Mozilla Begins Implementation of RLBox Library Isolation Technology

Researchers from Stanford University, the University of California, San Diego and the University of Texas at Austin have developed RLBox, a toolkit that can be used as an additional isolation layer to contain vulnerabilities in libraries. RLBox addresses the security problem of untrusted third-party libraries that are not under the developers' control, but whose vulnerabilities can compromise the main project.

Mozilla plans to use RLBox in Linux builds of Firefox 74 and macOS builds of Firefox 75 to isolate execution of the Graphite library, which is responsible for font rendering. RLBox is not specific to Firefox, however, and can be used to isolate arbitrary libraries in other projects. The RLBox runtime is distributed under the MIT license. RLBox currently supports Linux and macOS, with Windows support expected later.

RLBox works by compiling the C/C++ code of the isolated library into low-level WebAssembly intermediate code, which is then packaged as a WebAssembly module whose permissions apply only to that module (for example, a string-processing library will be unable to open a network socket or a file). C/C++ code is converted to WebAssembly using wasi-sdk.

For direct execution, the WebAssembly module is compiled to machine code with the Lucet compiler and runs in a separate "nanoprocess" isolated from the rest of the application's memory. Lucet is based on the same code as the Cranelift JIT engine used in Firefox to execute WebAssembly.

The compiled module operates in a separate memory region and has no access to the rest of the address space. If a vulnerability in the library is exploited, the attacker is confined and cannot reach the main process's memory or transfer control outside the isolated environment.


Developers are given a high-level API for calling library functions in isolated mode. WebAssembly-sandboxed handlers require almost no additional resources, and interacting with them is not much slower than calling ordinary functions: the library functions run as native code, and overhead arises only when copying and checking data at the boundary of the isolated environment. Isolated library functions cannot be called directly and must be invoked through the invoke_sandbox_function() wrapper.

Conversely, if the library needs to call external functions, those functions must be explicitly exposed with the register_callback method (by default, RLBox provides access to the standard library functions). Isolating code execution is not enough to ensure memory safety; the data returned from the sandbox must also be checked.

Values produced in the isolated environment are marked as untrusted (tainted) and restricted; to be "cleaned" they must be verified and copied into application memory. Without such cleaning, attempting to use tainted data in a context that expects ordinary data (or vice versa) produces a compile-time error. Small function arguments, return values and structures are passed by copying between process memory and sandbox memory. For large data sets, memory is allocated inside the isolated environment and a direct pointer into the sandbox (a sandbox reference) is returned to the main process.
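The following is an added, self-contained C++ model of the tainted-value discipline described above; it is not RLBox's own code and does not use the RLBox headers. The names Sandbox, tainted, invoke_sandbox_function and copy_and_verify mirror RLBox's concepts, but the implementations are simplified stand-ins written for this illustration. The "library" (lib_uppercase) and its misbehave switch are constructed for the example: with the switch on, it behaves like a compromised build and returns an out-of-range offset and an oversized length, and the host's verifiers reject the result instead of reading sandbox memory out of bounds.

```cpp
// Illustrative model of RLBox-style taint tracking, written for this page.
// It is not RLBox's own code: the names Sandbox, tainted,
// invoke_sandbox_function and copy_and_verify mirror RLBox's concepts, but
// the implementations below are simplified stand-ins.
#include <cstdint>
#include <cstring>
#include <iostream>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// Simulated sandbox memory. RLBox uses the Wasm module's linear memory; here
// it is a fixed byte array and "pointers" are offsets into it, so the library
// has no way to name host memory at all.
struct Sandbox {
    static constexpr uint32_t kSize = 4096;
    std::vector<uint8_t> mem = std::vector<uint8_t>(kSize, 0);
    uint32_t next = 0;  // bump-allocator cursor

    std::optional<uint32_t> malloc_in_sandbox(uint32_t n) {
        if (n > kSize - next) return std::nullopt;
        uint32_t off = next;
        next += n;
        return off;
    }
    bool in_bounds(uint32_t off, uint32_t n) const {
        return off <= kSize && n <= kSize - off;
    }
};

// A value produced by sandboxed code. There is deliberately no conversion to
// T, so using it where a plain T is expected is a compile-time error; the only
// way out is a verifier supplied by the caller, which receives a copy.
template <typename T>
class tainted {
public:
    explicit tainted(T v) : v_(v) {}
    template <typename Verifier>
    auto copy_and_verify(Verifier verify) const -> decltype(verify(std::declval<T>())) {
        return verify(v_);
    }
private:
    T v_;
};

// The "library" (constructed for this example): uppercases a buffer in place
// and returns the result's offset and length. With misbehave set it acts like
// a compromised build and returns an out-of-range offset and a huge length.
struct LibResult { uint32_t off; uint32_t len; };

LibResult lib_uppercase(Sandbox& sb, uint32_t off, uint32_t len, bool misbehave) {
    if (misbehave) return LibResult{Sandbox::kSize - 8, 0x7FFFFFFFu};
    for (uint32_t i = 0; i < len; ++i) {
        uint8_t& c = sb.mem[off + i];
        if (c >= 'a' && c <= 'z') c = static_cast<uint8_t>(c - 32);
    }
    return LibResult{off, len};
}

// invoke_sandbox_function stand-in: everything crossing back is tainted.
std::pair<tainted<uint32_t>, tainted<uint32_t>>
invoke_sandbox_function(Sandbox& sb, uint32_t off, uint32_t len, bool misbehave) {
    LibResult r = lib_uppercase(sb, off, len, misbehave);
    return std::make_pair(tainted<uint32_t>(r.off), tainted<uint32_t>(r.len));
}

// Host side: copy the input into the sandbox, call the library, then verify
// the tainted length and offset against what the host knows before copying
// bytes back out. Returns nullopt when allocation or verification fails.
std::optional<std::string> sandboxed_uppercase(const std::string& in, bool misbehave) {
    Sandbox sb;
    const uint32_t cap = static_cast<uint32_t>(in.size());
    std::optional<uint32_t> off = sb.malloc_in_sandbox(cap);
    if (!off) return std::nullopt;
    std::memcpy(sb.mem.data() + *off, in.data(), in.size());

    auto r = invoke_sandbox_function(sb, *off, cap, misbehave);
    // uint32_t n = r.second;  // does not compile: tainted<uint32_t> is not uint32_t

    std::optional<uint32_t> len = r.second.copy_and_verify(
        [cap](uint32_t v) -> std::optional<uint32_t> {
            return v <= cap ? std::optional<uint32_t>(v) : std::nullopt;
        });
    if (!len) return std::nullopt;
    std::optional<uint32_t> res = r.first.copy_and_verify(
        [&sb, &len](uint32_t v) -> std::optional<uint32_t> {
            return sb.in_bounds(v, *len) ? std::optional<uint32_t>(v) : std::nullopt;
        });
    if (!res) return std::nullopt;
    return std::string(reinterpret_cast<const char*>(sb.mem.data() + *res), *len);
}

int main() {
    std::cout << sandboxed_uppercase("hello, world", false).value_or("<rejected>") << "\n";
    std::cout << sandboxed_uppercase("hello, world", true).value_or("<rejected>") << "\n";
    return 0;
}
```

The two verifier lambdas are where the host's knowledge (the input's real size, the sandbox's bounds) is applied to what the library claims; a verifier that simply returns its argument would compile but would reintroduce the trust the taint type is meant to remove. Callbacks from the library into the host (register_callback) are not modeled here.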

Source: opennet.ru
