Features/Security/Low rights Firefox

From MozillaWiki
< Features
Revision as of 19:36, 18 July 2012 by Imelven (talk | contribs)
Jump to navigation Jump to search
Please use "Edit with form" above to edit this page.

Status

Low-rights Firefox (whole process sandbox)
Stage Draft
Status `
Release target `
Health OK
Status note `

{{#set:Feature name=Low-rights Firefox (whole process sandbox)

|Feature stage=Draft |Feature status=` |Feature version=` |Feature health=OK |Feature status note=` }}

Team

Product manager Lucas Adamski
Directly Responsible Individual Ian Melven
Lead engineer Marshall Moutenot
Security lead `
Privacy lead `
Localization lead `
Accessibility lead `
QA lead `
UX lead `
Product marketing lead `
Operations lead `
Additional members `

{{#set:Feature product manager=Lucas Adamski

|Feature feature manager=Ian Melven |Feature lead engineer=Marshall Moutenot |Feature security lead=` |Feature privacy lead=` |Feature localization lead=` |Feature accessibility lead=` |Feature qa lead=` |Feature ux lead=` |Feature product marketing lead=` |Feature operations lead=` |Feature additional members=` }}

Open issues/risks

  • Can't sandbox plugins without their cooperation (they will crash)
  • Binary add-ons would probably crash
  • Significant percentage of XPCOM add-ons would likely need updating (should be quantified)
  • Need a broker for certain operations (filesystem, some networking, device access, maybe WebGL and some audio/video)

Stage 1: Definition

1. Feature overview

As Electrolysis (e10s) is current shelved, we could obtain a lot of security benefit from implementing a simpler whole-process sandbox by reducing the runtime privileges of the entire Firefox process.

2. Users & use cases

`

3. Dependencies

Related bugs

Other references

4. Requirements

To obtain security benefits this would need to prevent persistent compromise of the local system. In addition it would be desirable to prevent transient (read) compromise of the local system.

Non-goals

  • Cross-domain and other intra-browser attacks (browsing history, passwords, cookies, etc) will not be mitigated.
  • Plugins are not affected as they cannot be run in low rights without their cooperation (ie. code changes)

Stage 2: Design

5. Functional specification

`

6. User experience design

`

Stage 3: Planning

7. Implementation plan

`

8. Reviews

Security review

`

Privacy review

`

Localization review

`

Accessibility

`

Quality Assurance review

`

Operations review

`

Stage 4: Development

9. Implementation

`

Stage 5: Release

10. Landing criteria

` {{#set:Feature open issues and risks=* Can't sandbox plugins without their cooperation (they will crash)

  • Binary add-ons would probably crash
  • Significant percentage of XPCOM add-ons would likely need updating (should be quantified)
  • Need a broker for certain operations (filesystem, some networking, device access, maybe WebGL and some audio/video)

|Feature overview=As Electrolysis (e10s) is current shelved, we could obtain a lot of security benefit from implementing a simpler whole-process sandbox by reducing the runtime privileges of the entire Firefox process. |Feature users and use cases=` |Feature dependencies=Related bugs

Other references

|Feature requirements=To obtain security benefits this would need to prevent persistent compromise of the local system. In addition it would be desirable to prevent transient (read) compromise of the local system. |Feature non-goals=*Cross-domain and other intra-browser attacks (browsing history, passwords, cookies, etc) will not be mitigated.

  • Plugins are not affected as they cannot be run in low rights without their cooperation (ie. code changes)

|Feature functional spec=` |Feature ux design=` |Feature implementation plan=` |Feature security review=` |Feature privacy review=` |Feature localization review=` |Feature accessibility review=` |Feature qa review=` |Feature operations review=` |Feature implementation notes=` |Feature landing criteria=` }}

Feature details

Priority P1
Rank 999
Theme / Goal Product Hardening
Roadmap Security
Secondary roadmap Firefox Desktop
Feature list Desktop
Project `
Engineering team Security

{{#set:Feature priority=P1

|Feature rank=999 |Feature theme=Product Hardening |Feature roadmap=Security |Feature secondary roadmap=Firefox Desktop |Feature list=Desktop |Feature project=` |Feature engineering team=Security }}

Team status notes

  status notes
Products ` `
Engineering ` `
Security ` `
Privacy ` `
Localization ` `
Accessibility ` `
Quality assurance ` `
User experience ` `
Product marketing ` `
Operations ` `

{{#set:Feature products status=`

|Feature products notes=` |Feature engineering status=` |Feature engineering notes=` |Feature security status=` |Feature security health=` |Feature security notes=` |Feature privacy status=` |Feature privacy notes=` |Feature localization status=` |Feature localization notes=` |Feature accessibility status=` |Feature accessibility notes=` |Feature qa status=` |Feature qa notes=` |Feature ux status=` |Feature ux notes=` |Feature product marketing status=` |Feature product marketing notes=` |Feature operations status=` |Feature operations notes=` }}


Retrieved from "https://wiki.allizom.org/index.php?title=Features/Security/Low_rights_Firefox&oldid=452227"