New sandboxing approach in web browser increases security

A powerful new approach to securing web browsers, using a tool called WebAssembly, is getting its first real-world application in the Firefox browser. Developed by a team of researchers from The University of Texas at Austin, the University of California San Diego, Stanford University and Mozilla, the approach shifts some of the browser code into “secure sandboxes” that prevent malicious code from taking over the user’s computer.

The new approach is now part of a test release of the Firefox browser for the Linux operating system and could be available on Windows and MacOS platforms within a few months.

Web browsers use libraries of code to do common activities — such as rendering media files including photos, videos and audio — but these libraries often have unreported bugs that can be exploited by hackers to take control of a computer.

“Modern browsers are the nightmare scenario for security,” said Hovav Shacham, professor of computer science at UT Austin and co-author of a related paper accepted for presentation at a computer security conference to be held this August. “They have every feature imaginable. The more features you have, the more bugs there are. And the more bugs there are, the more chances an attacker has to compromise people’s devices. Attackers love attacking browsers, and they really understand how to do it.”

To prevent hackers from exploiting these vulnerabilities, the researchers are adapting WebAssembly, a security mechanism originally designed to speed up web applications that run within a browser while keeping those applications within “secure sandboxes” that prevent malicious code from taking over the user’s computer. Applications that take advantage of WebAssembly include games and apps that perform music streaming, video editing, encryption and image recognition. In the researchers’ new approach, some of the browser’s own internal components — those responsible for the decoding of media files — would be shifted into WebAssembly sandboxes.

The researchers’ approach, called the RLBox framework, is described in a paper (“Retrofitting Fine Grain Isolation in the Firefox Renderer”) that will be presented at the USENIX Security Symposium in August. The papers’ first author is UC San Diego Computer Science and Engineering Department graduate student Shravan Narayan, and the lead author is UC San Diego assistant professor Deian Stefan.

The new approach will initially be applied to a test version of Firefox for the Linux operating system and will secure just one rendering library used for certain fonts. Assuming the initial tests go well, the team expects the approach will be gradually expanded to include stable, full release versions of the browser on all major operating systems. They also anticipate future expansion will include other components involved in rendering media files.

“If the initial tests go well, then Firefox could apply this to all the image, video and audio formats that the browser supports,” Shacham said. “The hope is that at some point, bugs in all of those libraries become useless for hacking Firefox. And if that happens, then user security would be greatly improved.”

Over time, as more parts of the browser get these improvements and are incorporated into versions on more operating systems, it could improve security for millions of users worldwide. There are roughly 250 million monthly active users of the Firefox browser on desktop computers.

“Defects happen,” said Eric Rescorla, Firefox CTO at Mozilla. “To keep our users secure on the internet, we need to ensure that a single programming error cannot easily compromise the browser. To date the industry’s approach to this problem has been very coarse-grained, which limits its effectiveness. We’re very excited to bring the new level of isolation provided by RLBox to our users.”

###

Other co-authors on the papers are UC San Diego graduate student Craig Disselkoen; Mozilla engineers Nathan Froyd and Eric Rahm; Stanford research associate Tal Garfinkel; and UC San Diego Computer Science and Engineering Department professor Sorin Lerner.

Read more about this project from Mozilla’s Hacks Blog.