Security/Sandbox/Process model: Difference between revisions

→ Process Model: Update intro
m (No edit summary)
(→ Process Model: Update intro)
Line 2: Line 2:
Multi-process Firefox employs a process sandbox to protect against malicious content. In this model, untrusted content is run in a sandboxed low-rights process so that in the event of a compromise, access to full system functionality and data is prevented by a sandbox. This document aims to provide an overview of the sandbox implementation and outline the design implications for Gecko features.
== Process Model ==
For sandboxing to be an effective security control, Firefox must be split into parent and child processes, such that the child processes responsible for running untrusted content can be restricted to limit damage in the event of compromise. The Electrolysis project enabled moving parsing and execution of web content to a content process, and sandboxing is based on this process model. In general a child process is untrusted and is intended to run remote content. Its sandbox restricts privileges and prevents access to all but necessary system resources. The main focus of the sandbox project is child processes called "Web Content processes", i.e. processes which parse and execute web content. However, Firefox currently also makes use of several other types of sandboxed child process, and more are planned for future improvement.
For sandboxing to be an effective security control, Firefox is split into parent and child processes, such that the child processes responsible for running untrusted content can be restricted to limit damage in the event of compromise. The [https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Multiprocess_Firefox Electrolysis project] enabled moving parsing and execution of web content to a content process, and sandboxing is based on this process model. In general a child process is untrusted and is intended to run remote content. Each child process has a sandbox that prevents access to all but necessary system resources. The main focus of the sandbox project is child processes called "Web Content processes", i.e. processes which parse and execute web content. However, Firefox currently also makes use of several other types of sandboxed child process, and more are planned for future improvement. Below is a description of the various processes used in Firefox.


=== Chrome process ===
=== Parent process ===
The Chrome (or "parent") process, named for where the browser's "chrome" or UI is run, is the trusted process which controls interaction with the underlying operating system. The parent process is not sandboxed and has regular access to the operating system in order to access files, devices and network resources as part of regular browser use. As such, it should only ever run trusted code; all untrusted web content should be processed in a child process. The parent also acts as a broker for privileged resource requests from the child.


Line 41: Line 41:


=== NPAPI process (64-bit Windows only) ===
On 64-bit Windows, Firefox employs a sandbox to limit the impact of compromised plug-ins. This sandbox landed in Firefox 41 and has been tightened since; at a high level it aims to limit access to the file system and other system privileges. For further detail see https://wiki.mozilla.org/Security/Sandbox#64-bit_Plugin and https://wiki.mozilla.org/Firefox/win64


== Future Process Types ==