rr works in c5d.9xlarge instances which cost < $2/hour. That's essentially nothing compared to the value of a developer's time. I understand that that doesn't work for Qubes-specific issues that you want to debug, but it would work for just about everyone else.
The functionality exists, but it is not supported security-wise, which means that I cannot ask end-users to use it.
So you want end-users to send you rr recordings of the Web browser for debugging? There are bigger problems with that. In particular it's difficult to ensure that those recordings don't contain their private information.
Is this just me wanting to use rr for something it was never meant for?
I guess so? We do specifically warn against using rr to debug malicious code: https://github.com/rr-debugger/rr/wiki/Usage#malicious-code
It might be possible to harden rr for safe recording and replaying of malicious code, but it would be a lot of work to implement and more importantly to test, and it just doesn't seem worth it when most users can just run it in a relatively cheap AWS VM instead.
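Both of the preceding exchanges turn on one precondition: whether the hypervisor lets the guest use a hardware performance counter at all (Xen's vPMU being unsupported, the smaller EC2 sizes blocking it). The following is an added example, not code from rr or from either commenter: a Linux-only probe that asks the kernel for a hardware instruction counter through perf_event_open(2) and classifies the outcome, so a developer can confirm the precondition in a given VM before relying on rr there. The enum names, the helper names and the use of PERF_COUNT_HW_INSTRUCTIONS as a proxy event are this example's own assumptions; rr's actual counter selection and its own sanity checks are not reproduced.

```c
// Added example (not rr's code): probe whether this process can open and read a
// hardware PMU counter, the capability rr depends on and that a hypervisor may
// withhold from a guest. Linux-only; talks to perf_event_open(2) directly.
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/perf_event.h>

enum pmu_status {
    PMU_OK = 0,      /* counter opened and counted user-mode instructions */
    PMU_UNAVAILABLE, /* ENOENT/ENODEV/EOPNOTSUPP: no usable hardware PMU (typical guest without vPMU) */
    PMU_DENIED,      /* EACCES/EPERM: kernel.perf_event_paranoid or a seccomp policy forbids it */
    PMU_ERROR        /* anything else */
};

const char *pmu_status_name(enum pmu_status s) {
    switch (s) {
    case PMU_OK:          return "ok";
    case PMU_UNAVAILABLE: return "unavailable";
    case PMU_DENIED:      return "denied";
    case PMU_ERROR:       return "error";
    default:              return "?";
    }
}

/* glibc has no wrapper for perf_event_open; go through syscall(2) as the man page shows. */
static long perf_event_open(struct perf_event_attr *attr, pid_t pid, int cpu,
                            int group_fd, unsigned long flags) {
    return syscall(SYS_perf_event_open, attr, pid, cpu, group_fd, flags);
}

/* Busy work so a functioning counter reads a clearly non-zero value. */
static volatile uint64_t sink;
static void burn(void) {
    for (uint64_t i = 0; i < 100000; i++) sink += i;
}

/* Opens one hardware instruction counter on this thread, counts a burst of
 * user-mode work, and reports how far it got. errno_out receives 0 on success
 * or the failing errno otherwise; count_out is written only on success. */
enum pmu_status probe_hw_counter(uint64_t *count_out, int *errno_out) {
    struct perf_event_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.type = PERF_TYPE_HARDWARE;
    attr.size = sizeof(attr);
    attr.config = PERF_COUNT_HW_INSTRUCTIONS; /* proxy event; rr uses its own choice */
    attr.disabled = 1;       /* start stopped, enable explicitly below */
    attr.exclude_kernel = 1; /* user-mode only: also what the stricter paranoid levels allow */
    attr.exclude_hv = 1;

    int fd = (int)perf_event_open(&attr, 0, -1, -1, 0);
    if (fd < 0) {
        int e = errno;
        if (errno_out) *errno_out = e;
        switch (e) {
        case ENOENT: case ENODEV: case EOPNOTSUPP: return PMU_UNAVAILABLE;
        case EACCES: case EPERM:                   return PMU_DENIED;
        default:                                   return PMU_ERROR;
        }
    }
    ioctl(fd, PERF_EVENT_IOC_RESET, 0);
    ioctl(fd, PERF_EVENT_IOC_ENABLE, 0);
    burn();
    ioctl(fd, PERF_EVENT_IOC_DISABLE, 0);

    uint64_t count = 0;
    ssize_t n = read(fd, &count, sizeof(count)); /* default read_format: just the count */
    int read_errno = errno;
    close(fd);
    if (n != (ssize_t)sizeof(count)) {
        if (errno_out) *errno_out = read_errno ? read_errno : EIO;
        return PMU_ERROR;
    }
    if (count_out) *count_out = count;
    if (errno_out) *errno_out = 0;
    return PMU_OK;
}

/* Returns 1 when status, count and errno from one probe agree with each other. */
int pmu_probe_is_consistent(void) {
    uint64_t count = 0;
    int err = -1;
    enum pmu_status s = probe_hw_counter(&count, &err);
    if (s == PMU_OK) return err == 0 && count > 0;
    return err != 0 && count == 0;
}

int main(void) {
    uint64_t count = 0;
    int err = 0;
    enum pmu_status s = probe_hw_counter(&count, &err);
    if (s == PMU_OK)
        printf("hardware PMU usable: %llu user-mode instructions counted\n",
               (unsigned long long)count);
    else
        printf("hardware PMU not usable: %s (%s)\n", pmu_status_name(s), strerror(err));
    return s == PMU_OK ? 0 : 1;
}
```

A PMU_UNAVAILABLE result is the situation the Xen and small-EC2 remarks describe. PMU_DENIED points at the kernel's perf_event_paranoid setting or a container/seccomp policy rather than at the hypervisor, which is the distinction worth establishing before concluding that the VM is the obstacle.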
The functionality exists, but it is not supported security-wise, which means that I cannot ask end-users to use it.
So you want end-users to send you rr recordings of the Web browser for debugging? There are bigger problems with that. In particular it's difficult to ensure that those recordings don't contain their private information.
I was thinking of a separate (fresh) profile with no information saved, but you are correct. I don’t think there is a good solution here, beyond what ABRT does.