Tuesday, September 22, 2015

Sandboxin' Safari on PowerPC (because plugins can't be trusted, and neither can you)

First, for your entertainment, another episode of keeping old Power Macs running in the age of Intel. The hardware failure this week was oslo, the Sawtooth G4 file server and backup depot, which started throwing weird checksum errors on its Sunday backups which I couldn't figure out at the time, and then completely seized up around 2:30am yesterday morning while the G5 was backing up to it. The system is not especially complex; besides the default Rage 128 AGP card, it has a Gigabit Ethernet NIC for a point-to-point connection to the G5, an Orange Micro Grappler+ SCSI card that seemed like a good idea at the time but other than driving a SCSI CD burner essentially does nothing, and a FireWire 800 card in the bottom PCI slot connected to a 4-drive external RAID 5.

When I started getting alarms that oslo was unresponsive from the systems that couldn't dump backups on it anymore, I tried to bring it back up after work and noticed I was missing the array's core HFS+ volume (the array is partitioned into three). While the array's UFS volume seemed intact, none of the files verified; worse, not only was the HFS+ volume on it completely hosed, DiskWarrior actually crashed trying to repair it after throwing an error I'd never seen before (2351, -36 in case anyone is searching in the future).

Now, this is a backup array, so it could be dispensed with, but I wanted to understand what was going on first before wiping it. In the interest of ruling out the controller, I first decided to see if it was a problem with the array hardware and connected the RAID over FireWire to the iBook instead. To my surprise and delight, the files on the UFS volume checked out! I quickly booted DiskWarrior on the iBook and managed to get the HFS+ volume repaired -- it was pretty hideously mangled but spot checks on the files seemed to validate. So that ruled out the array.

At this point I concluded it must have been something wrong with the FW800 card. I'm notorious for keeping large amounts of spares on hand, so I got a spare FW800 card out that I'd bought as a Fry's special six years ago, pulled the old one from the bottom slot and installed the new one in the same place, and connected the array. This time, no volumes mounted, and System Profiler actually crashed when I asked it to enumerate FireWire devices. I powered off the system and said something intemperate, then started to wonder if it was something about the slot or (grr) the logic board. Fortunately, I could dispense with the Grappler+ since it was just occupying space, so I pulled that and put the new card in its slot instead. Everything mounted. Whew! Conclusion: bad PCI slot, possibly bad card as well, not clear if or which one caused the other, but I'm not going to take chances -- that card's going in the eWaste bin. Either way, the moral of this story is to not only keep backups, but keep spare parts on hand, because you never know when you'll need them. And oslo has a complete body double in the stock closet for the day it might blow its logic board entirely. Still, not bad for a machine that was built 15 years ago.

Now to the main event. I mentioned a while back a couple of secret projects I've been working on, and while one of them is probably going to get invalidated by Google again in the very near future, this second one has bigger import: no less than a safer, sandboxed way to run Flash and other plugins on Tiger. Let me introduce you to SandboxSafari.

First, let's be painfully clear about two important points: both Flash and Java remain unsafe to run on Power Macs, and TenFourFox's no-plugins policy remains inviolate. That's not ever going to change. But there are still sites people want to visit that insist on requiring a plugin and some of the sites either still work or can be coerced to work with the older version of Flash Player available for PowerPC. While not all the problems can be mitigated, it seemed to me that there could be a safer way of doing so that would reduce a potential attack profile.

Because our primary operating system of interest is Tiger (Leopard is supported, but I've always been frank that the best reason to still own a Power Mac is to run Classic apps, and that means 10.4), we can't use the Leopard sandbox, and the Leopard sandbox has at least one sandbox escape that was never fixed (though I suppose in the future it could be part of a blended implementation). So SandboxSafari takes a different approach: it runs a very limited WebKit instance in a separate process as nobody so that it doesn't run within TenFourFox or even run as you. By limiting the functionality it exposes and the privileges it can wield, it reduces the chance of an unsafe operation because it can't do many such operations.

In fact, SandboxSafari is so limited you can't even use it as a regular browser; there's no tabs, no downloads, only a single window and almost no chrome except for a right-click context menu for navigation. You feed it URLs through Launch Services, not through a typical address bar -- because there isn't one! It can't even save its own settings, nor can any plugin it instantiates, let alone anything else. The overriding idea is "as little as possible to go wrong."

So how do you use it? TenFourFox integrates with SandboxSafari through an enabler add-on included in the package. Let's say you're on one of those troublesome sites and you need Flash to operate on it. Just right-click on an open area of the page and from the context menu select the option to pass the URL to SandboxSafari (or pass it and close the tab simultaneously, such as a video site you don't need to keep open in TenFourFox). SandboxSafari will open to that URL; when you're done, just close the window and it will return to the previous app (invariably TenFourFox). You can drive SandboxSafari from your own application with AppleEvents, btw; see the openurl tool in the source code bundle.

SandboxSafari is not at all complete protection. Even though crashes are limited to the SandboxSafari process, it may still be possible for a malicious or misbehaving site to trigger other OS bugs, and while it's designed to resist modifying old files as well as creating new files, it may still be able to read other files and possibly be manipulated to upload them. A subverted plugin may also be able to activate input contexts that capture all keyboard events or draw things that look like password dialogues, and while these would disappear when SandboxSafari quits, they could potentially grab data anyway if you type in sensitive information while SandboxSafari is running. These kinds of operations are not generally dependent on the user ID in use or cannot otherwise be blocked with this method of sequestration. There are other limitations with what it can access and you should read the documentation thoroughly beforehand so you understand why.

