Necko: Sandboxing TCP/UDP socket in a separate process

From MozillaWiki
Jump to: navigation, search

Objectives

Move all the network and socket operations to an isolated process.

Goals

  • For security
    • Sandboxing network access into a separate process, preventing chrome process from opening socket
    • Preventing protocol security hole to be used to control the entire browser
  • For stability
    • Allow recovering network layer without rebooting firefox, if crash/assertion is detected in the socket process
  • For performance
    • No major regression found for start-up performance and network throughput

Requirements

HTTP Channel

  • load protocol configuration from Gecko preference
  • Alternative Service, uses AlternateServices.txt
  • Cookie access need to stay on chrome process
  • WebRequest can intercept http request/response
  • Download triggered by unknown content type needs to divert back to chrome process

FTP Channel

TCP Socket

  • permission controlled by chrome process
  • prevent system port to be bind

UDP Socket

  • permission controlled by chrome process
  • prevent system port to be bind

DNS

  • permission to do system call for DNS query
  • thread pool for doing blocking operation in parallel
  • allow both chrome process and content process to request DNS query directly to socket process

Cache

  • choice #1: stay in chrome process:
    • need a copy of full http response from socket process
    • for RCWN, need to delay the construction for ODA IPC endpoint until we know cache win or network win
  • choice #2: move to socket process:
    • need access cache data file from socket process
    • need to move cache evaluation code from nsHttpChannel to other class on socket process

AppCache

Tracking Protection

Proxy

  • load proxy configuration from Gecko preference
  • PAC loading and execution, require JS runtime
  • access system proxy setting
  • create and connect to name pipe

WebSocket

WebRTC

PSM

  • touches the preferences and various txt files in the profile
  • Cert store, uses cert*.db and key*.db
  • revocation information (i.e. nsICertBlocklist), uses revocations.txt
  • certificate error overrides (nsICertOverrideService), uses cert_override.txt.
  • HSTS/HPKP information (nsISiteSecurityService, although we've already implemented a way to access this information in non-parent processes), uses SiteSecurityServiceState.txt, SecurityPreloadState.txt
  • external PKCS#11 module, require DLL loading from arbitrary file path

NSS

  • uses the cert/key/secmod.db files as well as pkcs11.txt.
  • access system file, e.g. /dev/urandom and system policy files under /etc

PKI/PKIX

doesn't interact with preferences or file directly.

Sandboxing

  • Chrome process is still the only secure zone. Every IPC interface received at Chrome process should be audited
  • IPC to content process or socket process should at least do sanity check in the receiver side
  • Better not providing interface to create arbitrary TCP/UDP connection

DevTool

  • require TCP/UDP socket
  • require JS runtime for devtool protocol

Design

Architecture

IPDL

Start-up Procedure

Create HTTP Channel

Create WebRTC Channel

Update Preference

Override Certificate

NTLM

TODOs

  • hook ProcessHangMonitor
  • hook CrashReporter
  • hook MemoryPresure
  • hook MemoryReporter
  • ensure Telemetry works
  • ensure MOZ_LOG works
  • remove XPCOM and support only C++ implementation