Written by
Liam Tung, Contributor
on December 7, 2021
Mozilla has released Firefox 95 and shipped it with its new security sandboxing technology called RLBox for Firefox on Windows, Linux and macOS.
The sandboxing technology was co-developed by researchers at Mozilla, the University of California, San Diego, the University of Texas, Austin, and Stanford University.
Mozilla released a preview of RLBox for Firefox on Linux and macOS last December and has now extended it to Firefox for Windows, iOS and Android, according to Mozilla.
RLBox works by separating third-party libraries from an app’s native code. The first modules it isolates are Graphite, Hunspell, Ogg, Expat and Woff2, with RLBox protecting Firefox against attacks on vulnerabilities in these libraries.
“Going forward, we can treat these modules as untrusted code, and – assuming we did it right – even a zero-day vulnerability in any of them should pose no threat to Firefox,” Mozilla announced in a blogpost.
One aspect of browser security Mozilla wanted to address with RLBox was that Firefox is written with millions of lines of C and C++ code, which are prone to memory-related security flaws. While new components are written in memory-safer Rust, C/C++ code is expected to remain in the browser. RLBox will make it easier to isolate chunks of code in a more granular way that wasn’t possible with process-level sandboxing.
Firefox already runs each site in its own process. However, hackers can still chain together two vulnerabilities to, for example, escape the sandbox.
“This is where RLBox comes in. Rather than hoisting the code into a separate process, we instead compile it into WebAssembly and then compile that WebAssembly into native code. This doesn’t result in us shipping any .wasm files in Firefox, since the WebAssembly step is only an intermediate representation in our build process,” Mozilla explains.
RLBox should also help respond to software supply chain attacks and the need to rush out patches for issues disclosed by upstream projects.
RLBox sandboxing uses WebAssembly (Wasm), allowing it to compile modules to WebAssembly and then compile Wasm to native code using the wasm2c compiler, according to Shravan Narayan, the UC San Diego computer science PhD student leading the project.
“By compiling to Wasm before native code, we get sandboxing for free: We can ensure that all memory access and control flow will be instrumented to be confined to the module boundary,” said Narayan.
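The confinement described above, modelled as an added C example (not Mozilla's or RLBox's code, and not actual wasm2c output): every load and store made by a stand-in library routine passes a bounds check against one linear memory, so an overlong copy is refused before it can reach host data. All names here (`sb_load8`, `sb_store8`, `lib_copy`, `run_sandboxed_copy`, the canary) are hypothetical, and a flag stands in for a real Wasm trap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified model (an assumption, not real wasm2c output): the sandboxed
   library addresses one linear memory by offset and never holds a host pointer. */
#define SANDBOX_MEM_SIZE 65536u            /* one 64 KiB Wasm page */
#define CANARY 0xC0FFEE01u                 /* constructed marker value */

static struct {
    uint8_t  data[SANDBOX_MEM_SIZE];       /* the module's whole world */
    uint32_t host_canary;                  /* host state right behind it */
    int      trapped;                      /* set when an access is refused */
} sb;

/* Inserted before every access; len is tested first so the subtraction is safe. */
static int in_bounds(uint32_t off, uint32_t len) {
    return len <= SANDBOX_MEM_SIZE && off <= SANDBOX_MEM_SIZE - len;
}
static uint8_t sb_load8(uint32_t off) {
    if (!in_bounds(off, 1)) { sb.trapped = 1; return 0; }
    return sb.data[off];
}
static void sb_store8(uint32_t off, uint8_t v) {
    if (!in_bounds(off, 1)) { sb.trapped = 1; return; }
    sb.data[off] = v;
}

/* Stand-in for a buggy library routine: trusts n and does no length check. */
static void lib_copy(uint32_t dst, uint32_t src, uint32_t n) {
    for (uint32_t i = 0; i < n && !sb.trapped; i++)
        sb_store8(dst + i, sb_load8(src + i));
}

/* Host side. Returns 1 on a contained fault, 0 on a clean run, -1 if input does not fit. */
int run_sandboxed_copy(const uint8_t *in, uint32_t len, uint32_t dst, uint32_t n) {
    memset(&sb, 0, sizeof sb);
    sb.host_canary = CANARY;
    if (!in_bounds(0, len)) return -1;     /* host validates its own copy-in */
    memcpy(sb.data, in, len);
    lib_copy(dst, 0, n);
    return sb.trapped;
}
int host_canary_intact(void) { return sb.host_canary == CANARY; }

int main(void) {
    const uint8_t msg[] = "constructed sample input";
    int ok  = run_sandboxed_copy(msg, sizeof msg, 1024, sizeof msg);
    int bad = run_sandboxed_copy(msg, sizeof msg, SANDBOX_MEM_SIZE - 2, 64);
    printf("in-range=%d overlong=%d canary_intact=%d\n", ok, bad, host_canary_intact());
    return 0;
}
```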