Skip to content

Top Best Ask Show New Jobs

Improved Process Isolation in Firefox 100 (opens in new tab)

(hacks.mozilla.org)

358 pointsjeremiahlee4y ago126 comments

126 comments

62 comments · 11 top-level

pcwalton4y ago· 19 in thread

This is a bit buried at the bottom, but:

> For Linux users, we removed the connection from content processes to the X11 Server, which stops attackers from exploiting the unsecured X11 protocol.

It's hard to overstate how much of a benefit this is in terms of security for those on Linux. Any application with access to the X11 socket effectively has the keys to the kingdom, because it can hijack other applications, including those running at higher privileges, at will. (There have been halfhearted attempts to address this over the years, but nothing that's been effective or widely adopted.) The only real solution for desktop app security on Linux is to forbid direct access to X11 entirely, and so it's a huge deal that Firefox is now able to do this.

In general, doing this sort of thing is a monumental undertaking for large applications like Firefox. Kudos to my former colleagues for pulling it off.

trashface4y ago

This seems like it could make Firefox one of the most secure linux desktop applications?

For instance, if you are typing $SensitiveMessage, you would be far better off doing that in a firefox 100 textedit box in a browser tab, rather than an xterm, or emacs, or your desktop environments preferred text editor, or anything else.

I currently use "secure keyboard" in xterm but I know that has problems.

I'm pretty sure that there's nothing preventing other apps on your desktop from listening to keystrokes that are supposed to go into Firefox, unfortunately. This is a fundamental problem with the X11 protocol and as far as I know the only real solution is to switch to Wayland.

michaelmrose4y ago

None of those other apps are constantly running code written by millions of different people many of which are actively attacking you possibly right now in one tab while you are typing in the other.

It has to make a Herculean effort because it is by far the worst possible app to be typing $SensitiveMessage in.

At least Kate or gedit probably doesn't have a second tab open running a JavaScript subprocess which is presently trying to attack you so it can cryptolocker you or empty your wallet.

ReactiveJelly4y ago

Yeah the keystrokes still have to go to some trusted process at the top that doesn't run untrusted code.

So it's only more secure if you think emacs / xterm / your text editor is real likely to be compromised

Seirdy4y ago

Chromium and dreivatives had this for years. Firefox's isolation is making progress, but it has a ways to go before it matches Chromium.

FF devs are finalizing a utility process overhaul and laying the groundwork for CFI; for years, Chromium has had both with a much more thorough implementation than FF will in the near future. However, the browser space desperately needs competition so I'll take what I can get. Sigh.

But how do they prevent an attacker from simply opening his own connection? They can just look up the keys in the other processes.

The syscalls necessary to do so are blocked by seccomp-bpf.

scratcheee4y ago

The isolated content processes shouldn't have access to the other processes memory. There might be shared memory regions, but it seems unlikely they'd store the keys to the kingdom in shared memory.

Does this mean that I will no longer be able to ssh -X myvm firefox ? This is my way of browsing and I feel much safer than running it raw.

Hackbraten4y ago

That should still work.

They didn’t isolate all the Firefox processes from X11. Only the content processes are affected, i.e. the processes whose attack surface is rather massive.

But the content processes are still going to deliver their finished work items to the GPU process for rendering. The GPU process retains all the rights it needs, including talking to X11.

I don't see why you wouldn't still be able to do that. Firefox still uses X11; it's just that the content processes can't directly speak the protocol now, and must go over IPC to a more trusted process to do so.

heavyset_go4y ago

Any reason you're using SSH X forwarding over something like Xpra? It also works over SSH, but lets apps persist even if the SSH connection is broken for whatever reason.

You can even run Firefox via Wayland and forward a persistent XWayland session if that's your cup of tea.

Is this why my Firefox window went black randomly for a few seconds today?

Caspy74y ago

In my experience, most of the time black drawing like that is associated with GPU driver issues.

throwaway_582914y ago

In the common scenario of a single user, on a single user machine, running programs under his uid, the benefit is basically zero.

If such a user wants to run untrusted programs, he'd use a virtual machine anyway.

So, I think it's very easy to overstate the benefit, and your comment did just that.

Scenario: evil.com wants to take advantage of a use-after-free in some DOM API to install a keylogger.

Before X11 isolation, it can: (1) get RCE in content process; (2) send events to your GNOME Shell to open a terminal; (3) send keyboard events to the terminal to download the keylogger, start it, and add it to some config file that makes it start automatically on future logins.

After X11 isolation, it will: (1) get RCE in content process; (2) get stopped because it can't send keyboard/mouse events to other applications anymore.

Wat

I don't think you actually understand what's going on here.

The untrusted programs in this case would be javascript and other exploitable things that firefox interprets every time you visit a webpage. Unless you run firefox itself under a different UID or inside of a VM you are effected by this, regardless of whether you are running other "untrusted" software or not.

Maybe you are thinking that using X11 as an attack vector requires a "bad" program running in addition to firefox? If so, that is not the case, any program that is running on X11 that can execute commands or read and write files could be used for this purpose. A terminal emulator is a pretty good example of such a program.

