Security/Features/Sandboxing of content processes

From MozillaWiki
Jump to: navigation, search
Please use "Edit with form" above to edit this page.

Status

Sandboxing of content processes
Stage Development
Status In progress
Release target `
Health Blocked
Status note Waiting on E10S enabled by default

Team

Product manager Sid Stamm
Directly Responsible Individual Sid Stamm
Lead engineer Guillaume Destuynder
Security lead Guillaume Destuynder
Privacy lead `
Localization lead `
Accessibility lead `
QA lead `
UX lead `
Product marketing lead `
Operations lead `
Additional members Brian Bondy, David Keeler, Christoph Kerschbaumer

Open issues/risks

  • E10S is slow going, so only slow progress can be made
  • Threat model needed

Stage 1: Definition

1. Feature overview

Process isolation is designed to separate Firefox into multiple processes, each with the least amount of privilege necessary. In doing so, the potential damage for a large number of Firefox vulnerabilities can be reduced. While implementing sandboxing is not a goal for the current phase of Electrolysis, we need to consider the architectural requirements for doing so now in order to effectively support sandboxing in the future.

We will do so by:

  • identifying high level of categories of threats that we could address via process isolation
  • determining the architectural implications of mitigating each category
  • selecting a threat model and architecture that will address it, and prototyping it
  • determining whether the chosen model is actually feasible within the current Gecko architecture
  • implementation roadmap
  • implement it

2. Users & use cases

  • Reduce the damage for various types of vulnerabilities within Firefox. This is a defense in depth measure.

3. Dependencies

Older project description: https://wiki.mozilla.org/Security/ProcessIsolation
Early draft of threat model: https://wiki.mozilla.org/Security/ProcessIsolation/ThreatModel

4. Requirements

  • Define a threat model
  • Verify whether the implementation effectively mitigates the threats

Non-goals

  • Eliminate security vulnerabilities. Sandboxing can reduce the severity of a given bug (by reducing the privilege the malicious code runs with), but it doesn't not actually prevent nor fix the underlying bug.

Stage 2: Design

5. Functional specification

Security/Sandboxing

6. User experience design

`

Stage 3: Planning

7. Implementation plan

  • Land libraries to support low-rights mode for proceses
  • Hook into e10s to begin lowering rights for content processes
  • Iteratively remove individual rights, fix regressions, repeat

8. Reviews

Security review

`

Privacy review

`

Localization review

`

Accessibility

`

Quality Assurance review

`

Operations review

`

Stage 4: Development

9. Implementation

`

Stage 5: Release

10. Landing criteria

`


Feature details

Priority P1
Rank 999
Theme / Goal Product Hardening
Roadmap Security
Secondary roadmap Platform
Feature list `
Project `
Engineering team Security

Team status notes

  status notes
Products ` `
Engineering ` `
Security ` `
Privacy ` `
Localization ` `
Accessibility ` `
Quality assurance ` `
User experience ` `
Product marketing ` `
Operations ` `


Chrome already does something similar. See http://dev.chromium.org/developers/design-documents/sandbox

Microsoft also had a research project for a multi-principal browser: http://research.microsoft.com/apps/pubs/default.aspx?id=79655