SandboxSafari is also provided to you "best effort" and strictly "as-is." It's a means to get obsolete, insecure software to run a little more safely, but the software in question is unmaintained and known to have problems, and that means you should expect to have problems with it too. Because I don't want to turn my life into a living hell with people who can't read and don't care sending me complaints I don't want, the policy is explicit: bug reports that do not include fixes will be ignored (unless it's an obvious security issue over and above the security issues I already know it has). Don't write it here, don't post it to Tenderapp, don't E-mail me. If you're having trouble with it and you don't know why or don't care to find out how to fix it, then don't use it. I'm serious. I have enough to worry about with TenFourFox without regretting anything else I maintain. :P

Download SandboxSafari here, after reading the page thoroughly, and God have mercy on your souls.


  1. Thank you, this is really a good idea. Works much faster than opening Safari itself or TFF 17. Hint (not a bug report): Refresh problems (on 10.5 only) e.g. on http://www.adobe.com/software/flash/about/ can be mitigated by resizing the window a bit, forcing it to re-draw. The weird stuff going on in the menu bar on 10.5 we'll have to live with because it's running as a different user with Apple's defaults for keyboard input and menu bar transparency.

  2. Very Cool Idea C.K.
    I wrote an Applescript that does something very similar (locks 'Safari' folder to prevent security leaks and sends pages to WebKit from TFF with a hotkey).

    This is much more elegant. The only extra option/feature that 'Might' be worth adding is the ability to save a page as a webarchive. The page-saving in Firefox (.mht) is not as easy/functional, and this might allow easier saving in the future.

    Awesome concept and cool icon too.

    1. How do you mean, "locks the folder"? I'm unclear what that prevents, but maybe there's something else there to consider.

      I don't want to give SandboxSafari the ability to write *any* file. Then it can't be subverted.

    2. It simply locks the following files with a 'try' command, so WebKit/Safari cannot store anything:
      ~/Library/Caches/com.apple.Safari/Webpage Previews

      Then the URL is passed to WebKit. The nice thing is that the caching then rests completely in RAM, so is much faster than disk caching and on closing there are no footprints left to get sniffed out by spywear later.

      Have also completely disabled Safari Password System and Java. Has proven to be useful for many things that TFF cannot do easily (like retrieving an Apple ID).

      I REALLY wish someone would make a .webarchive addon for Firefox. Mht sucks.

      Super Cool concept here you have.

    3. No, I get it from the perspective of protecting the library and cache, but an exploit would not limit itself to those locations and nothing really keeps it there. If someone injected shellcode or managed to grab expanded privileges in the Flash or Java runtime, all bets are off as to where they would be able to get (anywhere the user has permission), unless I misunderstand your approach.

      The nice thing about the unprivileged uid method is that nobody can't write to ~/Library, period. In fact, it doesn't even have a home directory it can write to (/var/empty is owned by root:sys), let alone its own Library folder.

    4. That is very cool.

      You mention updating to WebKit/TenFourKit for 10.4, so does this call that app if present, and fallback to Safari if not?

      Oh, BTW - on the TFF front, left a comment about problems with gstatic fonts last week. Those problems/hangs are gone when I re-enable Incremental GC. When it is off, sites that call gstatic fonts seem to hang and the browser becomes unresponsive. (Dual 1.42 G4 2GB of RAM).

    5. It uses whatever WebKit framework is installed on the system.

      As far as incremental GC, enough people reported problems that I'm not planning to disable it.

  3. ---
    Lastly, final soap-box on this, but whatever you decide for web-videos, can't say enough good about basing on youtube-dl.

    I watch the Nightly Show with Larry Wilmore through my player and last week an update to their site broke compatibility and the youtube-dl team had it fixed in 3 days. These guys are relentless! They are stating Python 2.7.6 support for at least 3 more years and good compatibility for probably 5. That keeps Tiger in the video-loop for quite a while. Very easy to implement.

  4. TenFourBird has yet to issue an update since 31.8.x. This is unusual. I wonder when and if this will happen?

    1. I'm not sure what the hangup is, but they have more to port than just the core Gecko code and there might be something there problematic with gcc 4.6 that our shim does not cover.

    2. TenFourBird 38.3.0 is available.

  5. You mentioned the classic environment. Speaking of which I've always wondered if it was possible to produce a build of SheepShaver that is both optimized for Leopard and PPC (and doesn't crash every 5 seconds on PPC like current SheepShaver) as a solution for Leopard's lack of classic. Of course it would require a lot of coding and I'd be considered more of an amateur coder (written a few AppleScript apps and coder HTML) and I assume you're pretty busy as is.

    1. Although I sympathize, I don't use Leopard, so it wouldn't be me for certain.

  6. Just out of pure curiosity (and my apologies in advance if I'm not even supposed to be asking this much...): if one installs SandboxSafari and later decides to remove it, is there anything more to it than trashing the app and moving on?

    1. No, simply trashing it is sufficient to uninstall it. It's self contained.


Due to an increased frequency of spam, comments are now subject to moderation.