-
Retrofitting Fine Grain Isolation in the Firefox Renderer (Extended Version)
Authors:
Shravan Narayan,
Craig Disselkoen,
Tal Garfinkel,
Nathan Froyd,
Eric Rahm,
Sorin Lerner,
Hovav Shacham,
Deian Stefan
Abstract:
Firefox and other major browsers rely on dozens of third-party libraries to render audio, video, images, and other content. These libraries are a frequent source of vulnerabilities. To mitigate this threat, we are migrating Firefox to an architecture that isolates these libraries in lightweight sandboxes, dramatically reducing the impact of a compromise.
Retrofitting isolation can be labor-intensive, very prone to security bugs, and requires critical attention to performance. To help, we developed RLBox, a framework that minimizes the burden of converting Firefox to securely and efficiently use untrusted code. To enable this, RLBox employs static information flow enforcement, and lightweight dynamic checks, expressed directly in the C++ type system.
RLBox supports efficient sandboxing through either software-based fault isolation or multi-core process isolation. Performance overheads are modest and transient, and have only minor impact on page latency. We demonstrate this by sandboxing performance-sensitive image decoding libraries (libjpeg and libpng), video decoding libraries (libtheora and libvpx), the libvorbis audio decoding library, and the zlib decompression library.
RLBox, using a WebAssembly sandbox, has been integrated into production Firefox to sandbox the libGraphite font shaping library.
Submitted 9 March, 2020; v1 submitted 1 March, 2020;
originally announced March 2020.
-
Engineering Record And Replay For Deployability: Extended Technical Report
Authors:
Robert O'Callahan,
Chris Jones,
Nathan Froyd,
Kyle Huey,
Albert Noll,
Nimrod Partush
Abstract:
The ability to record and replay program executions with low overhead enables many applications, such as reverse-execution debugging, debugging of hard-to-reproduce test failures, and "black box" forensic analysis of failures in deployed systems. Existing record-and-replay approaches limit deployability by recording an entire virtual machine (heavyweight), modifying the OS kernel (adding deployment and maintenance costs), requiring pervasive code instrumentation (imposing significant performance and complexity overhead), or modifying compilers and runtime systems (limiting generality). We investigated whether it is possible to build a practical record-and-replay system avoiding all these issues. The answer turns out to be yes, if the CPU and operating system meet certain non-obvious constraints. Fortunately, modern Intel CPUs, Linux kernels and user-space frameworks do meet these constraints, although this has only become true recently. With some novel optimizations, our system 'rr' records and replays real-world low-parallelism workloads with low overhead, with an entirely user-space implementation, using stock hardware, compilers, runtimes and operating systems. 'rr' forms the basis of an open-source reverse-execution debugger seeing significant use in practice. We present the design and implementation of 'rr', describe its performance on a variety of workloads, and identify constraints on hardware and operating system design required to support our approach.
Submitted 16 May, 2017;
originally announced May 2017.
-
Lightweight User-Space Record And Replay
Authors:
Robert O'Callahan,
Chris Jones,
Nathan Froyd,
Kyle Huey,
Albert Noll,
Nimrod Partush
Abstract:
The ability to record and replay program executions with low overhead enables many applications, such as reverse-execution debugging, debugging of hard-to-reproduce test failures, and "black box" forensic analysis of failures in deployed systems. Existing record-and-replay approaches rely on recording an entire virtual machine (which is heavyweight), modifying the OS kernel (which adds deployment and maintenance costs), or pervasive code instrumentation (which imposes significant performance and complexity overhead). We investigated whether it is possible to build a practical record-and-replay system avoiding all these issues. The answer turns out to be yes, if the CPU and operating system meet certain non-obvious constraints. Fortunately, modern Intel CPUs, Linux kernels and user-space frameworks meet these constraints, although this has only become true recently. With some novel optimizations, our system RR records and replays real-world workloads with low overhead with an entirely user-space implementation running on stock hardware and operating systems. RR forms the basis of an open-source reverse-execution debugger seeing significant use in practice. We present the design and implementation of RR, describe its performance on a variety of workloads, and identify constraints on hardware and operating system design required to support our approach.
Submitted 7 October, 2016;
originally announced October 2016.