whoami?
Chris, a student at the University of Minnesota finishing my undergrad degree in comp sci. I enjoy poking software until it breaks.
- Chris Hickstein
- Professor Stephen McCamant
- Mozilla Advisor: Frederik Braun
Firefox Sandbox Audit
FirefoxOS uses a defensive programming technique called 'sandboxing' to limit the control of an attacker who has already compromised (or installed) an application running on the system. This is implemented by separating system tasks into multiple processes, each of which holds only the privileges it needs to complete its task. For example, a process responsible for rendering webpages must process a large amount of input controlled by network attackers. If a bug is found in the webpage rendering code, there is a strong chance an attacker can exploit it to gain remote code execution. Therefore the renderer process is only given permission to read and write data relevant to the webpage, such as its own DOM. However, a low-privileged 'sandboxed' process may require a resource or action that it was not given initial access to. In many cases the sandboxed process can still trigger the required action, but it must ask a process with the appropriate privilege level to complete the task, through mechanisms such as inter-process communication (IPC). The privileged application can verify that the request message is well formatted and non-malicious before executing it.
A great technical introduction for FirefoxOS IPC can be found here:
Inside these privileged applications, the code responsible for handling IPC messages from sandboxed processes is of great interest to an attacker. Remember that privileged processes must assume the sandboxed applications have already been compromised and treat any message from them as potentially attacker-controlled. Therefore, if the message handling code contains any software bugs, it could allow an attacker to escalate their privileges by compromising the non-sandboxed process through specially crafted IPC messages.
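The following is an added example, not code from this page or from Firefox OS. It shows a privileged-side handler that treats a child's message as attacker-controlled: it checks the length field against the bytes actually received, allow-lists the requested name, and authorizes against grants the parent itself recorded for the channel. The wire format, `Parent`, `HandleMessage`, `MakeMsg` and the setting names are all hypothetical.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

// Hypothetical wire format (not Firefox's IPDL): [u8 type][u16 LE length][name bytes]
enum class Verdict { Allow, Malformed, UnknownType, BadName, Denied };
constexpr uint8_t kReadSetting = 1;
constexpr size_t kMaxName = 64;

// Privileged side. Grants are recorded per channel when the parent launches
// the child; they are never read from the message itself.
struct Parent {
    std::map<int, std::set<std::string>> grants;  // channel id -> readable settings

    Verdict HandleMessage(int channel, const std::vector<uint8_t>& msg) const {
        if (msg.size() < 3) return Verdict::Malformed;       // header must be complete
        if (msg[0] != kReadSetting) return Verdict::UnknownType;
        size_t len = msg[1] | (static_cast<size_t>(msg[2]) << 8);
        // The length field is attacker-controlled: require an exact match.
        if (len != msg.size() - 3) return Verdict::Malformed;
        if (len == 0 || len > kMaxName) return Verdict::BadName;
        std::string name(msg.begin() + 3, msg.end());
        for (unsigned char c : name)                          // allow-list: a-z and '.'
            if (!(std::islower(c) || c == '.')) return Verdict::BadName;
        auto it = grants.find(channel);
        if (it == grants.end() || !it->second.count(name)) return Verdict::Denied;
        return Verdict::Allow;  // only now would the parent act on the request
    }
};

// Builds a constructed sample message; claimedLen may disagree with the payload.
std::vector<uint8_t> MakeMsg(uint8_t type, uint16_t claimedLen, const std::string& name) {
    std::vector<uint8_t> m{type, static_cast<uint8_t>(claimedLen & 0xff),
                           static_cast<uint8_t>(claimedLen >> 8)};
    m.insert(m.end(), name.begin(), name.end());
    return m;
}

int main() {
    Parent p;
    p.grants[7].insert("app.theme");  // constructed grant for channel 7
    // Channel 7 overstates the length, then asks for a name it was never granted.
    std::printf("%d %d\n",
                static_cast<int>(p.HandleMessage(7, MakeMsg(kReadSetting, 500, "app.theme"))),
                static_cast<int>(p.HandleMessage(7, MakeMsg(kReadSetting, 10, "sys.secret"))));
}
```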
August - December 2014
This audit is concerned with software bugs in the FirefoxOS code that allow an attacker to compromise a privileged process and escape from the sandbox.
Specifically, we are concerned with those triggerable in the IPC mechanisms between a child app and the master 'b2g' process; however, I'm sure we'll find some extras along the way :)
Firefox OS Sandbox Review
- Design Bugs
- Implementation Bugs