Mozilla 2/Protected mode

From MozillaWiki

Owners

Jim Mathies / Rob Strong

Status

Feature tracking bug

Overview and Motivations

Integrity levels are a Windows security concept introduced with Windows Vista. Securable objects within the system, including applications and their associated windows, directories and files, and registry keys, are assigned one of a small, fixed set of integrity levels. These integrity restrictions are enforced independently of user-level security restrictions.

The general rule integrity enforces is "no write-up": a subject running at a lower integrity level cannot write to objects labelled with a higher level. Objects at much lower integrity levels often have a "no read-up" rule applied as well, which blocks access to higher-level objects completely.
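
As an added illustration (not from the original page), the mandatory integrity check described above modelled in Python: it parses the mandatory-label ACE out of an SDDL security descriptor and applies the no-write-up, no-read-up and no-execute-up policy. The integrity SIDs (S-1-16-<RID>) and SDDL codes are Windows's own; the sample descriptors for LocalLow, the profile directory and a broker process are constructed for the example.

```python
import re

# Integrity levels as SDDL two-letter codes mapped to the RID of the S-1-16-<RID> SID.
# A higher RID means a higher integrity level.
LEVELS = {"LW": 4096, "ME": 8192, "HI": 12288, "SI": 16384}   # low, medium, high, system
# Mandatory-label policy bits and their SDDL codes.
POLICY = {"NW": 1, "NR": 2, "NX": 4}                           # no-write-up, no-read-up, no-execute-up
ACCESS_BIT = {"write": POLICY["NW"], "read": POLICY["NR"], "execute": POLICY["NX"]}

# Matches a mandatory-label ACE such as (ML;OICI;NW;;;LW) in the SACL ("S:") part of an SDDL string.
LABEL_ACE = re.compile(r"\(ML;[A-Z]*;(?P<policy>(?:NW|NR|NX)*);;;(?P<level>LW|ME|HI|SI)\)")


def parse_label(sddl):
    """Return (policy_mask, level_rid) of an object's mandatory label.

    An object with no label ACE gets the Windows default: medium integrity, no-write-up.
    """
    match = LABEL_ACE.search(sddl)
    if match is None:
        return POLICY["NW"], LEVELS["ME"]
    codes = match.group("policy")
    mask = 0
    for i in range(0, len(codes), 2):          # policy codes are concatenated two-letter pairs
        mask |= POLICY[codes[i:i + 2]]
    return mask, LEVELS[match.group("level")]


def access_allowed(subject_level, object_sddl, access):
    """Apply the mandatory integrity check for one kind of access ("read", "write" or "execute").

    A subject at or above the object's level is never blocked by the label (the DACL still applies).
    A lower subject is blocked only for the access kinds the label's policy forbids.
    """
    mask, object_level = parse_label(object_sddl)
    if subject_level >= object_level:
        return True
    return not (mask & ACCESS_BIT[access])


# Constructed sample descriptors (not taken from a real system).
LOCALLOW_DIR = "O:BAG:BAD:(A;OICI;FA;;;BA)S:(ML;OICI;NW;;;LW)"   # %userprofile%\AppData\LocalLow
PROFILE_DIR = "O:BAG:BAD:(A;OICI;FA;;;BA)"                     # unlabelled: defaults to medium, NW
BROKER_PROCESS = "S:(ML;;NWNRNX;;;ME)"                          # medium-integrity process object

if __name__ == "__main__":
    for name, sddl in [("LocalLow", LOCALLOW_DIR), ("profile", PROFILE_DIR), ("broker", BROKER_PROCESS)]:
        for access in ("read", "write"):
            print(f"low-IL {access:5} on {name:8}: {access_allowed(LEVELS['LW'], sddl, access)}")
```

Run as a script it prints, for a low-integrity subject, which of the three sample objects it may read and write; a low-integrity Firefox could write only to LocalLow and could not even read the medium-level broker process.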

Firefox 2.0 currently runs at the default "medium" integrity level. The goal is to add support for running at both low and medium integrity without adversely affecting the browser's usability or user experience.

Three broad goals summarize the work required:

  • Research into the areas of the Fx codebase that will be affected in some way.
  • Add support for an exe launch shim ("broker") for Firefox which will facilitate better OS integration, including better, more secure protocol handling, application startup, and a more reliable DDE interface.
  • Augment the functionality of the broker so that Firefox can interact with the system while running at a low integrity level.

Potential Areas Affected / Issues

  • application registration with the system
  • DDE implementation
  • product updates
  • installer
  • helper and protocol handler services that launch third-party applications
  • directory services (default locations)
  • general file access - write access restricted to %userprofile%\AppData\LocalLow
  • profile management
  • drag and drop
  • copy paste
  • registry access
  • COM interfacing
  • Windows API restrictions - APIs that communicate with objects of a higher integrity level (cert, crypt, theming, networking, OS settings)
  • Security Zone Policy settings - Internet Explorer's broker decides what integrity level a particular URL should execute within. Intranet and local resources are launched in a separate medium-level process. Whether Firefox must support similar decision making and functionality is unknown at this point.

Schedule and Milestones

It is hard to say at this point how long protected mode will take, or even whether it is possible. The first work required is research and testing, followed by the implementation of a basic broker shim aimed at better OS integration. Conservatively this might land for Fx 3.1, with full support for running under protected mode landing in Fx 4.0. We might get farther for Fx 3.1 depending on how much work is involved. The shim should definitely land and be well tested before protected mode support is added.
