Framework Isolates Libraries in Firefox to Improve Security

A group of researchers has built a sandbox framework that can improve the security of Firefox by isolating third-party libraries used by the browser.

Similar to other major browsers, Firefox relies on third-party libraries to render content — such as audio, video, and images — and these libraries often introduce additional vulnerabilities, researchers from the University of California San Diego, University of Texas at Austin, Stanford University and Mozilla say.

To mitigate the issue, the researchers came up with RLBox, a framework that supports sandboxing through either software-based fault isolation or multi-core process isolation, and which is meant to help Firefox run untrusted code.

The proposed architecture isolates libraries in lightweight sandboxes, with “modest and transient” performance overheads (minor impact on page latency), thus reducing the impact of potential compromise.

RLBox, the researchers say, mediates data flow and control flow to automate security checks, minimize renderer change, efficiently share data structures, simplify migration, and bridge machine models.

The general-purpose library-sandboxing framework has already been implemented in production Firefox, to isolate the libGraphite font shaping library, using a WebAssembly sandbox.

“Our retrofitted Firefox successfully tested on both the Firefox Nightly and Beta channels, and ships in stock Firefox 74 to Linux users and in Firefox 75 to Mac users,” the researchers note in a whitepaper (PDF).

RLBox “leverages the C++ type system to enforce safe data and control flow, and enables an incremental compiler-driven approach to migrating code to a sandboxed architecture.”
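As an added illustration (not code from the article, the whitepaper or RLBox itself), the C++ sketch below shows how a type system can force a check on every value that crosses from a sandboxed library into the renderer. The names `Tainted`, `verified_by`, `sandboxed_glyph_index` and `glyph_width` are hypothetical, and the sandboxed call is simulated by an ordinary function.

```cpp
#include <cstddef>
#include <cstdio>
#include <utility>
#include <vector>

// A value produced by untrusted (sandboxed) code. It has no implicit
// conversion to T and no public getter, so renderer code cannot use it
// until it has passed through a verifier.
template <typename T>
class Tainted {
public:
    explicit Tainted(T v) : value_(std::move(v)) {}

    // The verifier receives the raw value and returns a value that is
    // safe to use in trusted code.
    template <typename Verifier>
    T verified_by(Verifier verify) const { return verify(value_); }

private:
    T value_;
};

// Stand-in for a call into a sandboxed font library (assumption: a real
// framework would marshal this call across the sandbox boundary). A
// compromised library is free to return any index it likes.
Tainted<std::size_t> sandboxed_glyph_index(bool compromised) {
    return Tainted<std::size_t>(compromised ? 0xFFFFFFFFu : 2u);
}

// Renderer-side code. Writing widths[idx] directly does not compile,
// because Tainted<size_t> is not convertible to size_t; the bounds check
// is therefore impossible to forget. Returns -1 if the index is rejected.
int glyph_width(const std::vector<int>& widths, bool compromised) {
    const std::size_t kInvalid = static_cast<std::size_t>(-1);
    Tainted<std::size_t> idx = sandboxed_glyph_index(compromised);
    std::size_t safe = idx.verified_by([&](std::size_t raw) {
        return raw < widths.size() ? raw : kInvalid;
    });
    if (safe == kInvalid) return -1;
    return widths[safe];
}

int main() {
    std::vector<int> widths{10, 20, 30};  // constructed sample table
    std::printf("benign: %d, compromised: %d\n",
                glyph_width(widths, false), glyph_width(widths, true));
    return 0;
}
```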

The framework, the researchers argue, can significantly ease the burden of securely sandboxing libraries in existing code. Furthermore, since it does not depend on Firefox, RLBox could be used as a sandboxing framework for other C++ applications as well.

The researchers have released the RLBox library, along with the modified builds and benchmarks, as open source. The production-ready RLBox and Wasm-based sandbox were released as well.

“Third party libraries are likely to remain a significant source of critical browser vulnerabilities. Our approach to sandboxing code at the library-renderer interface offers a practical path to mitigating this threat in Firefox, and other browsers as well,” the researchers conclude.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
