The latest version of Mozilla’s Firefox browser comes with a new security feature designed to protect users from web attacks targeting vulnerabilities in third-party libraries.
Modern browsers run sites and applications in sandboxed processes to protect against malicious code that may try to hijack the browser or target other applications running on the system. However, attackers regularly chain multiple vulnerabilities together to escape the browser sandbox and compromise the underlying device.
RLBox extends the sandbox concept and isolates the browser’s subcomponents – third-party libraries used by Firefox – inside a fine-grained software sandbox, Mozilla says. This way, potentially untrusted code is kept where it can’t cause much damage to the browser. Intended to complement existing protections, the feature is being rolled out with support for isolating the modules for the Graphite font rendering engine, the Hunspell spell checker, the Ogg multimedia container format, the Expat XML parser, and the Woff2 web font compression format.
"Going forward, we can treat these modules as untrusted code, and — assuming we did it right — even a zero-day vulnerability in any of them should pose no threat to Firefox," Bobby Holley, a distinguished engineer at Mozilla working in the office of the Firefox CTO on technical strategy and coordination, writes on the Mozilla Hacks blog.
The new sandboxing technology, which relies on WebAssembly, was developed in collaboration with academics at the University of California San Diego and the University of Texas. As it is a standalone project designed to be modular, Holley hopes other browsers and software projects will adopt RLBox to "make the ecosystem safer."
"RLBox is a big win for us on several fronts: it protects our users from accidental defects as well as supply-chain attacks, and it reduces the need for us to scramble when such issues are disclosed upstream," Holley writes.
RLBox works by first compiling the library’s code into WebAssembly and then compiling it again into native code. Using WebAssembly as an intermediate build step restricts the code’s access to system memory and confines it to a specified memory region, preventing it from jumping to unexpected parts of the program. This means the developer only has to sanitize values coming out of the sandbox to make sure they are not maliciously crafted.
"Together, these restrictions make it safe to share an address space (including the stack) between trusted and untrusted code, allowing us to run them in the same process largely as we were doing before," Holley writes.
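The two host-side obligations described above, a library confined to its own memory region and every value that crosses back into the host being checked before use, can be illustrated with a small model. The following C++ is an added example written for this article; it is not RLBox’s own code or API, and the `Sandbox`, `Tainted`, `honest_uppercase`, `compromised_uppercase` and `host_uppercase` names are all hypothetical. The `Tainted` wrapper mirrors the idea that sandbox output has no implicit conversion to a plain value: the host must supply a verifier, and the check runs on a copy so the library cannot change the value between the check and its use.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Toy stand-in for a sandbox's linear memory (wasm-style: one contiguous region).
class Sandbox {
public:
    explicit Sandbox(std::size_t size) : mem_(size, 0) {}
    std::uint8_t* base() { return mem_.data(); }
    std::size_t size() const { return mem_.size(); }
    // True only if [p, p+len) lies entirely inside sandbox memory.
    // (Comparing unrelated pointers is unspecified in the standard; it is fine
    // on the flat address spaces this toy is meant to run on.)
    bool contains(const std::uint8_t* p, std::size_t len) const {
        const std::uint8_t* b = mem_.data();
        if (p < b) return false;
        std::size_t off = static_cast<std::size_t>(p - b);
        return off <= mem_.size() && len <= mem_.size() - off;
    }
private:
    std::vector<std::uint8_t> mem_;
};

// Anything the sandboxed library hands back is wrapped as Tainted<T>. There is no
// implicit conversion to T; the host has to call copy_and_verify and supply a check.
template <typename T>
class Tainted {
public:
    explicit Tainted(T v) : v_(v) {}
    template <typename F>
    auto copy_and_verify(F verifier) const {
        T snapshot = v_;   // copy out first so the check and the use see the same value
        return verifier(snapshot);
    }
private:
    T v_;
};

// What the (untrusted) library reports back: where it wrote and how much.
struct LibOut { std::uint8_t* ptr; std::uint32_t len; };
using LibFn = Tainted<LibOut> (*)(Sandbox&, const std::string&);

// Well-behaved library: uppercases the input into sandbox memory.
// (A real wasm sandbox would trap on an out-of-bounds write; here we truncate.)
Tainted<LibOut> honest_uppercase(Sandbox& sb, const std::string& in) {
    std::size_t n = std::min(in.size(), sb.size());
    std::uint8_t* out = sb.base();
    for (std::size_t i = 0; i < n; ++i)
        out[i] = static_cast<std::uint8_t>(std::toupper(static_cast<unsigned char>(in[i])));
    return Tainted<LibOut>(LibOut{out, static_cast<std::uint32_t>(n)});
}

// Constructed host-side data that must never be readable through library output.
static char host_secret[32] = "host-only data, never exported";

// Misbehaving library (simulating a compromised module): claims an absurd
// length and points at host memory instead of its own region.
Tainted<LibOut> compromised_uppercase(Sandbox&, const std::string&) {
    return Tainted<LibOut>(LibOut{reinterpret_cast<std::uint8_t*>(host_secret), 0xFFFFFFFFu});
}

struct HostResult { bool ok; std::string value; };

// Host-side wrapper: the only place that turns tainted output into a plain string.
HostResult host_uppercase(Sandbox& sb, LibFn lib, const std::string& in, std::size_t max_out) {
    Tainted<LibOut> t = lib(sb, in);
    return t.copy_and_verify([&](LibOut o) -> HostResult {
        // Reject anything above the host's own bound or outside sandbox memory.
        if (o.len > max_out || !sb.contains(o.ptr, o.len)) return {false, ""};
        return {true, std::string(reinterpret_cast<const char*>(o.ptr), o.len)};
    });
}

// Two runs the reader can check: the honest module's output is accepted,
// the compromised module's output is rejected without touching host_secret.
bool demo_honest_is_accepted() {
    Sandbox sb(256);
    HostResult r = host_uppercase(sb, honest_uppercase, "hello", 64);
    return r.ok && r.value == "HELLO";
}

bool demo_compromised_is_rejected() {
    Sandbox sb(256);
    HostResult r = host_uppercase(sb, compromised_uppercase, "hello", 64);
    return !r.ok && r.value.empty();
}
```

The point of the wrapper is that the verifier is the only path from `Tainted<LibOut>` to a usable pointer and length, so a length that is too large or a pointer into host memory is rejected in one place rather than relying on every caller to remember the check.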
While Mozilla plans to add more components to the list, RLBox can’t protect every Firefox component.
"Some components are not a good fit for this approach — either because they depend too much on sharing memory with the rest of the program, or because they’re too performance-sensitive to accept the modest overhead incurred," Holley warns.
Also in Firefox 95, Mozilla enabled Site Isolation for all users to help protect against side-channel attacks like Spectre. Site isolation aims to improve privacy and security by separating content and loading each site in its own operating system process. This way, malicious sites are prevented from accessing sensitive information from other sites running in the browser.