Security/ProcessIsolation

From MozillaWiki
Jump to: navigation, search

Process isolation is designed to separate Firefox into multiple processes, each with the least amount of privilege necessary. In doing so, the potential damage for a large number of Firefox vulnerabilities can be reduced.

Project Goals

Reduce the damage for various types of vulnerabilities within Firefox. This is a defense in depth measure.

We will do so by:

  • identifying high level of categories of threats that we could address via process isolation
  • determining the architectural implications of mitigating each category
  • selecting a threat model and architecture that will address it, and prototyping it
  • determining whether the chosen model is actually feasible within the current Gecko architecture
  • implementation roadmap
  • implement it

Roadmap

  • Put together a team of people willing to put in a sustained effort on process isolation design and prototyping (6+ month timeframe)
  • Identify broad sets of vulnerabilities that might be mitigated by process isolation (high level threat model, here: Security/ProcessIsolation/ThreatModel
  • Identify several potential architectures. A few that come to mind, there will be more:
    • Isolate entire Firefox process into low rights mode (sensitive I/O virtualized or brokered). Protects system from browser vulns but does not improve stability or inter-domain security.
    • Isolate Firefox into multiple processes (process per tab or process per top-level). Provides system protection, and stability benefits, but minimal inter-domain protections.
    • Isolate Firefox into separate process per domain. The most complex model, but provides system protection, stability, and inter-domain compartmentalization.
  • Determine which sets of vulnerabilities could be addressed by different architectures
  • Outline any operating system limitations and feasibility of each potential architecture on major OSes
  • Pick a (straw man) architecture
  • Develop a detailed threat model to understand how threats will be mitigated and where we might run into implementation problems for the given architecture
  • Figure out how to address any design or implementation issues discovered
  • Iterative the above 3 steps as necessary
  • Implementation roadmap
    • Identify components affected and respective developers
    • Figure out milestones and beta requirements
    • Budget and schedule for external security review