canmove, Confirmed users
1,220
edits
Security/Sandbox/Hardening: Difference between revisions
→Web Content (HTML, CSS, XML, SVG)
Ptheriault (talk | contribs) |
Ptheriault (talk | contribs) |
||
| (12 intermediate revisions by 2 users not shown) | |||
| Line 42: | Line 42: | ||
In the section below “content process” refers the “Web Content Process” unless otherwise specified. | In the section below “content process” refers the “Web Content Process” unless otherwise specified. | ||
===File access=== | ===File access=== | ||
'''Threats''' | '''Threats'''<br> | ||
Compromised child process read or modifies user data or systems files. Arbitrary file write is equivalent to arbitrary code execution. | Compromised child process read or modifies user data or systems files. Arbitrary file write is equivalent to arbitrary code execution. | ||
'''Objectives''' | '''Objectives'''<br> | ||
Protect user data and sensitive configuration file in the event of a compromised content process. By default the sandbox should block access to files in the content process, and any necessary exceptions (e.g. reading program files, writing temp file etc) must be mediated by the Chrome process. | Protect user data and sensitive configuration file in the event of a compromised content process. By default the sandbox should block access to files in the content process, and any necessary exceptions (e.g. reading program files, writing temp file etc) must be mediated by the Chrome process. | ||
'''Controls''' | '''Controls'''<br> | ||
On all platforms, access to the filesystem is mediated by a file broker running the Chrome process. | On all platforms, access to the filesystem is mediated by a file broker running the Chrome process. | ||
| Line 64: | Line 64: | ||
The GMP process has no access to file system at all. | The GMP process has no access to file system at all. | ||
'''Open Issues''' | '''Open Issues'''<br> | ||
# The file content process is currently allowed to access remote content, and this is likely to remain as conceptually locally hosted webpages may legally request remote resources. A remote attacker able to coerce the browser to initiate the File Content process to load a nested resource such as iframe, would be able to bypass the file read restrictions of the Web Content Sandbox. We need to ensure that this is not possible. | # The file content process is currently allowed to access remote content, and this is likely to remain as conceptually locally hosted webpages may legally request remote resources. A remote attacker able to coerce the browser to initiate the File Content process to load a nested resource such as iframe, would be able to bypass the file read restrictions of the Web Content Sandbox. We need to ensure that this is not possible. | ||
# What is the file access policy for the WebExtension process? Can we increase restrictions of the content process sandbox post-depreciation of old-style addons? | # What is the file access policy for the WebExtension process? Can we increase restrictions of the content process sandbox post-depreciation of old-style addons? | ||
| Line 71: | Line 71: | ||
Network architecture is already such that low-level connectivity and security decisions are implemented in the parent process. For detail, see [Necko:_Electrolysis_design_and_subprojects]. This gives us a strong basis to enforce security rules on network traffic. | Network architecture is already such that low-level connectivity and security decisions are implemented in the parent process. For detail, see [Necko:_Electrolysis_design_and_subprojects]. This gives us a strong basis to enforce security rules on network traffic. | ||
'''Threats''' | '''Threats'''<br> | ||
Attack local system services or connect to resources behind firewalls. | Attack local system services or connect to resources behind firewalls. | ||
De-anonymise VPN users? | De-anonymise VPN users? | ||
'''Objectives''' | '''Objectives'''<br> | ||
* Direct network access is prohibited in the content process | * Direct network access is prohibited in the content process | ||
* All network access is provided through the chrome process | * All network access is provided through the chrome process | ||
* Global network restrictions (e.g. no connections to low numbered TCP ports) should be enforced in the Chrome process | * Global network restrictions (e.g. no connections to low numbered TCP ports) should be enforced in the Chrome process | ||
'''Control''' | '''Control'''<br> | ||
* Necko is remoted such that all access is performed through the content process | * Necko is remoted such that all access is performed through the content process | ||
'''Open Questions''' | '''Open Questions'''<br> | ||
* Access to low ports could & should be restricted? Do we do this already? | * Access to low ports could & should be restricted? Do we do this already? | ||
* Does all network access go through the parent (via necko)? If not, what connection are directly initiated from the child? | * Does all network access go through the parent (via necko)? If not, what connection are directly initiated from the child? | ||
