Mozilla is launching Firefox 95 with a new sandbox technology called RLBox that prevents untrusted code and other security vulnerabilities from causing “accidental flaws and supply chain attacks.”
dubbing”RLBox“Improved protection mechanisms implemented in collaboration with researchers at the University of California, San Diego and the University of Texas are audio, video, fonts, images, and other content.
To that end, Mozilla has built a “fine-grained sandbox” into five modules. graphite Font rendering engine, Hanspel Spell checker, Ogg Multimedia container format, Expatriate XML parser, and Woff2 Web font compression format.
The framework is WebAssemblyIs an open standard that defines a portable binary code format for executable programs that can be run in modern web browsers, isolating potentially dangerous code. prototype That version shipped to Mac and Linux users in February 2020.
All major browsers are designed to run web content in their own sandbox environment as a means of preventing malicious sites from exploiting browser vulnerabilities to compromise the underlying operating system. increase. Firefox is also implemented Site separationIt loads each website individually in its own process, thus blocking any code hosted on the malicious website from accessing sensitive information stored on other sites.
According to Mozilla, the problem with these approaches is that the attack works and is implemented by joining two or more flaws aimed at breaking sandboxed processes, including suspicious sites, and breaking quarantine barriers. It is to effectively undermine the security measures that have been taken.
“Separation mods are labor-intensive, highly prone to security bugs, and require close performance attention,” the researchers said. paper It formed the basis of function. RLBox “minimizes the burden of converting Firefox to use untrusted code safely and efficiently.”
RLBox enhances browser security by sandboxing third-party C / C ++ language libraries that are vulnerable to attacks from interference with other browser processes and limit potential damage. The purpose is that. In other words, the goal is to separate the library into a lightweight sandbox so that threat attackers can’t exploit the vulnerabilities in these subcomponents to affect other parts of the browser.
“Rather than putting the code together in a separate process, we compile it into WebAssembly instead, and then compile that WebAssembly into native code,” said Bobby Holley, Mozilla’s principal engineer. Said.. “Transformation imposes two important restrictions on the target code: you cannot jump to unexpected parts of the rest of the program, or you cannot access memory outside the specified area. [these libraries] Firefox should not be a threat. “
Mozilla says Graphite, Hunspell, and Ogg’s cross-platform sandboxes are shipping to desktop and mobile versions of browsers in Firefox 95, while Expat and Woff 2 will get support for Firefox 96 features. I did.
The latest Firefox 95 includes an RLBox sandbox to protect your browser from malicious code.
https://thehackernews.com/2021/12/latest-firefox-95-includes-rlbox.html The latest Firefox 95 includes an RLBox sandbox to protect your browser from malicious code.