Necko: Sandboxing TCP/UDP socket in a separate process

From MozillaWiki

Revision as of 09:46, 16 November 2017 by Schien (talk | contribs) (add TODOs section)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

Objectives

Move all the network and socket operations to an isolated process.

Goals

For security
- Sandboxing network access into a separate process, preventing chrome process from opening socket
- Preventing protocol security hole to be used to control the entire browser
For stability
- Allow recovering network layer without rebooting firefox, if crash/assertion is detected in the socket process
For performance
- No major regression found for start-up performance and network throughput

Requirements

HTTP Channel

FTP Channel

TCP Socket

UDP Socket

DNS

Cache

Proxy

WebSocket

WebRTC

NSS

PKI/PKIX

Sandboxing

Chrome process is still the only secure zone. Every IPC interface received at Chrome process should be audited
IPC to content process or socket process should at least do sanity check in the receiver side
Better not providing interface to create arbitrary TCP/UDP connection

Design

Architecture

IPDL

Start-up Procedure

Create HTTP Channel

Create WebRTC Channel

Update Preference

Override Certificate

NTLM

TODOs

hook ProcessHangMonitor
hook CrashReporter
hook MemoryPresure
hook MemoryReporter
ensure Telemetry works
ensure MOZ_LOG works
remove XPCOM and support only C++ implementation

Retrieved from "https://dev.wikimo.nonprod.webservices.mozgcp.net/index.php?title=Necko:_Sandboxing_TCP/UDP_socket_in_a_separate_process&oldid=1184294"