User:Mwobensmith/FP sandbox
From MozillaWiki
Phone conversation with Jeromie Clark, QA Manager, Adobe Flash Player
8/15/13
Flash Player sandbox:
- Was implemented around 2 years ago in FP 11.3
- Win Vista and higher only
- Was required as they needed to get off the "0day train"
- Had already learned from the Acrobat sandbox
Some details:
- Low-integrity process by default, must communicate with medium-integrity broker in order to access most things
- The OS also provides additional protection by limiting access to resources that belong to the user via Security Identifiers (SIDs)
- More: blog post
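The two points above (a Low-integrity content process that must go through a Medium-integrity broker, plus SID-based access checks) are exactly what a tester wants to verify on a live system. The script below is an added example, not code from the wiki page or from Adobe: it reads the mandatory integrity label from each process token via a small P/Invoke shim and reports Low/Medium/High/System. The process names `FlashPlayerPlugin*` and `firefox` are assumptions; substitute whatever the plugin host and sandboxed child are called on the machine under test.

```powershell
# Added example, not from the original page. Assumes Windows Vista or later
# (mandatory integrity control exists) and PowerShell with Add-Type available.
$src = @'
using System;
using System.Runtime.InteropServices;
public static class TokenIntegrity
{
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr hToken, int infoClass, IntPtr buffer, int length, out int returned);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr pSid);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr pSid, uint index);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr h);

    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS value

    // Returns the integrity RID: the last sub-authority of the token's mandatory label SID
    // (S-1-16-<rid>), e.g. 0x1000 for Low and 0x2000 for Medium.
    public static uint GetRid(IntPtr hProcess)
    {
        IntPtr hToken;
        if (!OpenProcessToken(hProcess, TOKEN_QUERY, out hToken))
            throw new System.ComponentModel.Win32Exception();
        try
        {
            int len;
            GetTokenInformation(hToken, TokenIntegrityLevel, IntPtr.Zero, 0, out len);
            IntPtr buf = Marshal.AllocHGlobal(len);
            try
            {
                if (!GetTokenInformation(hToken, TokenIntegrityLevel, buf, len, out len))
                    throw new System.ComponentModel.Win32Exception();
                IntPtr pSid = Marshal.ReadIntPtr(buf);   // TOKEN_MANDATORY_LABEL.Label.Sid
                byte count = Marshal.ReadByte(GetSidSubAuthorityCount(pSid));
                return (uint)Marshal.ReadInt32(GetSidSubAuthority(pSid, (uint)(count - 1)));
            }
            finally { Marshal.FreeHGlobal(buf); }
        }
        finally { CloseHandle(hToken); }
    }
}
'@
Add-Type -TypeDefinition $src

function Get-ProcessIntegrityLevel {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        try {
            $rid = [TokenIntegrity]::GetRid($p.Handle)
            $label = switch ($rid) {
                0x0000  { 'Untrusted' }
                0x1000  { 'Low' }
                0x2000  { 'Medium' }
                0x3000  { 'High' }
                0x4000  { 'System' }
                default { '0x{0:X4}' -f $rid }
            }
        } catch {
            # Protected or foreign-session processes refuse a token handle; report rather than abort.
            $label = 'access denied'
        }
        [pscustomobject]@{ Name = $p.ProcessName; Id = $p.Id; Integrity = $label }
    }
}

# Hypothetical process names: the sandboxed plugin process is expected to report Low,
# the browser/broker process Medium. Adjust to the names on the system under test.
Get-ProcessIntegrityLevel -Name 'FlashPlayerPlugin*'
Get-ProcessIntegrityLevel -Name 'firefox'
```

Any sandboxed child that comes back as Medium is a regression worth filing: at Medium the no-write-up rule no longer stops it from touching the user's files, so the broker is being bypassed rather than used. Uncommon labels such as Medium Plus are printed as their raw RID in hex.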
Problems they faced:
- Compatibility with browser NPAPI, which was not built with this purpose in mind
- IPC connections to the browser can get mangled; messages sometimes arrive in the wrong order
- This caused many unreproducible crashes in the wild that could never be reproduced in extensive in-house testing
- Initially unstable, but after 2 years it has returned to pre-sandbox stability
- Broke other pieces of software that hosted FP, as they relied on FP calling into them under conditions that FP itself had changed
- Ran into unexpected issues with personal firewall products like Comodo and ZoneAlarm, which (apparently) interpose themselves between FP and the browser itself
- Chrome and the Pepper API: Google was not willing to help FP with its needs in this department
Positives:
- Have effectively killed large classes of attacks (in above configs only)
- Mozilla was a big help to them, as the only browser vendor that provided helpful crash stacks from the wild
Negatives:
- Lots of unreproducible bugs. They don't even investigate many of these, anymore. Because of above-mentioned NPAPI sync issues, race conditions will create crashes that weren't caught in thousands of iterations of tests in-house.
- Unrelated, but downstaffing/brain drain of eng means that no one who worked on sandbox is left at the company.
Overall:
- Positive outcome, with a high cost
- "Sandbox is not a panacea" - they have other new features (such as JIT constant blinding) that help a lot
- Note: Mac OS X "Mavericks" will have plugin sandboxing of some sort
Testing strategy:
- TBD, but if/when we get to this point, we'll need to have a list of things that will be brokered from web content (printer, file system, clipboard, camera, etc.) and test heavily around those areas.
- Just a big, wide surface: test runs as long and as broad as possible to catch regressions and fix them