Don't Get Owned by Your Dependencies: How Firefox Uses In-process Sandboxing To Protect Itself From Exploitable Libraries (And You Can Too!)

Conference: Black Hat USA 2022

2022-08-11

Summary

RLBox is a framework that simplifies adopting in-process sandboxing in applications, offering fast sandboxing with low engineering effort.
  • RLBox uses types to hide low-level details and track untrusted data and control flow
  • RLBox is a production-ready tool that automates API calls, data marshalling, and required bounds checks
  • RLBox simplifies the adoption of in-process sandboxing into applications
  • RLBox is being used by Firefox and is covered under their bug bounty program
The speaker presents RLBox as a framework that makes in-process sandboxing practical to adopt: its type system hides low-level sandbox details and tracks untrusted data and control flow, while automating API calls, data marshalling, and the required bounds checks. RLBox is production-ready, ships in Firefox, and is covered by Firefox's bug bounty program.

Abstract

Memory safety vulnerabilities in third party C libraries are a major source of zero-day attacks in today's applications. Several years ago, our team began exploring a new approach to mitigating these attacks in Firefox, which relies on third party libraries for everything from media rendering to spell checking. To accomplish this, we began migrating Firefox to an architecture where third party C libraries are run in lightweight in-memory sandboxes (based on WebAssembly). Firefox has been shipping with this new architecture since 2020.

We will explore a variety of hard questions we encountered when bringing this approach to Firefox: How do we ensure sandboxing is efficient enough that we don't have to significantly change or re-architect existing code? How can we retrofit sandboxing without changing libraries? How do we ensure that our application (Firefox), which was written to trust libraries, cannot be exploited when a malicious (but sandboxed) library attacks it?

We will talk about a new language-level framework (RLBox) we developed to meet these challenges. RLBox exploits the language-level type system to (1) track inputs from untrusted libraries to ensure they are properly sanitized before use, (2) automatically reconcile ABI differences between WebAssembly and application code, and (3) automate and assist with the process of migrating existing code to use untrusted libraries. We will share some examples of our own experience applying RLBox in Firefox, and briefly explore the performance impact of sandboxing. RLBox and its related tools are fully open source and available to participants. We will explore how participants can apply our tools to their own projects.
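The discipline the abstract describes, that a value returned by a sandboxed library stays marked as untrusted until the application has verified it, shown as an added C++ example. This is a hand-rolled model written for this page, not RLBox's own library API; the `Tainted` wrapper, `sandboxedDecodeWidth`, `copyRow` and the sample inputs are all constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hand-rolled model of RLBox's tainted-type idea (not the RLBox API):
// a value that crossed the sandbox boundary is wrapped so the
// application cannot read it until a verifier predicate has passed.
template <typename T>
class Tainted {
 public:
  explicit Tainted(T v) : value_(v) {}
  // The only way out of the wrapper: supply a predicate. Fails closed.
  template <typename Verifier>
  bool copyAndVerify(Verifier verify, T& out) const {
    if (!verify(value_)) return false;
    out = value_;
    return true;
  }
 private:
  T value_;
};

// Constructed stand-in for a sandboxed decoder call. A compromised
// library may report any width, including one larger than the buffer.
Tainted<uint32_t> sandboxedDecodeWidth(uint32_t reportedWidth) {
  return Tainted<uint32_t>(reportedWidth);
}

// Application side: copy one row out of sandbox memory. The width is
// accepted only if it fits both buffers; returns bytes copied, or 0
// when the untrusted value was rejected.
size_t copyRow(const std::vector<uint8_t>& rowFromSandbox,
               std::vector<uint8_t>& dest, uint32_t reportedWidth) {
  Tainted<uint32_t> w = sandboxedDecodeWidth(reportedWidth);
  uint32_t width = 0;
  bool ok = w.copyAndVerify(
      [&](uint32_t v) { return v <= dest.size() && v <= rowFromSandbox.size(); },
      width);
  if (!ok) return 0;
  for (uint32_t i = 0; i < width; ++i) dest[i] = rowFromSandbox[i];
  return width;
}

// Constructed inputs: an honest width is copied, a lying width is refused.
bool honestWidthIsCopied() {
  std::vector<uint8_t> row = {1, 2, 3, 4}, dest(4, 0);
  return copyRow(row, dest, 4) == 4 && dest[3] == 4;
}
bool oversizedWidthIsRejected() {
  std::vector<uint8_t> row = {1, 2, 3, 4}, dest(4, 0);
  return copyRow(row, dest, 1000) == 0 && dest[0] == 0;
}
```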