Well, end user, all your files may be held for crypto ransom, but at least the machine is untouched! Very High Security!

>If such a user wants to run untrusted programs, he'd use a virtual machine anyway.

In your imaginary world. Real users don't know what a VM is and expect their system to be able to run untrusted programs without exposing all of their data. Which they are able to do on most modern systems.

whitepoplar4y ago· 12 in thread

What's the state of browser security these days? Does Chrome still have a lead over Safari and Firefox?

jimrandomh4y ago

Yes, it does, at least if you go by how much money the sketchy vulnerability brokers are offering to pay. On https://zerodium.com/program.html a Chrome RCE+LPE is "Up to $500k", while the other browsers are all less.

weaksauce4y ago

https://gs.statcounter.com/browser-market-share

if you believe those numbers... 64% vs 3% market share. of course something that impacts 64% of the internet will be more valuable.

leoc4y ago

I guess that that partly reflects its greater market share though.

black_puppydog4y ago

Ahhh, the breath of fresh air coming from a truly free market doing what markets do best: processing information in the face of uncertainty to the benefit of all! Don't you feel the soft touch of the invisible hand, gently working to raise the tide of security for all?

/s

A constant stream of newly discovered (but long existing) remote code execution vulnerabilities has been the norm for years and no quick change in sight. Depending on who you ask, catastrophic, or manageable.

staticassertion4y ago

Practically speaking there's probably not a ton of difference. ITW exploits are pretty uncommon for both, and they're typically somewhat targeted. I haven't paid attention in years for this reason, but I'd guess that Chrome is ahead - mitigation techniques like site isolation are quickly improving in it and were adopted earlier as well.

In general my recollection is that Chrome splits up more of its components. It sounds like, based on this post, the gpu process is now separated and there's sandboxing efforts going into that, but I'm pretty sure Chrome has had that for years now.

Firefox has also had this for over 5 years: https://www.mozilla.org/en-US/firefox/53.0a2/releasenotes/

The current mitigations seem to be doubling-down on getting rid of C++ memory safety errors (still the main source of security holes), with Mozilla pulling the Rust and WebAssembly card. So there's some divergence here, rather than parallel paths with one ahead.

trasz4y ago

Does Chrome still require a suid root helper?

rs_rs_rs_rs_rs4y ago

It doesn't and even if it did it would still be a better browser than Firefox security-wise. Google poured a lot of money into it with really good results.

Well looking at this specific feature, I believe chrome got site isolation mid-2018 and enabled it by default mid-2019. From what I can tell Firefox got it mid-2021.

I don't know much about the specifics of the implementations, but that seems like a significant difference for such a crucial security feature, especially post meltdown/spectre.

evmar4y ago

The kind of isolation in the post, where the web content doesn't have access to system resources, was part of the original Chrome release.

(You mentioned site isolation, which is a different feature, but the dates you have look right for that.)

codethief4y ago

Related discussion: https://news.ycombinator.com/item?id=31363974

_wldu4y ago· 7 in thread

I firmly believe that isolation is the future of endpoint security and I like experimenting with Mandatory Access Control (MAC) on Linux. Tomoyo is my favorite major MAC/LSM in the Linux kernel.

If you have a newer kernel (5.13 or greater), you may like to experiment with landlock. It's pretty cool and unlike FireJail, no suid required. Here's a landlock wrapper for Firefox:

https://github.com/62726164/misc/blob/main/go/landlock/firef...

I'd like to learn more about open source/free Windows and MacOS MAC tools. If you know of any, please post about your experience with them.

Edit: This Windows functionality seems similar to seccomp and pledge: https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-...

ThePowerOfFuet4y ago

I believe so too, and Qubes has been a refreshing change along those lines since I started using it. It's not for everyone, but I highly recommend it.

lewantmontreal4y ago

Wow that looks cool. I really want to install apps without entrusting my entire hard drive to them.

_wldu4y ago

Thank you! And, yes, I agree. I don't want FireFox or Chrome reading ~/.ssh or ~/.gnupg or any other directories in my home that it has no business reading.

Maybe one day we'll have web browsers that don't have any C code. Nothing against C. It's a great systems language, but I'd rather my web browser not use it.

Browsing the web is probably the most dangerous thing the average computer user does.

Flatpak does exactly that. You can even fine-tune what folders you give to the app (Flatseal is great for this). xdg-desktop-portal makes things even better: app can only access files that you explicitly choose when prompted - kinda like on iOS.

Unix applications run as a user, so it's not like they have that permission. Looking at that profile, it restricts write access to the home directory to only the Firefox profile and some config files.

I guess that makes sense, but you'd have to be aware of it when uploading and downloading stuff (it would only work from a specific designated folder).

chrisseaton4y ago

> I really want to install apps without entrusting my entire hard drive to them.

This is what macOS enforces - apps live within their containers.

SuperSandro20004y ago

Why is this a go program instead of 10 lines of bash?

ldng4y ago· 6 in thread

Is that what definitively broke uMatrix ?

