If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Verify Shumway's outermost sandbox

RESOLVED INCOMPLETE

Status

Firefox Graveyard
Shumway
RESOLVED INCOMPLETE
3 years ago
2 years ago

People

(Reporter: till, Assigned: yury)

Tracking

Dependency tree / graph

Details

(Reporter)

Description

3 years ago
This is the most important sandbox by far, as it prevents content from doing things that normal web content can't do in an uncontrolled manner. It's defined in the ShumwayCom.jsm module[1]. It passes in capabilities via an object with functions exported using exportFunction.

Bobby, you probably need additional information before you can start reviewing this, so we should schedule a meeting to go over the architecture.

[1] https://github.com/mozilla/shumway/blob/master/extension/firefox/chrome/ShumwayCom.jsm
Flags: needinfo?(bobbyholley)
Blocks: 1037568
Assignee: nobody → ydelendik
I had a video call with mbx and yury today about this. I gave some feedback, and they're going to take a look at things and get back to me.
Flags: needinfo?(bobbyholley)
(Assignee)

Updated

3 years ago
See Also: → bug 1141375
(Assignee)

Comment 2

3 years ago
https://github.com/mozilla/shumway/wiki/Outer-Sandbox-Security
(Reporter)

Comment 3

3 years ago
The feedback mentioned in comment 1 has been addressed. Additionally, Yury wrote extensive documentation about our sandboxing, linked to in comment 2.

Bobby, do you think this is in a reviewable state now? We could come down to MV next week (or you up to SF) to kick things off, if that works for you.
Assignee: ydelendik → nobody
Flags: needinfo?(bobbyholley)
My biggest concern in comment 1 was the whole "running SWFs from different domains in the same compartment". Has that been addressed in a substantive way?

Per email, I'll be in SF on Wednesday, so we can meet then.
(Reporter)

Comment 5

3 years ago
(In reply to Bobby Holley (:bholley) from comment #4)
> My biggest concern in comment 1 was the whole "running SWFs from different
> domains in the same compartment". Has that been addressed in a substantive
> way?

We're currently working on a huge project to support SecurityDomains. In theory, that is what's needed to support running multiple SWFs in the same compartment in a safe manner. In practice, we'll very likely not be able to get this to a state where we have sufficient confidence in it being correct before 1.0.

Our plan for dealing with this is to largely punt on it. We think we can get away with that by exploiting two simplifying assumptions:

1. Banner ads very rarely load child SWFs from other domains. If they do, in all cases we could find they loaded them from domains that had crossdomain.xml files allowing the initial SWF to load arbitrary data from that domain. That means that they could've just loaded the SWF as bytes and executed it in their own domain, obviating the need for SecurityDomain. There's a difference in privileges there: the child SWF wouldn't be running in the security context of its original domain if it were loaded as bytes and then evaluated in another domain, so it couldn't load data from its original domain without a crossdomain.xml. That is ok, because we have already established that we do have such a crossdomain.xml file.

2. 1) above protects the loaded SWF from being accessed from the loading one in an insecure manner. That leaves the other direction. In pretty much all real-world cases, the protections gained through SecurityDomain are immediately given up on by using System.Security.allowDomain('*'). When we load a SWF from another domain, we check if the loading SWF has called System.Security.allowDomain('*'). If not, we reject the load, so the loading SWF cannot be compromised because of bugs in our SecurityDomain implementation.

Note that these two mitigations only work because of specific characteristics of banner ads. If and when we start targeting other content, we'll probably have to lose them. For now, this should cover the security concerns in a manner that doesn't break the content we care about, though.
We discussed this all in person on Wednesday.
Flags: needinfo?(bobbyholley)
(Assignee)

Updated

3 years ago
Depends on: 1150771
(Assignee)

Updated

3 years ago
See Also: → bug 1154731
Assignee: nobody → ydelendik
(Assignee)

Updated

3 years ago
Depends on: 1160230
Blocks: 1037580
(Reporter)

Comment 7

2 years ago
Bugs that block m3 don't need to also block m4.
No longer blocks: 1037580
Product: Firefox → Firefox Graveyard
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.