Tuesday, September 22, 2015

Sandboxin' Safari on PowerPC (because plugins can't be trusted, and neither can you)

First, for your entertainment, another episode of keeping old Power Macs running in the age of Intel. The hardware failure this week was oslo, the Sawtooth G4 file server and backup depot, which started throwing weird checksum errors on its Sunday backups which I couldn't figure out at the time, and then completely seized up around 2:30am yesterday morning while the G5 was backing up to it. The system is not especially complex; besides the default Rage 128 AGP card, it has a Gigabit Ethernet NIC for a point-to-point connection to the G5, an Orange Micro Grappler+ SCSI card that seemed like a good idea at the time but other than driving a SCSI CD burner essentially does nothing, and a FireWire 800 card in the bottom PCI slot connected to a 4-drive external RAID 5.

When I started getting alarms that oslo was unresponsive from the systems that couldn't dump backups on it anymore, I tried to bring it back up after work and noticed I was missing the array's core HFS+ volume (the array is partitioned into three). While the array's UFS volume seemed intact, none of the files verified; worse, not only was the HFS+ volume on it completely hosed, DiskWarrior actually crashed trying to repair it after throwing an error I'd never seen before (2351, -36 in case anyone is searching in the future).

Now, this is a backup array, so it could be dispensed with, but I wanted to understand what was going on first before wiping it. In the interest of ruling out the controller, I first decided to see if it was a problem with the array hardware and connected the RAID over FireWire to the iBook instead. To my surprise and delight, the files on the UFS volume checked out! I quickly booted DiskWarrior on the iBook and managed to get the HFS+ volume repaired -- it was pretty hideously mangled but spot checks on the files seemed to validate. So that ruled out the array.

At this point I concluded it must have been something wrong with the FW800 card. I'm notorious for keeping large amounts of spares on hand, so I got a spare FW800 card out that I'd bought as a Fry's special six years ago, pulled the old one from the bottom slot and installed the new one in the same place, and connected the array. This time, no volumes mounted, and System Profiler actually crashed when I asked it to enumerate FireWire devices. I powered off the system and said something intemperate, then started to wonder if it was something about the slot or (grr) the logic board. Fortunately, I could dispense with the Grappler+ since it was just occupying space, so I pulled that and put the new card in its slot instead. Everything mounted. Whew! Conclusion: bad PCI slot, possibly bad card as well, not clear if or which one caused the other, but I'm not going to take chances -- that card's going in the eWaste bin. Either way, the moral of this story is to not only keep backups, but keep spare parts on hand, because you never know when you'll need them. And oslo has a complete body double in the stock closet for the day it might blow its logic board entirely. Still, not bad for a machine that was built 15 years ago.

Now to the main event. I mentioned a while back a couple of secret projects I've been working on, and while one of them is probably going to get invalidated by Google again in the very near future, this second one has bigger import: no less than a safer, sandboxed way to run Flash and other plugins on Tiger. Let me introduce you to SandboxSafari.

First, let's be painfully clear about two important points: both Flash and Java remain unsafe to run on Power Macs, and TenFourFox's no-plugins policy remains inviolate. That's not ever going to change. But there are still sites people want to visit that insist on requiring a plugin and some of the sites either still work or can be coerced to work with the older version of Flash Player available for PowerPC. While not all the problems can be mitigated, it seemed to me that there could be a safer way of doing so that would reduce a potential attack profile.

Because our primary operating system of interest is Tiger (Leopard is supported, but I've always been frank that the best reason to still own a Power Mac is to run Classic apps, and that means 10.4), we can't use the Leopard sandbox, and the Leopard sandbox has at least one sandbox escape that was never fixed (though I suppose in the future it could be part of a blended implementation). So SandboxSafari takes a different approach: it runs a very limited WebKit instance in a separate process as nobody so that it doesn't run within TenFourFox or even run as you. By limiting the functionality it exposes and the privileges it can wield, it reduces the chance of an unsafe operation because it can't do many such operations.

