by splesjaz 3484 days ago
VMs are all nice and that, but if the exploit can compromise the TBB it's too late already; sandboxing needs to happen in the browser. On Linux you can use namespaces + strict seccomp rules, but I don't know what one would use for Windows. First priority would be to sandbox the browser and work your way down if you want to sandbox more stuff. For Windows, EMET can help to prevent certain exploits I guess, but yea, a browser that can access anything on the filesystem & system calls is bad stuff.
2 comments
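As an added example (not code posted in this thread, and not how TBB, Firefox or Chrome actually implement their sandboxes), here is what "namespaces + strict seccomp rules" looks like at the syscall level: a seccomp-bpf allowlist built by hand, an offline evaluator so the policy can be checked before it is installed, and the unshare + no_new_privs + PR_SET_SECCOMP sequence that applies it to the calling process. It assumes Linux on x86_64 with glibc; the allowlist itself is illustrative and far too small for a real browser.

```c
/* Added example: minimal seccomp-bpf allowlist plus namespace isolation.
   Assumptions: Linux x86_64, glibc, kernel headers. The syscall list is
   illustrative only; a real browser policy is much larger. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sched.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* kernel < 4.14 headers */
#endif

#define MAX_INSNS 64
struct syscall_filter { struct sock_filter insns[MAX_INSNS]; unsigned short len; };

/* Build an allowlist: listed syscalls are allowed, everything else kills the
   process. Foreign-ABI calls (e.g. x32 numbers) are killed too, since syscall
   numbers are only meaningful per architecture. Returns 0, or -1 if too big. */
int build_allowlist(struct syscall_filter *f, const int *allowed, size_t n) {
    size_t need = 4 + 2 * n + 1;
    if (need > MAX_INSNS) return -1;
    f->len = 0;
    f->insns[f->len++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    f->insns[f->len++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    f->insns[f->len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    f->insns[f->len++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++) {
        /* match -> fall into RET ALLOW; no match -> skip it and test the next */
        f->insns[f->len++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[i], 0, 1);
        f->insns[f->len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    f->insns[f->len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return 0;
}

/* Evaluate the filter offline against a synthetic seccomp_data, the way the
   kernel interpreter would, for the instruction subset build_allowlist emits.
   Lets you check a policy before installing it (a wrong policy kills you). */
unsigned int run_filter(const struct syscall_filter *f, unsigned int arch, int nr) {
    unsigned int acc = 0;
    for (unsigned pc = 0; pc < f->len; pc++) {
        const struct sock_filter *in = &f->insns[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k == offsetof(struct seccomp_data, nr)) acc = (unsigned)nr;
            else if (in->k == offsetof(struct seccomp_data, arch)) acc = arch;
            else return SECCOMP_RET_KILL_PROCESS;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf; /* offsets are relative to next insn */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Illustrative default policy (assumption: enough for "write a line and exit"). */
static const int kDefaultAllow[] = { SYS_read, SYS_write, SYS_brk, SYS_mmap, SYS_munmap,
                                     SYS_rt_sigreturn, SYS_exit, SYS_exit_group };

int default_filter_len(void) {
    struct syscall_filter f;
    return build_allowlist(&f, kDefaultAllow, sizeof kDefaultAllow / sizeof kDefaultAllow[0]) == 0 ? f.len : -1;
}

unsigned int default_decision(unsigned int arch, int nr) {
    struct syscall_filter f;
    if (build_allowlist(&f, kDefaultAllow, sizeof kDefaultAllow / sizeof kDefaultAllow[0]) != 0)
        return SECCOMP_RET_KILL_PROCESS;
    return run_filter(&f, arch, nr);
}

/* Apply to the calling process: fresh user/mount/pid/net namespaces (needs
   unprivileged user namespaces enabled; CLONE_NEWPID only affects children),
   then no_new_privs (required to install a filter unprivileged), then the
   filter. Order matters: after the filter, unshare itself would be killed. */
int apply_sandbox(const struct syscall_filter *f) {
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWNET) != 0) return -errno;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -errno;
    struct sock_fprog prog = { .len = f->len, .filter = (struct sock_filter *)f->insns };
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -errno;
    return 0;
}

int main(void) {
    struct syscall_filter f;
    if (build_allowlist(&f, kDefaultAllow, sizeof kDefaultAllow / sizeof kDefaultAllow[0]) != 0) return 1;
    printf("write  -> %s\n", run_filter(&f, AUDIT_ARCH_X86_64, SYS_write) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("openat -> %s\n", run_filter(&f, AUDIT_ARCH_X86_64, SYS_openat) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    int rc = apply_sandbox(&f);
    if (rc != 0) { fprintf(stderr, "apply_sandbox: %s\n", strerror(-rc)); return 1; }
    const char msg[] = "sandboxed; any openat() from here on kills the process\n";
    write(1, msg, sizeof msg - 1);
    return 0;
}
```

The offline evaluator is the part worth keeping around: a filter that forgets a syscall glibc uses internally kills the process with SIGSYS and no useful message, so check the policy against the numbers you expect before installing it, and log with `SECCOMP_RET_LOG` or audit rather than kill while developing one.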

VMs are all nice and that, but if the exploit can compromise the TBB it's too late already; sandboxing needs to happen in the browser. On Linux you can use namespaces + strict seccomp rules, but I don't know what one would use for Windows.

You can take a look at the sandbox implementation of Firefox (shared with Chrome) to see. TBB uses ESR which predates all that, though.

Working within an assumed-breach scenario, the VM is defense in depth. Firefox has holes, and it will continue to be relatively easily exploitable as long as TBB allows plugins and JavaScript by default. There is reticence from the TBB team to disable JS by default even in the face of a few of these 0days, so you have to protect TBB users a level down from the browser and assume it'll be popped.

There are Windows "sandboxes" like Bromium, and as stated, IIRC EMET will stop the stack pivot here.

Last time I checked they were working on a TBB sandbox [1]. Let's hope it will be there soon. Subgraph has oz [2], which can be used with any program really, and then there is firejail [3], but these two are only available on Linux.

1: https://blog.torproject.org/blog/q-and-yawning-angel
2: https://github.com/subgraph/oz
3: https://github.com/netblue30/firejail