User:Mwobensmith/FP sandbox

From MozillaWiki

Phone conversation with Jeromie Clark, QA Manager, Adobe Flash Player

8/15/13

Flash Player sandbox:

  • Was implemented around 2 years ago in FP 11.3
  • Win Vista and higher only
  • Was required as they needed to get off the "0day train"
  • Had already learned from the Acrobat sandbox

Some details:

  • Low-integrity process by default, must communicate with medium-integrity broker in order to access most things
  • The OS also provides additional protection by limiting access to resources that belong to the user via Security Identifiers (SIDs)
  • More: blog post

Problems they faced:

  • Compatibility with the browser NPAPI, which was not built with this purpose in mind
    • IPC connections to the browser can get mangled; messages sometimes arrive in the wrong order
    • This caused many unreproducible crashes in the wild that could never be reproduced in extensive testing
  • Initially unstable, but after 2 years they have returned to pre-sandbox stability
  • Broke other pieces of software that hosted FP, as they relied on FP calling into them under conditions that FP itself had changed
  • Ran into unexpected issues with personal firewall products like Comodo and ZoneAlarm, which (apparently) interpose themselves between FP and the browser itself
  • Chrome and the Pepper API: not willing to help FP with its needs in this department

Positives:

  • Have effectively killed large classes of attacks (in above configs only)
  • Mozilla was a big help to them, as the only browser vendor that provided helpful crash stacks from the wild

Negatives:

  • Lots of unreproducible bugs. They don't even investigate many of these, anymore. Because of above-mentioned NPAPI sync issues, race conditions will create crashes that weren't caught in thousands of iterations of tests in-house.
  • Unrelated, but downstaffing/brain drain of eng means that no one who worked on sandbox is left at the company.

Overall:

  • Positive outcome, with a high cost
  • "Sandbox is not a panacea" - they have other new features (such as JIT constant blinding) that help a lot
  • Note: Mac OS X "Mavericks" will have plugin sandboxing of some sort

Testing strategy:

  • TBD, but if/when we get to this point, we'll need to have a list of things that will be brokered from web content (printer, file system, clipboard, camera, etc.) and test heavily around those areas.
  • Just a big, wide surface - as long and broad as possible to catch regressions and fix them
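The broker pattern from the "Some details" section (a low-privilege process that can only reach host resources by asking a higher-privilege broker) and the "Testing strategy" list of brokered surfaces are easier to reason about with a concrete model. The following is an added illustration written for these notes; it is not Adobe's or Mozilla's code. The surface names, the policy rules, the temporary directory and the in-process function call standing in for the cross-process IPC are all constructed assumptions. It shows the single choke point every request passes through, path canonicalisation before an allowlist check, a user-gesture gate for device surfaces, an audit log of denials, and a coverage check that every listed surface has a handler so a new one cannot ship unbrokered.

```python
"""Toy model of a brokered sandbox: a low-privilege 'plugin' side may only
reach host resources through a broker that enforces an allowlist policy.

Added illustration for these notes, not Adobe's or Mozilla's code. Surface
names, policy rules and paths are constructed; Broker.handle() is a plain
function call standing in for IPC between two processes at different
integrity levels.
"""
import os
import tempfile
from dataclasses import dataclass, field

# Resource classes the testing-strategy notes expect to be brokered from web content.
BROKERED_SURFACES = ("filesystem", "clipboard", "printer", "camera")


@dataclass
class BrokerPolicy:
    # Directories the sandboxed side may read; nothing else on disk is reachable.
    readable_roots: tuple = ()
    # Surfaces that need an explicit user gesture before the broker grants them.
    gesture_gated: frozenset = frozenset({"camera", "printer"})
    clipboard_read: bool = False


@dataclass
class Broker:
    policy: BrokerPolicy
    audit_log: list = field(default_factory=list)  # (verdict, surface, reason)

    def handle(self, request: dict) -> dict:
        """Single entry point: validate and log before any resource is touched."""
        surface = request.get("surface")
        if surface not in BROKERED_SURFACES:
            return self._deny(request, "unknown surface")
        return getattr(self, f"_do_{surface}")(request)

    def _deny(self, request, reason):
        self.audit_log.append(("deny", request.get("surface"), reason))
        return {"ok": False, "reason": reason}

    def _allow(self, request, payload):
        self.audit_log.append(("allow", request.get("surface"), ""))
        return {"ok": True, "data": payload}

    def _do_filesystem(self, request):
        # Canonicalise first so '..' or symlink tricks cannot escape a readable root.
        target = os.path.realpath(request.get("path", ""))
        for root in self.policy.readable_roots:
            root = os.path.realpath(root)
            if os.path.commonpath([root, target]) == root:
                try:
                    with open(target, "rb") as fh:
                        return self._allow(request, fh.read())
                except OSError as exc:
                    return self._deny(request, f"os error: {type(exc).__name__}")
        return self._deny(request, "path outside readable roots")

    def _do_clipboard(self, request):
        if not self.policy.clipboard_read:
            return self._deny(request, "clipboard read not permitted")
        return self._allow(request, "<clipboard contents>")  # constructed stand-in

    def _gesture_gated(self, request):
        surface = request["surface"]
        if surface in self.policy.gesture_gated and not request.get("user_gesture"):
            return self._deny(request, "requires user gesture")
        return self._allow(request, f"{surface} granted")

    _do_printer = _gesture_gated
    _do_camera = _gesture_gated


def policy_covers_all_surfaces(broker: Broker) -> bool:
    """Regression check in the spirit of the testing strategy: every brokered
    surface must have a handler, so a new surface cannot ship unbrokered."""
    return all(hasattr(broker, f"_do_{s}") for s in BROKERED_SURFACES)


def demo() -> dict:
    """Run constructed requests through the broker and return the verdicts."""
    with tempfile.TemporaryDirectory() as allowed:
        with open(os.path.join(allowed, "ok.txt"), "w") as fh:
            fh.write("brokered read")
        broker = Broker(BrokerPolicy(readable_roots=(allowed,)))
        fs = "filesystem"
        return {
            "in_root": broker.handle({"surface": fs, "path": os.path.join(allowed, "ok.txt")})["ok"],
            "traversal": broker.handle({"surface": fs, "path": os.path.join(allowed, "..", "etc", "passwd")})["ok"],
            "clipboard": broker.handle({"surface": "clipboard"})["ok"],
            "camera_no_gesture": broker.handle({"surface": "camera"})["ok"],
            "camera_gesture": broker.handle({"surface": "camera", "user_gesture": True})["ok"],
            "unknown": broker.handle({"surface": "registry"})["ok"],
            "denials_logged": sum(1 for e in broker.audit_log if e[0] == "deny"),
            "covers_all": policy_covers_all_surfaces(broker),
        }


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the sandboxed side never holds a file handle, clipboard handle or device handle of its own; it only ever holds a verdict from the broker. The audit log is what a tester would fuzz against: every surface in BROKERED_SURFACES should produce a deny for out-of-policy requests, and the coverage check fails the moment someone adds a surface without a handler.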