Hi,
Tom Ritter wrote (30 Jun 2014 17:03:49 GMT):
> Preventing a program from modifying itself is a distinct problem.
Point taken.
> Trying to prevent an application from modifying itself on disk, so that the changes persist after application shutdown, _could_ be achieved by a sandbox - but it would have to be taken on a case-by-case basis. Considering Tor Browser, the sandbox could probably, easily, enforce read-only access to executables and libraries. But I'm not sure how many things the 'New Identity' button wipes out. If it doesn't wipe out everything, there are persistence mechanisms between application executions that the sandbox _should_ allow. For example, if installed extensions persist between 'New Identity' - that allows arbitrary code execution (inside the sandbox).
Indeed, the sandbox I have in mind would grant write access to Data/Browser/profile.default/extensions, and given the potential for persisting arbitrary code in there, it makes little sense to block write access to other programs and libraries shipped by the bundle.
> It could change the entry guards, hardcode an exit, [...]
Yep, I guess that's correct due to the fact the browser (when using tor-launcher) needs to be allowed to control Tor directly.
> It sounds more like you want application imaging. [...]
Thanks for the detailed analysis!
Cheers,