[HN Gopher] Improved Process Isolation in Firefox 100
___________________________________________________________________

Improved Process Isolation in Firefox 100

Author : jeremiahlee
Score  : 223 points
Date   : 2022-05-12 15:48 UTC (7 hours ago)

(HTM) web link (hacks.mozilla.org)

| gernb wrote:
| Maybe I'll finally be able to consider Firefox as secure as Chrome
| by design instead of just praying. It's been 14 years.
| ComputerGuru wrote:
| It's a real shame that platform native widgets had to be
| sacrificed for this to work. The easy way out was to switch to
| arbitrary app-drawn widgets across all platforms (which Firefox
| did for all basic DOM HTML elements); the "we'll do one better"
| alternative is to use app-drawn _imitations_ of the system-native
| widgets (a la Qt) which Firefox is now doing for the scrollbar.
| But no one ever gets these widgets right (unnatural scrolling,
| non-identical behavior when clicking in the gapped region,
| different scrollable-to-nonscrollable widget ratios, colors not
| respecting certain subtle theming choices, etc., etc.).
|
| I wonder if there was an alternative specifically for the
| scrollbar here - some way of obtaining an outer "shell" (via
| win32k, but then basically "orphaning" it so that you can't do
| anything besides kill it when you're finished) that just provides
| the window with an empty scrollable element that is then
| populated by the restricted process.
|
| That ship has really sailed though; I think the days of native
| widgets are quickly coming to an end.
| chrisseaton wrote:
| The OS should provide a safe API for how to draw native widgets
| and how they behave. Then you can draw your own anywhere.
| kevingadd wrote:
| fwiw, Windows does have an API (called uxtheme, I believe)
| that you can use to draw native widgets.
| ellis0n wrote:
| Process isolation improvement never ends. Firefox 100, FF 1000,
| FF Universe... will be improved and hacked again. Why?
| Dwedit wrote:
| So here we have a feature of Windows 8/10, which prevents the
| system calls of Win32U/Win32K from being called.
|
| When you write a Windows program, you call APIs from User32.dll,
| GDI32.dll, and Kernel32.dll. Those are the user mode libraries,
| and the main entry point to call the Windows API functions.
|
| What's actually inside of those? User32 and GDI32 are pretty much
| stubs. Mostly, they have a small amount of code, then proceed to
| call functions in Win32U.dll. Then Win32U.dll makes system calls,
| causing Win32k (Kernel Mode) to carry out the functions. So
| everything from BeginPaint to GetWindowText is going to be a
| system call that's placed from within Win32U, then handled by
| Win32K.
|
| Meanwhile, Kernel32.dll is a user-mode library (despite the name
| being "kernel32"), which mostly makes calls to NTDLL.dll. Then
| NTDLL makes system calls that get handled by kernel-mode
| components.
|
| The isolation thing that Mozilla is using here does not stop the
| NTDLL system calls that Kernel32.dll uses, just the calls to
| Win32U/Win32K (GDI32.dll and User32.dll). So there needs to be
| other mitigation methods in place for the Kernel32/NTDLL stuff,
| such as reduced user privileges.
| pcwalton wrote:
| This is a bit buried at the bottom, but:
|
| > For Linux users, we removed the connection from content
| processes to the X11 Server, which stops attackers from
| exploiting the unsecured X11 protocol.
|
| It's hard to overstate how much of a benefit this is in terms of
| security for those on Linux. Any application with access to the
| X11 socket effectively has the keys to the kingdom, because it
| can hijack other applications, including those running at higher
| privileges, at will. (There have been halfhearted attempts to
| address this over the years, but nothing that's been effective or
| widely adopted.) The only real solution for desktop app security
| on Linux is to forbid direct access to X11 entirely, and so it's
| a huge deal that Firefox is now able to do this.
|
| In general, doing this sort of thing is a monumental undertaking
| for large applications like Firefox. Kudos to my former
| colleagues for pulling it off.
| throwaway_58291 wrote:
| In the common scenario of a single user, on a single user
| machine, running programs under his uid, the benefit is
| basically zero.
|
| If such a user wants to run untrusted programs, he'd use a
| virtual machine anyway.
|
| So, I think it's very easy to overstate the benefit, and your
| comment did just that.
| enriquto wrote:
| Does this mean that I will no longer be able to ssh -X myvm
| firefox? This is my way of browsing and I feel much safer than
| running it raw.
| Hackbraten wrote:
| That should still work.
|
| They didn't isolate all the Firefox processes from X11. Only
| the content processes are affected, i.e. the processes whose
| attack surface is rather massive.
|
| But the content processes are still going to deliver their
| finished work items to the GPU process for rendering. The GPU
| process retains all the rights it needs, including talking to
| X11.
| pcwalton wrote:
| I don't see why you wouldn't still be able to do that.
| Firefox still uses X11; it's just that the content processes
| can't _directly_ speak the protocol now, and must go over IPC
| to a more trusted process to do so.
| brian_herman wrote:
| Nice job, Firefox team!
| ldng wrote:
| Is that what definitively broke uMatrix?
| rhn_mk1 wrote:
| While uMatrix is somewhat broken (lets things through on some
| "special" refreshes), it's not totally broken. Or am I seeing
| something else?
| ComputerGuru wrote:
| Extremely unlikely, as uMatrix doesn't do any direct systems
| programming.
| whitepoplar wrote:
| What's the state of browser security these days? Does Chrome
| still have a lead over Safari and Firefox?
| jimrandomh wrote:
| Yes, it does, at least if you go by how much money the sketchy
| vulnerability brokers are offering to pay. On
| https://zerodium.com/program.html a Chrome RCE+LPE is "Up to
| $500k", while the other browsers are all less.
| weaksauce wrote:
| https://gs.statcounter.com/browser-market-share
|
| If you believe those numbers... 64% vs 3% market share. Of
| course something that impacts 64% of the internet will be
| more valuable.
| rockdoe wrote:
| Would the majority of the current "desktop" software
| actually being outdated Chromium/Electron/CEF stuff factor
| into this too?
| weaksauce wrote:
| I really doubt it.
| https://www.w3schools.com/browsers/default.asp
|
| That's another sampling of actual web visits, though it
| skews more tech-oriented, of course, so that's going to be
| away from Safari/IE and more toward Firefox and Chrome.
| black_puppydog wrote:
| Ahhh, the breath of fresh air coming from a truly free market
| doing what markets do best: processing information in the
| face of uncertainty to the benefit of all! Don't you feel the
| soft touch of the invisible hand, gently working to raise the
| tide of security for all?
|
| /s
| leoc wrote:
| I guess that that partly reflects its greater market share
| though.
| mlinksva wrote:
| I wonder how those $ amounts are arrived at; I don't see it in
| the FAQ. Maybe a third party study of potential factors and
| prices (quick search, I'm not finding anything promising)?
| Surely market share/adoption is very significant, but
| something else must explain e.g., 2.5x more for Apache RCE
| than Nginx RCE?
| Hackbraten wrote:
| There are several factors that may affect per-app supply
| and demand.
|
| - How expensive is it to discover a new vulnerability in
| a given app? (This may depend on code base maturity but
| also on choice of programming language, its inherent
| memory safety, and supply chain.)
|
| - What privileges does a typical installation of the app
| grant once RCE is achieved?
|
| - How hard is it to write a working exploit for a
| newly-discovered vulnerability, taking into account the
| security architecture that protects the app?
|
| - Given a zero-day exploit, how many times will you have
| the opportunity to use it? How quickly will other parties
| discover it, is the vendor willing to provide patches,
| how long is it going to take, how much do the updates
| cost, and how difficult is it to upgrade the software in
| the field?
|
| - Apps and computers tend to come in packs, and attackers
| love to move laterally. What opportunities would an
| attacker gain from lateral movement after gaining
| persistence in a given system?
|
| - Market share and adoption may be skewed, as attackers
| may be interested in specific targets such as journalists
| or politicians, who may form a specific demographic with
| particular adoption rates, which can differ from those of
| the general population.
| guilhas wrote:
| And that attackers also focus more on the higher market
| share.
|
| Chrome is also not immune; it very recently had a serious flaw
| "actively exploited":
| https://www.bleepingcomputer.com/news/security/google-chrome...
| trasz wrote:
| Does Chrome still require a suid root helper?
| rs_rs_rs_rs_rs wrote:
| It doesn't, and even if it did it would still be a better
| browser than Firefox security-wise. Google poured a lot of
| money into it with really good results.
| rockdoe wrote:
| > It doesn't
|
| It does require one if your system doesn't support user
| namespaces. Some distros used to disable it, but they're
| getting rare these days.
| fulafel wrote:
| A constant stream of newly discovered (but long existing)
| remote code execution vulnerabilities has been the norm for
| years and no quick change in sight. Depending on who you ask,
| catastrophic, or manageable.
| ehsankia wrote:
| Well, looking at this specific feature, I believe Chrome got
| site isolation mid-2018 and enabled it by default mid-2019.
| From what I can tell Firefox got it mid-2021.
|
| I don't know much about the specifics of the implementations,
| but that seems like a significant difference for such a crucial
| security feature, especially post Meltdown/Spectre.
| _wldu wrote:
| I firmly believe that isolation is the future of endpoint
| security and I like experimenting with Mandatory Access Control
| (MAC) on Linux. Tomoyo is my favorite major MAC/LSM in the Linux
| kernel.
|
| If you have a newer kernel (5.13 or greater), you may like to
| experiment with landlock. It's pretty cool and unlike FireJail,
| no suid required. Here's a landlock wrapper for Firefox:
|
| https://github.com/62726164/misc/blob/main/go/landlock/firef...
|
| I'd like to learn more about open source/free Windows and macOS
| MAC tools. If you know of any, please post about your experience
| with them.
|
| Edit: This Windows functionality seems similar to seccomp and
| pledge: https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-...
| ThePowerOfFuet wrote:
| I believe so too, and Qubes has been a refreshing change along
| those lines since I started using it. It's not for everyone,
| but I highly recommend it.
| lewantmontreal wrote:
| Wow, that looks cool. I really want to install apps without
| entrusting my entire hard drive to them.
| chrisseaton wrote:
| > I really want to install apps without entrusting my entire
| hard drive to them.
|
| This is what macOS enforces - apps live within their
| containers.
| rockdoe wrote:
| Unix applications run as a user, so it's not like they have
| that permission. Looking at that profile, it restricts write
| access to the home directory to only the Firefox profile and
| some config files.
|
| I guess that makes sense, but you'd have to be aware of it
| when uploading and downloading stuff (it would only work from
| a specific designated folder).
| kaba0 wrote:
| And where are all the valuable files stored, like family
| pictures, other browsers' cache, ssh keys etc.? In the same
| user's home dir, so in practice most desktop apps do have
| uncontrolled access to everything on the hard drive as per
| the now quite old xkcd comic (https://xkcd.com/1200/).
|
| Ideally, a "shadow" Download folder would be accessible to
| the process, and its content would be mirrored one-way into
| the real Downloads folder. Upload should display a file
| chooser dialog which runs in an entirely different process,
| and the chosen files should be in effect copied to the
| process's file handles list.
| _wldu wrote:
| Thank you! And, yes, I agree. I don't want Firefox or Chrome
| reading ~/.ssh or ~/.gnupg or any other directories in my
| home that it has no business reading.
|
| Maybe one day we'll have web browsers that don't have any C
| code. Nothing against C. It's a great systems language, but
| I'd rather my web browser not use it.
|
| Browsing the web is probably the most dangerous thing the
| average computer user does.
| rockdoe wrote:
| > I don't want Firefox or Chrome reading ~/.ssh or ~/.gnupg
| or any other directories in my home that it has no business
| reading.
|
| Both browsers already do this for the processes that are
| exposed to the internet. The software shown here
| additionally does it for the entire browser (with the
| caveat wrt uploading/downloading that I explained, and
| maybe some more gotchas that aren't immediately obvious).
|
| (You may understand this nuance, but I wanted to point it
| out, as it's literally what the browser sandboxes do.)
___________________________________________________________________
(page generated 2022-05-12 23:00 UTC)
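An added check (not from the thread or from Mozilla) for the X11 point raised by pcwalton and Hackbraten above: the client end of a Unix stream socket carries no path, so the code pairs each socket in `ss -xp` output with its peer inode to find the processes connected to the X server's socket, then flags any Firefox content process among them, while the parent and GPU processes are expected to remain X11 clients. It assumes the `ss -xp` column layout shown in the constructed sample and that a Firefox child's last command-line argument names its process type (`tab`, `gpu`, ...); the process names, PIDs and inodes in the sample are made up.

```python
import re

# X server socket address (abstract "@" or path) and ss's users:(("comm",pid=N,fd=M)) owner entries.
X11_SOCKET_RE = re.compile(r"^@?/tmp/\.X11-unix/X\d+$")
OWNER_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=(\d+)\)')

def x11_clients(ss_text):
    """(comm, pid, fd) of every process holding the client end of an X11 connection."""
    socks = {}  # local inode -> (bound path, peer inode, owners) per Unix stream socket
    for line in ss_text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0] == "u_str":  # skip the header and non-stream rows
            owners = [(c, int(p), int(fd)) for c, p, fd in OWNER_RE.findall(line)]
            socks[int(f[5])] = (f[4], int(f[7]), owners)
    # A client end is unnamed ("*"), so the X11 path has to be read off its peer.
    return sorted(o for _, peer, owners in socks.values() for o in owners
                  if X11_SOCKET_RE.match(socks.get(peer, ("",))[0]))

def firefox_process_types(ps_text):
    """pid -> 'parent' or the child type (last argv word) from `ps -eo pid=,args=` output."""
    types = {}
    for line in ps_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].endswith("/firefox"):
            types[int(parts[0])] = parts[-1] if "-contentproc" in parts else "parent"
    return types

def content_x11_violations(ss_text, ps_text):
    """PIDs of Firefox content ('tab') processes that still speak X11 directly."""
    types = firefox_process_types(ps_text)
    return sorted({pid for _, pid, _ in x11_clients(ss_text) if types.get(pid) == "tab"})

# Constructed sample: Xorg (812) serves the parent (4021), a content process
# (4102) and the GPU process (4150); 4021<->4102 is plain IPC, not X11.
SAMPLE_SS = """\
Netid State Recv-Q Send-Q     Local Address:Port    Peer Address:Port Process
u_str ESTAB 0      0    @/tmp/.X11-unix/X0 21234            * 21235 users:(("Xorg",pid=812,fd=23))
u_str ESTAB 0      0                     * 21235            * 21234 users:(("firefox",pid=4021,fd=11))
u_str ESTAB 0      0    @/tmp/.X11-unix/X0 21300            * 21301 users:(("Xorg",pid=812,fd=24))
u_str ESTAB 0      0                     * 21301            * 21300 users:(("Isolated Web Co",pid=4102,fd=9))
u_str ESTAB 0      0    @/tmp/.X11-unix/X0 21310            * 21311 users:(("Xorg",pid=812,fd=25))
u_str ESTAB 0      0                     * 21311            * 21310 users:(("firefox",pid=4150,fd=13))
u_str ESTAB 0      0                     * 21400            * 21401 users:(("firefox",pid=4021,fd=30))
u_str ESTAB 0      0                     * 21401            * 21400 users:(("Isolated Web Co",pid=4102,fd=5))
"""
SAMPLE_PS = """\
 4021 /usr/lib/firefox/firefox
 4102 /usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser 4021 true tab
 4150 /usr/lib/firefox/firefox -contentproc -childID 4 4021 true gpu
"""
```

Feed it live `ss -xp` and `ps -eo pid=,args=` output; `ss` only reports owners for processes you are allowed to inspect, and a Wayland session will show no X11 clients at all.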