From MozillaWiki

Firefox Security Team Newsletter Q3 17

Firefox Quantum is almost here and contains several important security improvements: stronger sandboxing, web platform hardening, faster cryptography, and much more. Read on to find out about all the security goodness coming through the Firefox pipeline.

  • Sandbox work is seeing great progress. As of Firefox 57, the sandbox restricts content process file system access on Windows, Mac OS X, and Linux, a major milestone. Further restrictions are enabled for Windows in Firefox 58.

  • Firefox 57 now treats data: URLs as unique origins, reducing the risk of cross-site scripting (XSS).

  • The Firefox Multi-Account Containers Add-on shipped, allowing users to juggle multiple identities in a single browsing session.

  • Increased AES-GCM performance in Firefox 56, and support for Curve25519 in Firefox 57 (the first formally verified cryptographic algorithm in a web browser).

  • Experimental support for anti-phishing FIDO U2F “Security Key” USB devices landed behind a preference in Firefox 57. This feature is a forerunner to W3C Web Authentication, which will bring this anti-phishing technology to a wider market.

  • The privacy WebExtension API can now be used to control the privacy.resistFingerprinting preference and first party isolation, both experimental privacy features.

Team Highlights

Security Engineering

Crypto Engineering

  • AES-GCM performance is increased across the board, making large transfers more efficient in Firefox 56. [blog post]

  • Our implementation of Curve25519 in Firefox 57 is the first formally verified cryptographic algorithm in a web browser. [blog post]

  • Experimental support for anti-phishing FIDO U2F “Security Key” USB devices landed behind a preference in Firefox 57. This feature is a forerunner to W3C Web Authentication, which will bring this anti-phishing technology to a wider market.

Privacy and Content Security

  • The privacy WebExtension API can now be used to control the privacy.resistFingerprinting preference and first party isolation.

  • Containers launched as an extension available from AMO (2 blog posts).

  • Containers have had a few improvements for web extensions:

    • Containers are now enabled when installing a contextual identity extension.

    • Events to monitor container changes.

    • Ability to get icon URLs for containers along with hex colour codes.

    • Cleaner APIs.

  • Lightbeam was remade as a web extension.

  • Firefox 57 treats data: URLs as unique origins [unique origins], which mitigates the risk of XSS and makes Firefox standards-compliant and consistent with the behaviour of other browsers.

  • Shipped version 4 of the Safe Browsing protocol.
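To make the "unique origin" point concrete, here is an added example (not Firefox or Mozilla code) that computes the origin of a URL with the WHATWG URL class, whose `origin` property serialises an opaque origin as the string "null". A data: document gets an opaque origin, so it is same-origin with nothing, not even an identical data: URL, and script inside it cannot reach the DOM or cookies of the page that loaded it. The sample URLs are constructed.

```javascript
// Added example (not Firefox code): origin computation for URLs, showing why a
// data: URL is a "unique" (opaque) origin. `new URL(s).origin` is the serialised
// origin; it is the string "null" for opaque origins such as data: documents.
function originOf(urlString) {
  const origin = new URL(urlString).origin;
  return origin === "null" ? null : origin;   // null = opaque / unique origin
}

// Two documents are same-origin only if both have a tuple origin
// (scheme, host, port) and the tuples match. An opaque origin equals nothing,
// not even itself, so two identical data: URLs are still cross-origin.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && ob !== null && oa === ob;
}

// Could script running in `childUrl` (for example an iframe or a navigated
// document) touch the DOM or cookies of `parentUrl`? Only if same-origin.
function canScriptAccess(childUrl, parentUrl) {
  return sameOrigin(childUrl, parentUrl);
}

// Constructed sample: a site page and a data: document loaded from it.
const site = "https://example.com/page";
const dataDoc = "data:text/html,<p>hello</p>";

console.log(originOf(site));                 // https://example.com
console.log(originOf(dataDoc));              // null (unique origin)
console.log(canScriptAccess(dataDoc, site)); // false: data: no longer inherits the site's origin
console.log(sameOrigin(dataDoc, dataDoc));   // false: every data: document is its own origin
```

Note that the default port is dropped in the serialised origin, so `https://example.com:443/x` and `https://example.com/y` compare equal, while `http://` and `https://` versions of the same host do not.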

Firefox and Tor Integration

  • Continued the Tor patch uplift work, focusing on browser fingerprinting resistance:

    • Landed 12 more anti-fingerprinting patches in 57.

  • The MinGW build has landed in mozilla-central and is available in Treeherder.

Content Isolation

  • Various Windows content process security features were enabled over the quarter, including disabling of legacy extension points (56), image load policy improvements (57), and increased restrictions on job objects (58). Finally, we've enabled the alternate desktop feature in Nightly after battling various problems with anti-virus software interfering with child process startup.

  • The new 'default deny' read access policy for the Linux file access broker is now enabled by default for content processes and is rolling out in Firefox 57. The broker forwards content process file access requests to the parent process for approval, severely restricting what a compromised content process could do within the local file system.

  • Numerous access rules associated with file system, operating system services, and device access have been removed from the OS X content process sandbox. In terms of file system access, we've reached parity with Chrome's renderer. Remaining print server access will be removed in Q4; removal of graphics and audio access is currently being planned.

  • We continue to invest in cleaning up various areas of the code that have accumulated technical debt.

  • We’ve completed our research on the scope of enabling the Win32k System Call Disable Policy feature. This feature will isolate content processes from a large class of Win32k kernel APIs commonly used for sandbox escape and privilege escalation. Planning for this long-term project is currently underway, with work expected to commence in Q4.

  • As a result of the stability and process startup problems caused by third-party code injection, a new internal initiative has formed to better address problems associated with unstable software injected into Firefox. This cross-team group will explore and improve policy around outreach and blocking, data collection and research, and improved injection mitigation techniques within Firefox.
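The "default deny" file access broker described above is a policy decision made in the parent process: the content process cannot open files itself, so it asks the parent, and the parent allows only what an explicit rule permits. The following added example is a model of that decision logic, not Mozilla's broker code; the rule set, paths and requests are constructed. It also shows the canonicalisation step a broker needs before matching, so that a `..` segment cannot escape a prefix rule.

```javascript
// Added example (not Firefox sandbox code): a model of a "default deny"
// file-access broker policy. The content process sends (path, access) requests;
// the parent answers allow/deny from an explicit allow-list. Anything not
// matched by a rule is denied.
const READ = 1;
const WRITE = 2;

// Constructed allow-list. Prefix rules; the access bits are the maximum allowed.
const POLICY = [
  { prefix: "/usr/lib/firefox/", access: READ },                 // program files, read-only
  { prefix: "/usr/share/fonts/", access: READ },
  { prefix: "/home/user/.mozilla/firefox/profile/cache2/", access: READ | WRITE },
];

// Canonicalise an absolute POSIX path: drop empty and "." segments, resolve "..".
// This stops "/usr/lib/firefox/../../../etc/passwd" from matching the firefox rule.
// A real broker must also resolve symlinks (e.g. open relative to a directory
// handle); textual normalisation alone is not sufficient.
function canonical(p) {
  if (!p.startsWith("/")) return null;          // relative paths are refused outright
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }  // never climbs above "/"
    out.push(seg);
  }
  return "/" + out.join("/");
}

// The broker's decision for one request. First matching prefix rule wins;
// the requested access must be a subset of what the rule grants.
function brokerDecide(requestPath, access) {
  const p = canonical(requestPath);
  if (p === null) return { allow: false, reason: "relative path" };
  for (const rule of POLICY) {
    if (p.startsWith(rule.prefix)) {
      if ((access & rule.access) === access) return { allow: true, rule: rule.prefix };
      return { allow: false, reason: `access exceeds rule ${rule.prefix}` };
    }
  }
  return { allow: false, reason: "no rule (default deny)" };
}

// Constructed sample requests, including ones the policy must refuse.
const REQUESTS = [
  ["/usr/lib/firefox/libxul.so", READ],
  ["/usr/lib/firefox/libxul.so", WRITE],
  ["/usr/lib/firefox/../../../etc/passwd", READ],
  ["/etc/hostname", READ],
  ["/home/user/.mozilla/firefox/profile/cache2/entries/abc", READ | WRITE],
  ["/home/user/Documents/notes.txt", READ],
];

function audit() {
  return REQUESTS.map(([p, a]) => ({ path: p, ...brokerDecide(p, a) }));
}

for (const r of audit()) {
  console.log(r.allow ? "ALLOW" : "DENY ", r.path, r.reason || r.rule);
}
```

Only the two requests covered by a rule with sufficient access bits are allowed; everything else, including the traversal attempt, is denied without the broker needing a rule that names the denied path.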

Operations Security

  • addons.mozilla.org and Firefox Screenshots went through external security audits. The reports will be released soon.

  • Internal audits of Crash Reports and Phabricator were completed and found no maximum- or high-risk issues.

  • addons.mozilla.org, Crash Reports, Telemetry, Pontoon, Push and Tracking Protection backends have been connected to pyup.io to track vulnerabilities in upstream Python dependencies.

  • Verification of the signature of installer and update files has been integrated into the product delivery pipeline, to prevent an attacker from feeding an improperly signed file to our download sites.

Security Assurance

  • Developed a new static analysis tool to detect sandbox-related flaws in IPDL endpoints.

  • Established a mobile security review process to cover projects coming through the New Mobile Experience pipeline.

  • Identified a number of warnings by building for Windows with gcc, and resolved many of them.

Cross-Team Initiatives

Security Blog Posts & Presentations