Necko: Sandboxing TCP/UDP socket in a separate process: Difference between revisions
Jump to navigation
Jump to search
(→Sandboxing: update requirement for sandboxing) |
(add TODOs section) |
||
| Line 37: | Line 37: | ||
=== Override Certificate === | === Override Certificate === | ||
=== NTLM === | === NTLM === | ||
== TODOs == | |||
* hook ProcessHangMonitor | |||
* hook CrashReporter | |||
* hook MemoryPresure | |||
* hook MemoryReporter | |||
* ensure Telemetry works | |||
* ensure MOZ_LOG works | |||
* remove XPCOM and support only C++ implementation | |||
Revision as of 09:46, 16 November 2017
Objectives
Move all the network and socket operations to an isolated process.
Goals
- For security
- Sandboxing network access into a separate process, preventing chrome process from opening socket
- Preventing protocol security hole to be used to control the entire browser
- For stability
- Allow recovering network layer without rebooting firefox, if crash/assertion is detected in the socket process
- For performance
- No major regression found for start-up performance and network throughput
Requirements
HTTP Channel
FTP Channel
TCP Socket
UDP Socket
DNS
Cache
Proxy
WebSocket
WebRTC
NSS
PKI/PKIX
Sandboxing
- Chrome process is still the only secure zone. Every IPC interface received at Chrome process should be audited
- IPC to content process or socket process should at least do sanity check in the receiver side
- Better not providing interface to create arbitrary TCP/UDP connection
Design
Architecture
IPDL
Start-up Procedure
Create HTTP Channel
Create WebRTC Channel
Update Preference
Override Certificate
NTLM
TODOs
- hook ProcessHangMonitor
- hook CrashReporter
- hook MemoryPresure
- hook MemoryReporter
- ensure Telemetry works
- ensure MOZ_LOG works
- remove XPCOM and support only C++ implementation