* Where do origin checks occur? For example, what happens if a web resource redirects to a file:// resource? | * Where do origin checks occur? For example, what happens if a web resource redirects to a file:// resource? | ||
** Where to network security checks happen in general? | |||
* Can a compromised content process make network connections that subvert Firefox network settings (e.g.can sandbox prevent de-anonymization attacks)? | * Can a compromised content process make network connections that subvert Firefox network settings (e.g.can sandbox prevent de-anonymization attacks)? | ||
| Line 95: | Line 95: | ||
The main consequence of this architecture is that the content process talks to the GPU directly, and subsequently needs access to low-level APIs to facilitate this communication. While there are plans to move compositing from the parent process to a separate GPU process (roughly FF53), the focus of this project is to improve stability and is not expected to meaningfully reduce the privileges required in the child process. | The main consequence of this architecture is that the content process talks to the GPU directly, and subsequently needs access to low-level APIs to facilitate this communication. While there are plans to move compositing from the parent process to a separate GPU process (roughly FF53), the focus of this project is to improve stability and is not expected to meaningfully reduce the privileges required in the child process. | ||
'''Out-of-process Compositor (aka GPU Process)''' | '''Out-of-process Compositor (aka GPU Process)'''<br> | ||
* Plan to move compositor from parent to separate process (roughly FF53) | * Plan to move compositor from parent to separate process (roughly FF53) | ||
* Largely would not affect sandboxing efforts, as child still requires access to the GPU. One benefit may be that on Windows, window handles (HWND) would not be required in the child process | * Largely would not affect sandboxing efforts, as child still requires access to the GPU. One benefit may be that on Windows, window handles (HWND) would not be required in the child process | ||
| Line 102: | Line 102: | ||
* GPU process will benefit linux greatly because it will move the X11 connection to the GPU process (instead of the child) | * GPU process will benefit linux greatly because it will move the X11 connection to the GPU process (instead of the child) | ||
'''Threats''' | '''Threats'''<br> | ||
* Historically graphics system calls have been common privilege escalation path (e.g. GDI on windows) | * Historically graphics system calls have been common privilege escalation path (e.g. GDI on windows) | ||
* Access to X on linux is significant attack service and direct security threat | * Access to X on linux is significant attack service and direct security threat | ||
'''Objectives''' | '''Objectives'''<br> | ||
* Reduce attack surface from content process | * Reduce attack surface from content process | ||
* Allow stronger windows sandbox levels by reducing necessary syscalls in content process | * Allow stronger windows sandbox levels by reducing necessary syscalls in content process | ||
'''Controls''' | '''Controls'''<br> | ||
* tbd | * tbd | ||
'''Open Questions''' | '''Open Questions'''<br> | ||
* Communication with GPU limits the restrictions that can be placed on child process | * Communication with GPU limits the restrictions that can be placed on child process | ||
** Windows: access to GPU prevents the use of the Untrusted integrity level sandbox | |||
** OSX: To be investigated | |||
** Linux: To be investigated | |||
* IPC code (IPDL & shared memory) represents an attack surface which needs to be hardened to ensure resilience to privilege escalation attacks | * IPC code (IPDL & shared memory) represents an attack surface which needs to be hardened to ensure resilience to privilege escalation attacks | ||
* No plans yet to sandbox Compositor process | * No plans yet to sandbox Compositor process | ||
* Will Quantum render afford opportunities to limit attack surface (e.g. can we ban windows GDI usage in content process)? | * Will Quantum render afford opportunities to limit attack surface (e.g. can we ban windows GDI usage in content process)? | ||
===DOM=== | ===DOM=== | ||
'''Threats''' | '''Threats'''<br> | ||
* Privilege escalation through implementation bugs | * Privilege escalation through implementation bugs | ||
* Broken security model allows sandbox bypass | * Broken security model allows sandbox bypass | ||
'''Objectives''' | '''Objectives'''<br> | ||
Dom API have chrome and content components. Need to ensure that security model for DOM APIs respects sandbox (ie all security decisions, permission checks etc must be performed in the parent). | Dom API have chrome and content components. Need to ensure that security model for DOM APIs respects sandbox (ie all security decisions, permission checks etc must be performed in the parent). | ||
