Closed Bug 772403 Opened 12 years ago Closed 11 years ago

Security Review work related to Multi-process support for B2G

Categories

(mozilla.org :: Security Assurance, task, P2)

x86
macOS

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: pauljt, Assigned: pauljt)

References

()

Details

A security review of the multi-process features of B2G.

Related bugs:
Bug 714861
Component: Security Assurance → Security Assurance: Review Request
QA Contact: security-assurance
Assignee: nobody → ptheriault
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings

Priority: 4 (P2) - Mozilla Initiative

Operational: 0 - N/A
User: 5 - Blocker
Privacy: 4 - Critical
Engineering: 3 - Major
Reputational: 3 - Major

Priority Score: 60
Severity: normal → blocker
Priority: -- → P2
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy][Score:60:Medium]
This is really a tracking bug for review work related to multiprocess. Adding blockers to this, which contain the review actions related to multi-process.

Some high level notes:

Feature:
Basically <frame>s can be loaded Out Of Process (OOP) in B2G, which results in a forked B2G (gecko) process running with reduced rights. Currently only the System App can create these frames by setting the remote attribute to be true (i.e. other apps setting remote='true' has no effect).

Threats Brainstorming
---------
* Too many processes created and phone gets DoS.
 ** Only the system app can set remote=true
* Bypass child process initialization
* Leaked file descriptors can be used to access resources as parent process (note: made a separate "quick" review: https://bugzilla.mozilla.org/show_bug.cgi?id=753107)
* Special child process types have full privileges and can be used to compromise the system (such as the camera)
* Some APIs require the child to have more than IPDL resource access (webgl, camera library, ...). Those could be abused by the child process
* Eventually this ability will be tied to a permission (open-remote-window) but this hasn't landed yet (819882)
* Child process is compromised and sends spurious messages to the parent (see bug 777602)
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy][Score:60:Medium]
Component: Security Assurance: Review Request → Security Assurance
Summary: [Security Review] Multi-process support for B2G → Security Review work related to Multi-process support for B2G
This work has been superseded by the sandboxing project.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
No longer depends on: 746280