Bug 930199
Opened 12 years ago
Updated 3 years ago
Disable ctypes in child processes
Categories
(Core :: js-ctypes, enhancement)
Tracking
NEW
Tracking | Status
---|---
e10s | later
People
(Reporter: evilpies, Unassigned)
References
(Blocks 1 open bug)
Details
After the whole Tor debacle, we should maybe consider disabling ctypes in child processes and thus avoid any dependencies on it. It makes it very easy to do stuff if you have already exploited the browser. I am aware that this is somewhere in the corner of security by obscurity.
Comment 1•12 years ago
Given that child processes are going to be sandboxed anyway, this sounds clearly like a good idea.
Comment 2•12 years ago
Is ctypes the only thing we'd want to disable?
Comment 3•12 years ago
Probably not, but it's easy and a good start.
Comment 4•12 years ago
For that matter does anyone know what the NSA was (allegedly) using ctypes for?
Does it strike anyone else as a little odd to use js-ctypes in an exploit? Doesn't using it imply that you've already got chrome privileges? I think it was probably as simple as "great, we have chrome privileges, now all we have to do is figure out how to call system()" followed by googling for "libc firefox" or whatever other combination of keywords leads to js-ctypes.
In other words, total lack of experience with Gecko. Removing js-ctypes, by itself, would not protect against this kind of adversary.
Convince me this is a real security measure.
Comment 5•12 years ago
I agree with Jason. I don't see the difference between using js-ctypes and using off-the-shelf shellcode. But maybe there's something I'm missing.
Comment 6•12 years ago
We also use js-ctypes for real things nowadays, like OS.File.
Comment 7•12 years ago
(In reply to Bobby Holley (:bholley) from comment #5)
> I agree with Jason. I don't see the difference between using js-ctypes and
> using off-the-shelf shellcode. But maybe there's something I'm missing.
Or is the issue that the exploit got them chrome script access, rather than arbitrary machine code execution? In that case, they might have to do a tiny amount more research (as Jason suggests), but it's still just an issue of using Components or importing the right JSM to munge the system in the way they want.
Reporter
Comment 8•12 years ago
Ctypes also makes it easy to write code that will probably break with sandboxing (e.g. file operations). I think we should try disabling it while it's still easy.
Comment 9•11 years ago
Mass tracking-e10s flag change. Filter bugmail on "2be0fcce-e36a-4e2c-aa80-0e3d33eb5406".
tracking-e10s: --- → +
Updated•11 years ago
Updated•3 years ago
Type: defect → enhancement
Updated•3 years ago
Severity: normal → S3