[HN Gopher] Improved Process Isolation in Firefox 100
___________________________________________________________________
Improved Process Isolation in Firefox 100
Author : jeremiahlee
Score : 223 points
Date : 2022-05-12 15:48 UTC (7 hours ago)
(HTM) web link (hacks.mozilla.org)
(TXT) w3m dump (hacks.mozilla.org)
| gernb wrote:
| Maybe I'll finally be able to consider Firefox as secure as Chrome
| by design instead of just praying. It's been 14 years.
| ComputerGuru wrote:
| It's a real shame that platform native widgets had to be
| sacrificed for this to work. The easy way out was to switch to
| arbitrary app-drawn widgets across all platforms (which Firefox
| did for all basic DOM HTML elements); the "we'll do one better"
| alternative is to use app-drawn _imitations_ of the system-native
| widgets (a la Qt) which Firefox is now doing for the scrollbar.
| But no one ever gets these widgets right (unnatural scrolling,
| non-identical behavior when clicking in the gapped region,
| different scrollable-to-nonscrollable widget ratios, colors not
| respecting certain subtle theming choices, etc., etc.).
|
| I wonder if there was an alternative specifically for the
| scrollbar here - some way of obtaining an outer "shell" (via
| win32k, but then basically "orphaning" it so that you can't do
| anything besides kill it when you're finished) that just provides
| the window with an empty scrollable element that is then
| populated by the restricted process.
|
| That ship has really sailed though; I think the days of native
| widgets are quickly coming to an end.
| chrisseaton wrote:
| The OS should provide a safe API for how to draw native widgets
| and how they behave. Then you can draw your own anywhere.
| kevingadd wrote:
| fwiw, Windows does have an API (called uxtheme, I believe)
| that you can use to draw native widgets.
| ellis0n wrote:
| Process isolation improvement never ends. Firefox 100, FF 1000,
| FF Universe... will be improved and hacked again. Why?
| Dwedit wrote:
| So here we have a feature of Windows 8/10, which prevents the
| system calls of Win32U/Win32K from being called.
|
| When you write a Windows program, you call APIs from User32.dll,
| GDI32.dll, and Kernel32.dll. Those are the user mode libraries,
| and the main entry point to call the Windows API functions.
|
| What's actually inside of those? User32 and GDI32 are pretty much
| stubs. Mostly, they have a small amount of code, then proceed to
| call functions in Win32U.dll. Then Win32U.dll makes system calls,
| causing Win32k (Kernel Mode) to carry out the functions. So
| everything from BeginPaint to GetWindowText is going to be a
| system call that's placed from within Win32U, then handled by
| Win32K.
|
| Meanwhile, Kernel32.dll is a user-mode library (despite the name
| being "kernel32"), which mostly makes calls to NTDLL.dll. Then
| NTDLL makes system calls that get handled by kernel-mode
| components.
|
| The isolation thing that Mozilla is using here does not stop the
| NTDLL system calls that Kernel32.dll uses, just the calls to
| Win32U/Win32K (GDI32.dll and User32.dll). So there needs to be
| other mitigation methods in place for the Kernel32/NTDLL stuff,
| such as reduced user privileges.
| pcwalton wrote:
| This is a bit buried at the bottom, but:
|
| > For Linux users, we removed the connection from content
| processes to the X11 Server, which stops attackers from
| exploiting the unsecured X11 protocol.
|
| It's hard to overstate how much of a benefit this is in terms of
| security for those on Linux. Any application with access to the
| X11 socket effectively has the keys to the kingdom, because it
| can hijack other applications, including those running at higher
| privileges, at will. (There have been halfhearted attempts to
| address this over the years, but nothing that's been effective or
| widely adopted.) The only real solution for desktop app security
| on Linux is to forbid direct access to X11 entirely, and so it's
| a huge deal that Firefox is now able to do this.
|
| In general, doing this sort of thing is a monumental undertaking
| for large applications like Firefox. Kudos to my former
| colleagues for pulling it off.
| throwaway_58291 wrote:
| In the common scenario of a single user, on a single user
| machine, running programs under his uid, the benefit is
| basically zero.
|
| If such a user wants to run untrusted programs, he'd use a
| virtual machine anyway.
|
| So, I think it's very easy to overstate the benefit, and your
| comment did just that.
| enriquto wrote:
| Does this mean that I will no longer be able to ssh -X myvm
| firefox? This is my way of browsing and I feel much safer than
| running it raw.
| Hackbraten wrote:
| That should still work.
|
| They didn't isolate all the Firefox processes from X11. Only
| the content processes are affected, i.e. the processes whose
| attack surface is rather massive.
|
| But the content processes are still going to deliver their
| finished work items to the GPU process for rendering. The GPU
| process retains all the rights it needs, including talking to
| X11.
| pcwalton wrote:
| I don't see why you wouldn't still be able to do that.
| Firefox still uses X11; it's just that the content processes
| can't _directly_ speak the protocol now, and must go over IPC
| to a more trusted process to do so.
| brian_herman wrote:
| Nice job, Firefox team!
| [deleted]
| SemanticStrengh wrote:
| [deleted]
| ldng wrote:
| Is that what definitively broke uMatrix ?
| rhn_mk1 wrote:
| While uMatrix is somewhat broken (lets things through on some
| "special" refreshes), it's not totally broken. Or am I seeing
| something else?
| ComputerGuru wrote:
| Extremely unlikely, as uMatrix doesn't do any direct systems
| programming.
| whitepoplar wrote:
| What's the state of browser security these days? Does Chrome
| still have a lead over Safari and Firefox?
| jimrandomh wrote:
| Yes, it does, at least if you go by how much money the sketchy
| vulnerability brokers are offering to pay. On
| https://zerodium.com/program.html a Chrome RCE+LPE is "Up to
| $500k", while the other browsers are all less.
| weaksauce wrote:
| https://gs.statcounter.com/browser-market-share
|
| If you believe those numbers... 64% vs 3% market share. Of
| course something that impacts 64% of the internet will be
| more valuable.
| rockdoe wrote:
| Would the majority of the current "desktop" software
| actually being outdated Chromium/Electron/CEF stuff factor
| into this too?
| weaksauce wrote:
| I really doubt it.
| https://www.w3schools.com/browsers/default.asp
|
| That's another sampling of actual web visits, though it
| skews more tech oriented of course, so that's going to be
| away from Safari/IE and more toward Firefox and Chrome.
| black_puppydog wrote:
| Ahhh, the breath of fresh air coming from a truly free market
| doing what markets do best: processing information in the
| face of uncertainty to the benefit of all! Don't you feel the
| soft touch of the invisible hand, gently working to raise the
| tide of security for all?
|
| /s
| leoc wrote:
| I guess that that partly reflects its greater market share
| though.
| mlinksva wrote:
| I wonder how those $ amounts are arrived at; I don't see it in
| the FAQ. Maybe a third party study of potential factors and
| prices (a quick search isn't finding anything promising)?
| Surely market share/adoption is very significant, but
| something else must explain e.g., 2.5x more for Apache RCE
| than Nginx RCE?
| Hackbraten wrote:
| There are several factors that may affect per-app supply
| and demand.
|
| - How expensive is it to discover a new vulnerability in
| a given app? (This may depend on code base maturity but
| also on choice of programming language, its inherent
| memory safety, and supply chain.)
|
| - What privileges does a typical installation of the app
| grant once RCE is achieved?
|
| - How hard is it to write a working exploit for a newly
| discovered vulnerability, taking into account the
| security architecture that protects the app?
|
| - Given a zero-day exploit, how many times will you have
| the opportunity to use it? How quickly will other parties
| discover it, is the vendor willing to provide patches,
| how long is it going to take, how much do the updates
| cost, and how difficult is it to upgrade the software in
| the field?
|
| - Apps and computers tend to come in packs, and attackers
| love to move laterally. What opportunities would an
| attacker gain from lateral movement after gaining
| persistence in a given system?
|
| - Market share and adoption may be skewed, as attackers
| may be interested in specific targets such as journalists
| or politicians, who may form a specific demographic with
| particular adoption rates, which can differ from those of
| the general population.
| guilhas wrote:
| And that attackers also focus more on the higher market
| share.
|
| Chrome is also not immune; it very recently had a serious flaw
| "actively exploited":
| https://www.bleepingcomputer.com/news/security/google-
| chrome...
| trasz wrote:
| Does Chrome still require a suid root helper?
| rs_rs_rs_rs_rs wrote:
| It doesn't and even if it did it would still be a better
| browser than Firefox security-wise. Google poured a lot of
| money into it with really good results.
| rockdoe wrote:
| >It doesn't
|
| It does require one if your system doesn't support user
| namespaces. Some distros used to disable it, but they're
| getting rare these days.
| fulafel wrote:
| A constant stream of newly discovered (but long existing)
| remote code execution vulnerabilities has been the norm for
| years and no quick change in sight. Depending on who you ask,
| catastrophic, or manageable.
| ehsankia wrote:
| Well, looking at this specific feature, I believe Chrome got
| site isolation mid-2018 and enabled it by default mid-2019.
| From what I can tell Firefox got it mid-2021.
|
| I don't know much about the specifics of the implementations,
| but that seems like a significant difference for such a crucial
| security feature, especially post Meltdown/Spectre.
| _wldu wrote:
| I firmly believe that isolation is the future of endpoint
| security and I like experimenting with Mandatory Access Control
| (MAC) on Linux. Tomoyo is my favorite major MAC/LSM in the Linux
| kernel.
|
| If you have a newer kernel (5.13 or greater), you may like to
| experiment with Landlock. It's pretty cool and, unlike Firejail,
| no suid is required. Here's a Landlock wrapper for Firefox:
|
| https://github.com/62726164/misc/blob/main/go/landlock/firef...
|
| I'd like to learn more about open source/free Windows and macOS
| MAC tools. If you know of any, please post about your experience
| with them.
|
| Edit: This Windows functionality seems similar to seccomp and
| pledge: https://docs.microsoft.com/en-
| us/windows/win32/api/winnt/ns-...
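The Landlock wrapper linked above is not reproduced here; the following is an added example in the same spirit, not that project's code or Mozilla's. It restricts the calling process to read/execute access on a few system trees and read-write access on one directory (the Firefox profile in the wrapper's case), then execs the target program, and it includes a fork-based probe that shows the policy denying a write. It assumes Linux 5.13 or later and copies the uapi structs and syscall numbers (444-446, identical on every architecture) locally so it builds against older headers; the path list in main() and the `/tmp` probe file are assumptions for illustration.

```c
/* Added example, not the linked wrapper: Landlock self-sandbox. Linux >= 5.13. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SYS_landlock_create_ruleset
#define SYS_landlock_create_ruleset 444
#define SYS_landlock_add_rule       445
#define SYS_landlock_restrict_self  446
#endif
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
#define LL_RULE_PATH_BENEATH      1
#define LL_CREATE_RULESET_VERSION (1U << 0)
/* One bit per filesystem right: 0-12 since ABI 1, REFER (13) ABI 2, TRUNCATE (14) ABI 3. */
#define LL_FS_EXECUTE     (1ULL << 0)
#define LL_FS_WRITE_FILE  (1ULL << 1)
#define LL_FS_READ_FILE   (1ULL << 2)
#define LL_FS_READ_DIR    (1ULL << 3)
#define LL_FS_REMOVE_DIR  (1ULL << 4)
#define LL_FS_REMOVE_FILE (1ULL << 5)
#define LL_FS_MAKE_DIR    (1ULL << 7)
#define LL_FS_MAKE_REG    (1ULL << 8)
#define LL_FS_MAKE_SYM    (1ULL << 12)
#define LL_FS_REFER       (1ULL << 13)
#define LL_FS_TRUNCATE    (1ULL << 14)
#define LL_RO (LL_FS_EXECUTE | LL_FS_READ_FILE | LL_FS_READ_DIR)
#define LL_RW (LL_RO | LL_FS_WRITE_FILE | LL_FS_REMOVE_DIR | LL_FS_REMOVE_FILE | \
               LL_FS_MAKE_DIR | LL_FS_MAKE_REG | LL_FS_MAKE_SYM | LL_FS_TRUNCATE)

/* Landlock ABI version the running kernel supports (>= 1), or -errno. */
int landlock_abi_version(void) {
    long r = syscall(SYS_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    return r < 0 ? -errno : (int)r;
}

/* Rights the ruleset will enforce. Naming a right the kernel does not know
 * makes landlock_create_ruleset fail with EINVAL, so the mask follows the ABI. */
uint64_t handled_fs_access(int abi) {
    uint64_t m = (1ULL << 13) - 1;
    if (abi >= 2) m |= LL_FS_REFER;
    if (abi >= 3) m |= LL_FS_TRUNCATE;
    return m;
}

static int add_path_rule(int ruleset_fd, const char *path, uint64_t access) {
    struct ll_path_beneath_attr pb = { .allowed_access = access };
    pb.parent_fd = open(path, O_PATH | O_CLOEXEC);
    if (pb.parent_fd < 0) return errno == ENOENT ? 0 : -errno; /* absent tree: nothing to allow */
    int err = syscall(SYS_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &pb, 0) ? -errno : 0;
    close(pb.parent_fd);
    return err;
}

/* Restrict the calling process: ro[] trees become read/execute-only, rw[] trees
 * read-write, everything else is denied. The policy is inherited across fork and exec. */
int landlock_restrict(const char *const ro[], size_t nro, const char *const rw[], size_t nrw) {
    int abi = landlock_abi_version();
    if (abi < 0) return abi;
    struct ll_ruleset_attr attr = { .handled_access_fs = handled_fs_access(abi) };
    int fd = (int)syscall(SYS_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (fd < 0) return -errno;
    int err = 0;
    for (size_t i = 0; i < nro && !err; i++) err = add_path_rule(fd, ro[i], LL_RO & attr.handled_access_fs);
    for (size_t i = 0; i < nrw && !err; i++) err = add_path_rule(fd, rw[i], LL_RW & attr.handled_access_fs);
    /* Mandatory unless the caller holds CAP_SYS_ADMIN; this is also what keeps a setuid exec from escaping. */
    if (!err && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) err = -errno;
    if (!err && syscall(SYS_landlock_restrict_self, fd, 0)) err = -errno;
    close(fd);
    return err;
}

/* Fork, apply a read-only policy in the child, and try to create probe_path there.
 * Returns the child's open() errno (0 = allowed, EACCES = denied by Landlock),
 * or -errno if the sandbox could not be set up (e.g. -ENOSYS on an old kernel). */
int probe_write_denied(const char *const ro[], size_t nro, const char *probe_path) {
    pid_t pid = fork();
    if (pid < 0) return -errno;
    if (pid == 0) {
        int err = landlock_restrict(ro, nro, NULL, 0);
        if (err) _exit(128 + (-err));
        int fd = open(probe_path, O_WRONLY | O_CREAT | O_CLOEXEC, 0600);
        if (fd >= 0) { close(fd); unlink(probe_path); _exit(0); }
        _exit(errno);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -ECHILD;
    int code = WEXITSTATUS(status);
    return code >= 128 ? -(code - 128) : code;
}

int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s RW_DIR COMMAND [ARGS...]\n", argv[0]); return 2; }
    /* Assumed allow-list for illustration; a real profile needs /tmp, /dev/shm, fonts, etc. */
    const char *const ro[] = { "/usr", "/etc", "/lib", "/lib64", "/bin", "/proc", "/dev" };
    const char *const rw[] = { argv[1] };
    int err = landlock_restrict(ro, 7, rw, 1);
    if (err) { fprintf(stderr, "landlock: %s\n", strerror(-err)); return 1; }
    execvp(argv[2], argv + 2);                    /* the restriction survives exec */
    perror("execvp");
    return 1;
}
```

Run as `./wrapper ~/.mozilla firefox` to get the effect the comment describes: the browser can still read system libraries and write its profile, but ~/.ssh and ~/.gnupg are outside every rule and therefore denied, with no suid helper involved. The probe function is the check a practitioner wants before trusting the policy: a kernel that lacks Landlock, or a container seccomp filter that blocks it, returns an error rather than silently leaving the process unrestricted.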
| ThePowerOfFuet wrote:
| I believe so too, and Qubes has been a refreshing change along
| those lines since I started using it. It's not for everyone,
| but I highly recommend it.
| lewantmontreal wrote:
| Wow that looks cool. I really want to install apps without
| entrusting my entire hard drive to them.
| chrisseaton wrote:
| > I really want to install apps without entrusting my entire
| hard drive to them.
|
| This is what macOS enforces - apps live within their
| containers.
| rockdoe wrote:
| Unix applications run as a user, so it's not like they have
| that permission. Looking at that profile, it restricts write
| access to the home directory to only the Firefox profile and
| some config files.
|
| I guess that makes sense, but you'd have to be aware of it
| when uploading and downloading stuff (it would only work from
| a specific designated folder).
| kaba0 wrote:
| And where are all the valuable files stored, like family
| pictures, other browsers' cache, ssh keys etc.? In the same
| user's home dir, so in practice most desktop apps do have
| uncontrolled access to everything on the hard drive as per
| the now quite old xkcd comic ( https://xkcd.com/1200/ ).
|
| Ideally, a "shadow" Download folder would be accessible to
| the process, and its content would be mirrored one-way into
| the real Downloads folder. Upload should display a file
| chooser dialog which runs in an entirely different process,
| and the chosen files should be in effect copied to the
| process's file handles list.
| _wldu wrote:
| Thank you! And, yes, I agree. I don't want Firefox or Chrome
| reading ~/.ssh or ~/.gnupg or any other directories in my
| home that it has no business reading.
|
| Maybe one day we'll have web browsers that don't have any C
| code. Nothing against C. It's a great systems language, but
| I'd rather my web browser not use it.
|
| Browsing the web is probably the most dangerous thing the
| average computer user does.
| rockdoe wrote:
| >I don't want FireFox or Chrome reading ~/.ssh or ~/.gnupg
| or any other directories in my home that it has no business
| reading.
|
| Both browsers already do this for the processes that are
| exposed to the internet. The software shown here
| additionally does it for the entire browser (with the
| caveat wrt uploading/downloading that I explained, and
| maybe some more gotchas that aren't immediately obvious).
|
| (You may understand this nuance, but I wanted to point it
| out, as it's literally what the browser sandboxes do)
___________________________________________________________________
(page generated 2022-05-12 23:00 UTC)