1562797 - (Wasm-sandboxing) [meta] Use WASM sandboxed libraries in Firefox to reduce attack surface

Status: ASSIGNED

(Core :: Graphics: ImageLib, task)

Description

[Shravan Narayan]

This tracks the progress of the project "Toolkit for sandboxing third-parties libraries in Firefox" described here

https://wiki.mozilla.org/Community:SummerOfCode19

This is a part of the Google Summer of Code program. Reproducing the description below.

Firefox supports a long tail of infrequently used image and audio formats to support the occasional website that uses them. Each such format requires the Firefox decoder to use a new open source library for parsing and decoding. This, unfortunately, increases the attack surface of Firefox and as we saw in Pwn2Own 2018, Firefox was successfully exploited via a bugs in such libraries (libogg in this case).

This project proposes to sandbox third-party libraries in Firefox by building a new software-fault isolation toolkit. Our tookit will build on the WebAssembly compiler to isolate libraries in Firefox. But, as part of this toolkit we will also develop and apply a library for safely interfacing with sandboxed libraries (and sanitizing data coming from them). with this toolkit we can ensure that any vulnerability in third-party libraries (e.g., libogg or libpng) cannot be used to be used to compromise Firefox.

Comment 1

[Lars T Hansen [:lth]]

There appears to be a large number of new, open bugs for this project that do not block this metabug. Please fix this. Please also set bug type and priority for all those new bugs so that I don't have to; Enhancement and P3 will usually be appropriate. Thanks.

Comment 2

[Shravan Narayan]

(In reply to Lars T Hansen [:lth] from comment #1)

There appears to be a large number of new, open bugs for this project that do not block this metabug. Please fix this. Please also set bug type and priority for all those new bugs so that I don't have to; Enhancement and P3 will usually be appropriate. Thanks.

Not sure I fully follow the request about blocking - All tasks/bugs block sub-bugs which block the meta-bug. Could you please clarify?
Bugs have been set to P3. Relevant bugs have now been tagged as enhancements.

Comment 3

[Lars T Hansen [:lth]]

I guess a bug tree is fine in general, as we have no unambiguous culture for bugs additionally blocking the ultimate bug for the feature, sorry for coming on so strong. Thanks for fixing the priorities & bug types.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

The bug assignee is inactive on Bugzilla, so the assignee is being reset.

Comment 5

[Marco Castelluccio [:marco]]

Sorry, there was a problem with the detection of inactive users. I'm reverting the change.