'''Controls''' | '''Controls'''<br> | ||
* tbd | * tbd | ||
'''Open Questions''' | '''Open Questions'''<br> | ||
* Audit of DOM API IPC underway | * Audit of DOM API IPC underway | ||
===Script Execution=== | ===Script Execution=== | ||
'''Threats''' | '''Threats'''<br> | ||
* JS engine presents the | * JS engine presents the large attack surface | ||
Objectives | '''Objectives''' <br> | ||
TDB | |||
'''Controls'''<br> | |||
TDB | |||
'''Open Question''' | '''Open Question'''<br> | ||
* What JS code is | * What JS code is executed in the Chrome process? | ||
* Parent | * Parent | ||
** Firefox UI | ** Firefox UI | ||
| Line 156: | Line 157: | ||
** Js implemented web apis | ** Js implemented web apis | ||
** Web content | ** Web content | ||
* Parts of service workers are currently executed in the parent. | |||
* Parts of service workers are currently executed in the parent. | |||
=== Web Content (HTML, CSS, XML, SVG) === | === Web Content (HTML, CSS, XML, SVG) === | ||
'''Objective''' | '''Objective'''<br> | ||
All parsing and execution of untrusted content to be performed in the child | All parsing and execution of untrusted content to be performed in the child | ||
'''Controls''' | '''Controls'''<br> | ||
See bug https://bugzilla.mozilla.org/show_bug.cgi?id=1305331 | |||
'''Open Questions''' | '''Open Questions'''<br> | ||
=== Printing & Fonts === | === Printing & Fonts === | ||
| Line 178: | Line 175: | ||
Played back in the parent | Played back in the parent | ||
'''Objective''' | '''Objective'''<br> | ||
* Strategy is to trigger printing from the parent, not the child. | * Strategy is to trigger printing from the parent, not the child. | ||
* How is data passed from child to parent? (shared memory, files? ) | * How is data passed from child to parent? (shared memory, files? ) | ||
| Line 186: | Line 183: | ||
=== TLS Stack === | === TLS Stack === | ||
'''Threats''' | '''Threats'''<br> | ||
* Attacking NSS code | * Attacking NSS code | ||
* Putting fake certs/creds etc in the trust store | * Putting fake certs/creds etc in the trust store | ||
* Direct file access to steal keys e.g. client certs? | * Direct file access to steal keys e.g. client certs? | ||
'''Objectives''' | '''Objectives'''<br> | ||
* Content process should not be able to modify certificate database (add certs, exceptions etc) | * Content process should not be able to modify certificate database (add certs, exceptions etc) | ||
* | * | ||
'''Controls''' | '''Controls'''<br> | ||
* nsISiteSecurityService (security/manager/ssl/nsISiteSecurityService.idl) deals with HPKP/HSTS | * nsISiteSecurityService (security/manager/ssl/nsISiteSecurityService.idl) deals with HPKP/HSTS | ||
** Underlying DataStorage checks to see if we are in the parent process before reading/writing, if in the child, asks parent to read/write, so for this we should be able to exclude the HPKP/HSTS database from read/write in child. Child needs to do this in order to alter entries based on headers. | ** Underlying DataStorage checks to see if we are in the parent process before reading/writing, if in the child, asks parent to read/write, so for this we should be able to exclude the HPKP/HSTS database from read/write in child. Child needs to do this in order to alter entries based on headers. | ||
| Line 206: | Line 203: | ||
Note: sandbox can not restrict access to web crypto (child can load any origin, so can load any origin’s data) | Note: sandbox can not restrict access to web crypto (child can load any origin, so can load any origin’s data) | ||
'''Open Questions''' | '''Open Questions'''<br> | ||
* Is PSM remoted securely? How are certificate exceptions handled? | * Is PSM remoted securely? How are certificate exceptions handled? | ||
* Check where the following: | * Check where the following: | ||
* HSTS | * HSTS | ||
** DoS | |||
** Child can alter entries in HSTS cache. The child must in order to process headers. See above. The child probably doesn’t have to do this, but likely can. | |||
* Key Pinning | |||
** Pin a malicious certificate to bypass protection | |||
** As above | |||
* <keygen> happens in the child, going away hopefully? | * <keygen> happens in the child, going away hopefully? | ||
* Client certificate UI? | * Client certificate UI? | ||
=== DevTools === | === DevTools === | ||
'''Open Questions''' | '''Open Questions'''<br> | ||
* What is the process model? | * What is the process model? | ||
** What is in parent vs child? | |||
** What IPC mechanisms | |||
*** Sockets etc | |||
===Addons=== | ===Addons=== | ||
| Line 230: | Line 227: | ||
=== WebRTC=== | === WebRTC=== | ||
'''Threats''' | '''Threats'''<br> | ||
* Unauthorized camera and microphone access | * Unauthorized camera and microphone access | ||
* Eavesdropping on existing connections | * Eavesdropping on existing connections | ||
* Raw socket connections | * Raw socket connections | ||
'''Objectives''' | '''Objectives'''<br> | ||