In fact, SandboxSafari is so limited you can't even use it as a regular browser; there's no tabs, no downloads, only a single window and almost no chrome except for a right-click context menu for navigation. You feed it URLs through Launch Services, not through a typical address bar -- because there isn't one! It can't even save its own settings, nor can any plugin it instantiates, let alone anything else. The overriding idea is "as little as possible to go wrong."

So how do you use it? TenFourFox integrates with SandboxSafari through an enabler add-on included in the package. Let's say you're on one of those troublesome sites and you need Flash to operate on it. Just right-click on an open area of the page and from the context menu select the option to pass the URL to SandboxSafari (or pass it and close the tab simultaneously, such as a video site you don't need to keep open in TenFourFox). SandboxSafari will open to that URL; when you're done, just close the window and it will return to the previous app (invariably TenFourFox). You can drive SandboxSafari from your own application with AppleEvents, btw; see the openurl tool in the source code bundle.

SandboxSafari is not at all complete protection. Even though crashes are limited to the SandboxSafari process, it may still be possible for a malicious or misbehaving site to trigger other OS bugs, and while it's designed to resist modifying old files as well as creating new files, it may still be able to read other files and possibly be manipulated to upload them. A subverted plugin may also be able to activate input contexts that capture all keyboard events or draw things that look like password dialogues, and while these would disappear when SandboxSafari quits, they could potentially grab data anyway if you type in sensitive information while SandboxSafari is running. These kinds of operations are not generally dependent on the user ID in use or cannot otherwise be blocked with this method of sequestration. There are other limitations with what it can access and you should read the documentation thoroughly beforehand so you understand why.

SandboxSafari is also provided to you "best effort" and strictly "as-is." It's a means to get obsolete, insecure software to run a little more safely, but the software in question is unmaintained and known to have problems, and that means you should expect to have problems with it too. Because I don't want to turn my life into a living hell with people who can't read and don't care sending me complaints I don't want, the policy is explicit: bug reports that do not include fixes will be ignored (unless it's an obvious security issue over and above the security issues I already know it has). Don't write it here, don't post it to Tenderapp, don't E-mail me. If you're having trouble with it and you don't know why or don't care to find out how to fix it, then don't use it. I'm serious. I have enough to worry about with TenFourFox without regretting anything else I maintain. :P

Download SandboxSafari here, after reading the page thoroughly, and God have mercy on your souls.

Saturday, September 19, 2015

38.3.0 available

But first: check out the stylin' official Mozilla add-on shirt I got!

Try as I might, however, I could not find any XUL in it (there is no XUL, only WebExtensions).

TenFourFox 38.3.0 is now available for testing (release notes, hashes, downloads). Currently I'm tracking two confirmed bugs and one questionable one, none of which are fully fixed yet. We have an issue with what appears to be exact rooting and may be partially a compiler bug, but I can only reproduce it on Github, and only specifically with one particular operation. The patch I added to 38.3.0 seems to wallpaper the intermittent crash that can result from it though not the incorrect behaviour it causes with the JITs (but it does restore correct behaviour with the naked interpreter, which was not the case in 38.2.x), although I don't think this is the cause of some of the unreproducible crashes a few people have reported -- YMMV. In addition, the new jsonlz4 compressed JSON bookmark backup format seems to be bogus despite setting all the proper endian options near as I can tell, so I'm not sure why it's writing invalid data. If I can't figure this out, forcing it to save uncompressed backups a la TenFourFox 31 should not be exceptionally hard. The remaining questionable bug allegedly has to do with modal drop-down-sheet requesters becoming unresponsive, which in turn makes the browser halt (more accurately it goes into a loop where it ignores other events), but I can't get it to do so reliably. Because of these issues, official MP3 support is still delayed for the time being.

Disabling incremental garbage collection in lieu of periodic full collections of the tenured heap appears to be a mixed bag with respect to performance. Although it was a win on my systems, a few of you reported it made them somewhat worse, and not enough people reported a difference to really outweigh them. You can still consider trying it on your own Power Mac and seeing if that helps, but I've abandoned this line of enhancement for the time being and it remains enabled by default in 38.3. As always, the browser goes live on Monday evening Pacific time.

I've been slack on some other fun posts and I'll try to catch up on those soon as my situation permits.