Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Framework Isolates Libraries in Firefox to Improve Security

A group of researchers has built a sandbox framework that can improve the security of Firefox by isolating third-party libraries used by the browser.

A group of researchers has built a sandbox framework that can improve the security of Firefox by isolating third-party libraries used by the browser.

Similar to other major browsers, Firefox relies on third-party libraries to render content — such as audio, video, and images — and these libraries often introduce additional vulnerabilities, researchers from the University of California San Diego, University of Texas at Austin, Stanford University and Mozilla say.

To mitigate the issue, the researchers came up with RLBox, a framework that supports sandboxing through either software-based fault isolation or multi-core process isolation, and which is meant to help Firefox run untrusted code.

The proposed architecture isolates libraries in lightweight sandboxes, with “modest and transient” performance overheads (minor impact on page latency), thus reducing the impact of potential compromise.

RLBox, the researchers say, mediates data flow and control flow to automate security checks, minimize renderer change, efficiently share data structures, simplify migration, and bridge machine models.

The general-purpose library-sandboxing framework has already been implemented in production Firefox, to isolate the libGraphite font shaping library, using a WebAssembly sandbox.

“Our retrofitted Firefox successfully tested on both the Firefox Nightly and Beta channels, and ships in stock Firefox 74 to Linux users and in Firefox 75 to Mac users,” the researchers note in a whitepaper (PDF).

RLBox “leverages the C++ type system to enforce safe data and control flow, and enables an incremental compiler-driven approach to migrating code to a sandboxed architecture.”

Advertisement. Scroll to continue reading.

The framework, the researchers argue, can significantly ease the burden of securely sandboxing libraries in existing code. Furthermore, since it does not depend on Firefox, RLBox could be used as a sandboxing framework for other C++ applications as well.

The researchers have released the RLBox library, along with the modified builds and benchmarks, in open source. The production-ready RLBox and Wasm-based sandbox were released as well.

“Third party libraries are likely to remain a significant source of critical browser vulnerabilities. Our approach to sandboxing code at the library-renderer interface offers a practical path to mitigating this threat in Firefox, and other browsers as well,” the researchers conclude.

Related: Firefox Gets DNS-over-HTTPS as Default in U.S.

Related: Firefox 74 Will Disable TLS 1.0 and TLS 1.1 by Default

Related: Mozilla Patches Firefox Zero-Day Exploited in Targeted Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.