Camera/Microphone | Camera/Microphone | ||
* Requests for camera and microphone mediated by the Chrome process | * Requests for camera and microphone mediated by the Chrome process | ||
** Chrome code controls the prompt, which displays the origin of the requester to the user | |||
** Content process can lie about its origin, but user still has to approve (i.e. content process can only use the camera without user permission, if it can guess an origin that has been pre-granted access) | |||
* Camera/Microphone indicators must always be shown (content process shouldnt be able to hide them) | * Camera/Microphone indicators must always be shown (content process shouldnt be able to hide them) | ||
Network Connectivity | Network Connectivity | ||
'''Controls''' | '''Controls'''<br> | ||
Camera/Microphone | Camera/Microphone | ||
https://bugzilla.mozilla.org/show_bug.cgi?id=1177242 | https://bugzilla.mozilla.org/show_bug.cgi?id=1177242 | ||
| Line 251: | Line 248: | ||
'''Open Questions''' | '''Open Questions'''<br> | ||
* What other threats exist with WebRTC and the sandbox | * What other threats exist with WebRTC and the sandbox | ||
** Socket Connectivity | ** Socket Connectivity | ||
| Line 257: | Line 254: | ||
===Media Playback=== | ===Media Playback=== | ||
'''Threats''' | '''Threats'''<br> | ||
* Mainly just attack surface for priv esc? | * Mainly just attack surface for priv esc? | ||
'''Objectives''' | '''Objectives'''<br> | ||
* Support media playback while minimizing attack surface | * Support media playback while minimizing attack surface | ||
* Remote audio to the parent to minimise syscalls necessary in the child (allowing tighter sandbox restrictions) | * Remote audio to the parent to minimise syscalls necessary in the child (allowing tighter sandbox restrictions) | ||
'''Controls''' | '''Controls'''<br> | ||
'''Open Questions''' | '''Open Questions'''<br> | ||
* Linux? | * Linux? | ||
** Libcubeb - Audio interfacehttps://dxr.mozilla.org/mozilla-central/source/media/libcubeb/src/cubeb-internal.h#14 | |||
** Loaded in the child | |||
** Strategy: remote the audio to the parent | |||
* Mac | * Mac | ||
** CoreAudio | |||
** Microphone | |||
*** Remove access from the child | |||
*** Access only via remote functions | |||
=== Firefox Preferences === | === Firefox Preferences === | ||
'''Threats''' | '''Threats'''<br> | ||
* Ability to change arbitrary preferences is equivalent to code execution | * Ability to change arbitrary preferences is equivalent to code execution | ||
'''Objectives''' | '''Objectives'''<br> | ||
* Restrict access to preferences in the content process to an absolute minimum | * Restrict access to preferences in the content process to an absolute minimum | ||
'''Controls''' | '''Controls'''<br> | ||
* Whitelist of prefs which child can write to | * Whitelist of prefs which child can write to | ||
* Can only simple prefs | * Can only simple prefs | ||
* Actual prefs live in parent | * Actual prefs live in parent | ||
'''Open Questions''' | '''Open Questions'''<br> | ||
=== Printing === | === Printing === | ||
'''Threats''' | '''Threats'''<br> | ||
* System calls involved in printing is historically dangerous attack surface for kernel privilege escalation | * System calls involved in printing is historically dangerous attack surface for kernel privilege escalation | ||
Objectives | Objectives | ||
* Remote access to the parent to minimize access to the parent | * Remote access to the parent to minimize access to the parent | ||
'''Controls''' | '''Controls'''<br> | ||
Printing pages are remoted to the parent: the content process serializes the document to the parent which interprets it. | Printing pages are remoted to the parent: the content process serializes the document to the parent which interprets it. | ||
| Line 304: | Line 301: | ||
=== Other things: Places, History & Bookmarks etc? === | === Other things: Places, History & Bookmarks etc? === | ||
'''Threats''' | '''Threats'''<br> | ||
* Implementation of the remoting of this functionality presents privilege escalation attack surfce | * Implementation of the remoting of this functionality presents privilege escalation attack surfce | ||
* Read bookmarks in content process | * Read bookmarks in content process | ||
'''Objectives''' | '''Objectives'''<br> | ||
* Content process should not be able to read bookmarks? | * Content process should not be able to read bookmarks? | ||
* We can’t restrict access to history since this is needed to display web content? | * We can’t restrict access to history since this is needed to display web content? | ||
* Ensure security model for these components are safe | * Ensure security model for these components are safe | ||
'''Controls''' | '''Controls'''<br> | ||
tbd | tbd | ||
'''Open Questions''' | '''Open Questions'''<br> | ||
* What other things fall into the same category (is there a better name for this?) | * What other things fall into the same category (is there a better name for this?) | ||