Security/Sandbox/Hardening

154 bytes added, 04:48, 2 December 2016
== Hardening the Firefox Security Sandbox ==
=== Background ===
The basis of the Firefox security sandbox model is that untrusted web content is loaded in untrusted content processes, separate from the trusted Firefox code, which runs in the "Chrome" process (also called the parent process). The parent acts as a broker for access to privileged OS functionality and data. Content processes execute in a sandbox which limits their system privileges, so that if a malicious web page exploits a vulnerability to execute arbitrary code, it is unable to compromise the underlying OS.
[[File:Sandbox Hardening.png|thumbnail]]
The sandboxed or "child" processes (red borders) include the content processes (web, file and extension) and several other child processes:
* Web Content process: parses and executes untrusted web content.
* File Content process: responsible for loading file:// URIs
* Web Extension Content Process: future process planned for loading web extension content. See [/WebExtensions/Implementing_APIs_out-of-process] for further detail.
* GMP process: highly restrictive sandbox running GMP plugins (e.g. Widevine, Primetime, OpenH264)
* NPAPI Process: Flash sandbox on Win64
Further detail on the process model can be found here: [[Security/Sandbox/Process_model]].

The strength of the sandbox as a security feature depends primarily on the restrictions placed on the Web Content process. Ideally, web content should run completely sandboxed from the underlying operating system and should not require access to:
* restricted network resources.
The reality is more complicated: Firefox requires many of these privileges to run, and was not originally designed to be sandboxed, so work is required to make it compatible. Initial support for sandboxing is available on all release versions of Firefox. The next step is to harden the sandbox by tightening restrictions on content processes, moving or remoting sandbox-incompatible code to the parent. Detailed status of the sandbox implementation is tracked here: [[Security/Sandbox]].
=== Browser Hardening ===
The goal of hardening is to make the browser resilient even when a content process is compromised. Having a strong sandbox in place is of no use if a weak trust model or an IPC implementation flaw leads to trivial privilege escalation:
[[File:SandboxBypass.png|thumbnail]]
 
To harden the browser against this sort of sandbox bypass, several efforts are underway:
* Security Model Review: review of the design of Firefox components to ensure they enforce a strong security model
* IPC Hardening: auditing and fuzz testing the IPC mechanisms used to communicate between content and chrome processes
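The two hardening efforts above target the same failure: a parent-side broker that believes what a compromised child tells it. The following added example (not Firefox code; the JSON message format, the ''privileged'' field, the single allowlisted directory and the two broker variants are all constructed for illustration) contrasts a broker with a weak trust model against a hardened one. The weak broker grants privilege based on a flag inside the message and checks the raw path string; the hardened broker derives privilege only from which endpoint the request arrived on, validates message structure before use, and canonicalises the path before the allowlist check.

```python
import json
import posixpath

# Constructed policy for the illustration: the only tree a content process may read.
ALLOWED_READ_ROOTS = ("/profile/cache",)
REQUIRED_FIELDS = {"op": str, "path": str}


def parse_request(raw: bytes):
    """Decode one IPC request from a child.

    Returns a dict on success and None for anything malformed. The parent treats
    the child as hostile, so a parse failure is a deny, never an exception that
    could take the broker (and with it the whole browser) down.
    """
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(msg, dict):
        return None
    for field, ftype in REQUIRED_FIELDS.items():
        if not isinstance(msg.get(field), ftype):
            return None
    return msg


def weak_broker(raw: bytes, sender_is_parent: bool):
    """Broker with a weak trust model (the 'before' picture).

    Two flaws: it honours a 'privileged' flag carried inside the message, which
    a compromised child can simply set, and it compares the uncanonicalised path
    against the allowlist, so '..' segments are not noticed.
    """
    msg = parse_request(raw)
    if msg is None:
        return ("deny", "malformed")
    if msg.get("privileged") is True or sender_is_parent:
        return ("allow", msg["path"])
    if msg["op"] == "read" and msg["path"].startswith(ALLOWED_READ_ROOTS):
        return ("allow", msg["path"])
    return ("deny", "policy")


def hardened_broker(raw: bytes, sender_is_parent: bool):
    """Hardened broker: privilege comes only from facts the parent already knows.

    sender_is_parent stands for the identity of the IPC endpoint the request
    arrived on; nothing in the message body can raise a content process's rights.
    """
    msg = parse_request(raw)
    if msg is None:
        return ("deny", "malformed")
    if sender_is_parent:
        return ("allow", msg["path"])
    if msg["op"] != "read":
        return ("deny", "operation not brokered for content processes")
    # Lexical canonicalisation collapses '..' and '//', so a request for
    # '/profile/cache/../../etc/passwd' is judged as '/etc/passwd'.
    canon = posixpath.normpath(msg["path"])
    if not canon.startswith("/"):
        return ("deny", "relative path")
    for root in ALLOWED_READ_ROOTS:
        if canon == root or canon.startswith(root + "/"):
            return ("allow", canon)
    return ("deny", "path outside allowlist")


if __name__ == "__main__":
    # Constructed requests as a compromised content process might send them.
    samples = [
        b'{"op":"read","path":"/profile/cache/thumb.bin"}',
        b'{"op":"read","path":"/profile/cache/../../etc/passwd"}',
        b'{"op":"read","path":"/etc/passwd","privileged":true}',
        b'{"op":"read","path":3}',
    ]
    for s in samples:
        print(s.decode(), "weak:", weak_broker(s, False), "hardened:", hardened_broker(s, False))
```

The point of the comparison is where trust is anchored: in the hardened version, every decision depends on state the parent controls (the receiving endpoint and its own policy), and the child's bytes are only ever an input to be validated. Lexical normalisation alone does not settle symlink questions; a broker that actually opens files also needs to resolve the path against the filesystem before checking it, which this offline illustration deliberately leaves out.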
==Security Model Review ==