Necko: Sandboxing TCP/UDP socket in a separate process
Objectives
Move all the network and socket operations to an isolated process.
Goals
- For security
- Sandboxing network access into a separate process, preventing the chrome process from opening sockets
- Preventing a protocol security hole from being used to control the entire browser
- For stability
- Allow recovering the network layer without restarting Firefox if a crash/assertion is detected in the socket process
- For performance
- No major regression in start-up performance or network throughput
Requirements
HTTP Channel
FTP Channel
TCP Socket
UDP Socket
DNS
Cache
Proxy
WebSocket
WebRTC
NSS
PKI/PKIX
Sandboxing
- The chrome process is still the only secure zone; every IPC interface received by the chrome process should be audited
- IPC to the content process or socket process should at least do a sanity check on the receiver side
- Better not to provide an interface for creating arbitrary TCP/UDP connections
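The two receiver-side rules above, sketched as a small model added here (this is illustrative code, not Necko's IPDL actors): requests reaching the socket process are scoped to a channel id that the chrome process registered, sizes are bounded before anything is allocated, and a request for a raw, arbitrary TCP/UDP connection is refused outright. The message layout, the channel registry and the size bound are all constructed for the example.

```cpp
// Added illustration (not Mozilla code): receiver-side sanity checks on a
// hypothetical IPC request arriving at the socket process.
#include <cstdint>
#include <set>
#include <string>

// Hypothetical request. Instead of exposing an "open arbitrary TCP/UDP
// connection" interface, requests refer to a channel id that the chrome
// process registered when it created the HTTP channel.
struct SocketRequest {
    uint64_t channelId;      // id handed out by the chrome process
    uint32_t payloadLength;  // bytes the sender claims to have attached
    std::string host;        // only present on the (rejected) raw-connect form
    uint16_t port;
    bool rawConnect;         // true = asks for an arbitrary TCP/UDP connection
};

enum class Verdict { Accept, RejectRawConnect, RejectUnknownChannel, RejectOversized };

class SocketProcessReceiver {
public:
    static constexpr uint32_t kMaxPayload = 1u << 20;  // constructed bound

    // Called on the chrome side's behalf when "Create HTTP Channel" succeeds.
    void RegisterChannel(uint64_t id) { mChannels.insert(id); }

    // The receiver never trusts what the sender claims; every field is checked.
    Verdict Validate(const SocketRequest& req) const {
        if (req.rawConnect) {
            return Verdict::RejectRawConnect;       // no arbitrary-connect interface
        }
        if (mChannels.count(req.channelId) == 0) {
            return Verdict::RejectUnknownChannel;   // must be chrome-registered
        }
        if (req.payloadLength > kMaxPayload) {
            return Verdict::RejectOversized;        // bound sizes before allocating
        }
        return Verdict::Accept;
    }

private:
    std::set<uint64_t> mChannels;  // channels the chrome process has registered
};
```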
Design
Architecture
IPDL
Start-up Procedure
Create HTTP Channel
Create WebRTC Channel
Update Preference
Override Certificate
NTLM
TODOs
- hook ProcessHangMonitor
- hook CrashReporter
- hook MemoryPressure
- hook MemoryReporter
- ensure Telemetry works
- ensure MOZ_LOG works
- remove XPCOM and support only C++ implementation