
New Firefox Sandbox Isolates Third-Party Libraries

RLBox can be used to protect web browsers and other software applications from vulnerabilities in subcomponents and libraries.


The latest version of Mozilla’s Firefox browser comes with a new security feature designed to protect users from web attacks targeting vulnerabilities in third-party libraries.

Modern browsers run sites and applications in sandboxed processes to protect against malicious code that may try to hijack the browser or target other applications running on the system. However, attackers regularly chain multiple vulnerabilities together to escape the browser sandbox and compromise the underlying device.

RLBox extends the sandbox concept and isolates the browser’s subcomponents (third-party libraries used by Firefox) inside a fine-grained software sandbox, Mozilla says. This way, potentially untrusted code is kept where it can’t cause much damage to the browser. Intended to complement existing protections, the feature is being rolled out with support for isolating five modules: the Graphite font rendering engine, the Hunspell spell checker, the Ogg multimedia container format, the Expat XML parser, and the Woff2 web font compression format.

"Going forward, we can treat these modules as untrusted code, and — assuming we did it right — even a zero-day vulnerability in any of them should pose no threat to Firefox," Bobby Holley, a distinguished engineer at Mozilla working in the office of the Firefox CTO on technical strategy and coordination, writes on the Mozilla Hacks blog.

The new sandboxing technology, which relies on WebAssembly, was developed in collaboration with academics at the University of California San Diego and University of Texas. Because it is a standalone project designed to be modular, Holley hopes other browsers and software projects will adopt RLBox to "make the ecosystem safer."

"RLBox is a big win for us on several fronts: it protects our users from accidental defects as well as supply-chain attacks, and it reduces the need for us to scramble when such issues are disclosed upstream," Holley writes.

RLBox works by first compiling code into WebAssembly and then compiling it again into native code. Using WebAssembly as an intermediate build step restricts the code’s access to system memory and confines it to a specified memory region, preventing it from jumping to unexpected parts of the program. This means the developer just has to sanitize values coming out of the sandbox to make sure they are not maliciously crafted.
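As an added illustration (not code from Mozilla or the RLBox project), the C++ sketch below models that sanitization step: a value returned by sandboxed code is wrapped so the host cannot use it until a check accepts it. `SandboxMemory`, `Tainted`, `unwrap_checked`, `UntrustedResult` and `read_result` are hypothetical names, and the sketch assumes sandbox pointers are 32-bit offsets into a single memory region.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Simplified model, not RLBox's real API: the sandbox owns one fixed memory
// region and "pointers" returned by the library are offsets into it.
struct SandboxMemory {
    std::vector<uint8_t> bytes;
    explicit SandboxMemory(std::size_t size) : bytes(size, 0) {}
};

// A value produced by untrusted code. The host cannot read it directly; it
// must pass a verifier, and only gets the value if the verifier accepts it.
template <typename T>
class Tainted {
    T value_;
public:
    explicit Tainted(T v) : value_(v) {}
    template <typename Verifier>
    bool unwrap_checked(Verifier ok, T& out) const {
        if (!ok(value_)) return false;
        out = value_;
        return true;
    }
};

// Hypothetical result of a sandboxed parser: where its output sits, how long.
struct UntrustedResult { Tainted<uint32_t> offset, length; };

// Host side: copy the output only if length is within the host's limit and
// [offset, offset + length) lies entirely inside sandbox memory.
bool read_result(const SandboxMemory& mem, const UntrustedResult& r,
                 uint32_t max_len, std::string& out) {
    const uint64_t size = mem.bytes.size();
    uint32_t len = 0, off = 0;
    if (!r.length.unwrap_checked([&](uint32_t n) { return n <= max_len; }, len))
        return false;
    // 64-bit arithmetic so offset + length cannot wrap around.
    if (!r.offset.unwrap_checked(
            [&](uint32_t o) { return static_cast<uint64_t>(o) + len <= size; }, off))
        return false;
    out.assign(reinterpret_cast<const char*>(mem.bytes.data()) + off, len);
    return true;
}
```

A rejected result leaves the caller's output string untouched, so a hostile offset or length from the library never turns into a read outside the sandbox region.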

"Together, these restrictions make it safe to share an address space (including the stack) between trusted and untrusted code, allowing us to run them in the same process largely as we were doing before," Holley writes.

While Mozilla plans to add more components to the list, RLBox can’t protect every Firefox component.

"Some components are not a good fit for this approach — either because they depend too much on sharing memory with the rest of the program, or because they’re too performance-sensitive to accept the modest overhead incurred," Holley warns.

Also in Firefox 95, Mozilla enabled Site Isolation for all users to help protect against side-channel attacks like Spectre. Site isolation aims to improve privacy and security by separating content and loading each site in its own operating system process. This way, malicious sites are prevented from accessing sensitive information from other sites running in the browser.

About the Author(s)

Fahmida Y. Rashid, Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.