ComputerGuru4y ago

Extremely unlikely, as uMatrix doesn't do any direct systems programming.

While uMatrix is somewhat broken (lets things through on some "special" refreshes), it's not totally broken. Or am I seeing something else?

computerfriend4y ago

What about uMatrix is broken?

ldng4y ago

It now shows as deactivated by default on every new page

pabs34y ago

uMatrix is unmaintained, I wonder if there is a replacement for it...

ldng4y ago

Not any as efficient that I'm aware of (happy to be proven wrong)

ComputerGuru4y ago· 3 in thread

It's a real shame that platform native widgets had to be sacrificed for this to work. The easy way out was to switch to arbitrary app-drawn widgets across all platforms (which Firefox did for all basic DOM HTML elements); the "we'll do one better" alternative is to use app-drawn imitations of the system-native widgets (a la Qt) which Firefox is now doing for the scrollbar. But no one ever gets these widgets right (unnatural scrolling, non-identical behavior when clicking in the gapped region, different scrollable-to-nonscrollable widget ratios, colors not respecting certain subtle theming choices, etc, etc.

I wonder if there was an alternative specifically for the scrollbar here - some way of obtaining an outer "shell" (via win32k, but then basically "orphaning" it so that you can't do anything besides kill it when you're finished) that just provides the window with an empty scrollable element that is then populated by the restricted process.

That ship has really sailed though; I think the days of native widgets are quickly coming to an end.

chrisseaton4y ago

The OS should provide a safe API for how to draw native widgets and how they behave. Then you can draw your own anywhere.

There already is a safe API with Wayland + some sandboxing layer. Problem is for the longest time the Nvidia drivers didn't work with Wayland. They now do so the reasons to use X11 become vanishingly small.

kevingadd4y ago

fwiw, Windows does have an API (called uxtheme, I believe) that you can use to draw native widgets.

Dwedit4y ago· 2 in thread

So here we have a feature of Windows 8/10, which prevents the system calls of Win32U/Win32K from being called.

When you write a Windows program, you call APIs from User32.dll, GDI32.dll, and Kernel32.dll. Those are the user mode libraries, and the main entry point to call the Windows API functions.

What's actually inside of those? User32 and GDI32 are pretty much stubs. Mostly, they have a small amount of code, then proceed to call functions in Win32U.dll. Then Win32U.dll makes system calls, causing Win32k (Kernel Mode) to carry out the functions. So everything from BeginPaint to GetWindowText is going to be a system call that's placed from within Win32U, then handled by Win32K.

Meanwhile, Kernel32.dll is a user-mode library (despite the name being "kernel32"), which mostly makes calls to NTDLL.dll. Then NTDLL makes system calls that get handled by kernel-mode components.

The isolation thing that Mozilla is using here does not stop the NTDLL system calls that Kernel32.dll uses, just the calls to Win32U/Win32K (GDI32.dll and User32.dll). So there needs to be other mitigation methods in place for the Kernel32/NTDLL stuff, such as reduced user privileges.

But preventing all the Win32U/Win32K stuff from being called does greatly reduce the attack surface.

Just to be clear: a ton of kernel32 stuff was already locked down prior to win32k being shut off. (I used to work on the author’s team)

Dwedit4y ago

How does the Kernel32 lock-down stuff work?

I can think of several things you could do to Kernel32 to try to lock it down:

* Patch out all the entry points of Kernel32 you don't want to be used. Then patch out their corresponding entry points out of NTDLL. Then remove the code that invokes the system calls inside of NTDLL. Yes, you can just simply overwrite user mode code willy-nilly as long as you have write access to the process memory.

(Regular programs use the entry points. Someone trying to do something fancy might skip the entry points. If your hackers are using things like ROP chains and gadgets, chances are they don't care about entry points.)

* Create some kind of NT security context so that nothing interesting works anymore. I don't know how this works, but many NT functions want a security context passed in.

* When you are executing code, and you have no idea where Kernel32 is, you can read the module list out of the TEB, and that finds you Kernel32 and NTDLL. Maybe something that could thwart that, but not break code.

In the end though, what could stop the process from attempting to SYSENTER from somewhere besides NTDLL?

gernb4y ago· 2 in thread

Maybe I'll finally be able to consider Firefox secure as Chrome by design instead of just praying. It's been a 14 years

aaaaaaaaata4y ago

You've got years more to wait, I'm afraid.

notriddle4y ago

What's remaining?

Linux / X11 arch and monolithic desktop arch in general will never suffice if endpoint security matters (for multi app desktop envs)

I'm so glad they're working on this instead of unimportant minutiae like copy/cut frequently outright refusing to deposit its contents in the system clipboard on all three major platforms, or the browser simply freezing for up to ten minutes after the system wakes up from sleep while it syncs all changes made since then.

brian_herman4y ago

Nice job firefox team!

Process isolation improvement never ends. Firefox 100, FF 1000, FF Universe... will be improved and hacked again. Why?

j / k navigate · click thread line to collapse