Don't Get Owned by Your Dependencies: How Firefox Uses In-process Sandboxing To Protect Itself From Exploitable Libraries (And You Can Too!)

Presented at Black Hat USA 2022, Aug. 11, 2022, 2:30 p.m. (30 minutes)

Memory safety vulnerabilities in third party C libraries are a major source of zero-day attacks in today's applications. Several years ago, our team began exploring a new approach to mitigating these attacks in Firefox, which relies on third party libraries for everything from media rendering to spell checking.

To accomplish this, we began migrating Firefox to an architecture where third party C libraries are run in lightweight in-memory sandboxes (based on WebAssembly). Firefox has been shipping with this new architecture since 2020.

We will explore a variety of hard questions we encountered when bringing this approach to Firefox: How do we ensure sandboxing is efficient enough that we don't have to significantly change or re-architect existing code? How can we retrofit sandboxing without changing the libraries themselves? How do we ensure that our application (Firefox), which was written to trust its libraries, cannot be exploited when a malicious (but sandboxed) library attacks it?

We will talk about a new language-level framework (RLBox) we developed to meet these challenges. RLBox uses the language's type system to (1) track inputs from untrusted libraries and ensure they are properly sanitized before use, (2) automatically reconcile ABI differences between WebAssembly and application code, and (3) automate and assist with the process of migrating existing code to use untrusted libraries.
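To make point (1) concrete, here is a minimal illustration of the tainted-type idea: every value that comes back from the sandboxed library is wrapped in a type the application cannot use directly, so the only way to get a plain value is to pass it through a verifier. This is an added example, not RLBox's own API or Firefox code; the decoder library, the 4096-byte buffer, and all function names are hypothetical.

```cpp
#include <cstddef>
#include <optional>
#include <type_traits>

// Hypothetical sandboxed library: an image decoder that reports how many
// bytes its decoded header occupies. If the library is compromised, this
// value is attacker-controlled, so the application must not trust it.
struct FakeSandboxedDecoder {
    size_t reported_len;
    size_t header_len() const { return reported_len; }
};

// Minimal tainted wrapper. There is deliberately no conversion to T and no
// accessor for the raw value: application code that forgets to verify a
// library result fails to compile instead of silently trusting it.
template <typename T>
class tainted {
    T raw_;
public:
    explicit tainted(T v) : raw_(v) {}

    // The verifier receives a private copy, so the sandboxed library cannot
    // change the value between the check and its use (no TOCTOU window).
    template <typename F>
    auto copy_and_verify(F verifier) const {
        T copy = raw_;
        return verifier(copy);
    }
};

// Compile-time guard: a tainted size_t is not usable where a size_t is expected.
static_assert(!std::is_convertible<tainted<size_t>, size_t>::value,
              "tainted values must not convert implicitly");

// Stand-in for a sandbox invoke: results always come back tainted.
tainted<size_t> invoke_header_len(const FakeSandboxedDecoder& lib) {
    return tainted<size_t>(lib.header_len());
}

// Application side: the decoded header is copied into a fixed buffer, so the
// verifier rejects any length the library reports that would overflow it.
constexpr size_t kHeaderBufSize = 4096;

std::optional<size_t> verified_header_len(const FakeSandboxedDecoder& lib) {
    tainted<size_t> len = invoke_header_len(lib);
    return len.copy_and_verify([](size_t n) -> std::optional<size_t> {
        if (n > kHeaderBufSize) return std::nullopt;  // would overflow: reject
        return n;
    });
}
```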

We will share some examples of our own experience applying RLBox in Firefox, and briefly explore the performance impact of sandboxing. RLBox and its related tools are fully open source and available to participants. We will explore how participants can apply our tools to their own projects.


Presenters:

  • Deian Stefan - Professor, UC San Diego
    Deian Stefan is a Professor at UC San Diego.
  • Tal Garfinkel - Research Scientist, UC San Diego
    Tal Garfinkel is a research scientist at UC San Diego. He is the author of 29 academic publications and eleven patents. His work has received the distinguished paper and best paper awards at the Usenix Security Symposium, and the best paper award at the Usenix Annual Technical Conference. Garfinkel's work has been foundational to trusted computing (Terra) and software-defined networking (SANE), and introduced the technique of virtual machine introspection (VMI). In 2019, his paper on VMI received the NDSS "test of time" award for "[opening] the floodgates on a tremendous amount of research and derivative tools." The paper is the most highly cited NDSS paper between 1995 and 2009. Garfinkel was the co-founder and program co-chair of the Usenix Workshop on Offensive Technology (WOOT). He has also been a lecturer and invited speaker in both academic and industry forums.
  • Shravan Narayan - PhD Student, UC San Diego
    Shravan Narayan is in the final year of his PhD at the University of California, San Diego, in the Computer Science and Engineering Department. Shravan works in the Computer Security and Programming Languages groups, advised by Prof. Deian Stefan. Shravan's primary research interests are approaches to maintaining security while writing large applications, such as the use of sandboxing/fault isolation, memory safety enforcement techniques, and verified programming.
