Open Bug 1562797 (Use-WASM-sandboxed) Opened 1 year ago Updated 3 months ago

[meta] Use WASM sandboxed libraries in Firefox to reduce attack surface

Categories

(Core :: ImageLib, task)

task
Not set
normal

Tracking

()

ASSIGNED

People

(Reporter: shravanrn, Assigned: shravanrn)

References

(Depends on 3 open bugs, Blocks 1 open bug, )

Details

(Keywords: meta)

This tracks the progress of the project "Toolkit for sandboxing third-parties libraries in Firefox" described here

https://wiki.mozilla.org/Community:SummerOfCode19

This is a part of the Google Summer of Code program. Reproducing the description below.

Firefox supports a long tail of infrequently used image and audio formats to support the occasional website that uses them. Each such format requires the Firefox decoder to use a new open source library for parsing and decoding. This, unfortunately, increases the attack surface of Firefox and as we saw in Pwn2Own 2018, Firefox was successfully exploited via a bugs in such libraries (libogg in this case).

This project proposes to sandbox third-party libraries in Firefox by building a new software-fault isolation toolkit. Our tookit will build on the WebAssembly compiler to isolate libraries in Firefox. But, as part of this toolkit we will also develop and apply a library for safely interfacing with sandboxed libraries (and sanitizing data coming from them). with this toolkit we can ensure that any vulnerability in third-party libraries (e.g., libogg or libpng) cannot be used to be used to compromise Firefox.

Mentor: shravanrn
Assignee: nobody → shravanrn
Mentor: shravanrn
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Component: General → ImageLib
Product: Firefox → Core
Depends on: cxx17
Depends on: 1566220
Depends on: 1566226
Depends on: 1566233
Depends on: 1566235
Depends on: 1566236
Depends on: 1566238
Depends on: 1566244
Depends on: 1566245
Depends on: 1566247
Depends on: 1566248
No longer depends on: 1566244
No longer depends on: 1566248
No longer depends on: 1566245
No longer depends on: 1566247

There appears to be a large number of new, open bugs for this project that do not block this metabug. Please fix this. Please also set bug type and priority for all those new bugs so that I don't have to; Enhancement and P3 will usually be appropriate. Thanks.

Flags: needinfo?(shravanrn)

(In reply to Lars T Hansen [:lth] from comment #1)

There appears to be a large number of new, open bugs for this project that do not block this metabug. Please fix this. Please also set bug type and priority for all those new bugs so that I don't have to; Enhancement and P3 will usually be appropriate. Thanks.

Not sure I fully follow the request about blocking - All tasks/bugs block sub-bugs which block the meta-bug. Could you please clarify?
Bugs have been set to P3. Relevant bugs have now been tagged as enhancements.

Flags: needinfo?(shravanrn)

I guess a bug tree is fine in general, as we have no unambiguous culture for bugs additionally blocking the ultimate bug for the feature, sorry for coming on so strong. Thanks for fixing the priorities & bug types.

Depends on: 1572616
Depends on: 1584370
Depends on: 1601407
Alias: Use-WASM-sandboxed
Keywords: meta
Summary: Use WASM sandboxed libraries in Firefox to reduce attack surface → [meta] Use WASM sandboxed libraries in Firefox to reduce attack surface
Depends on: 1605190
Depends on: 1653659
You need to log in before you can comment on or make changes to this bug.