RLBox, the new library isolation technology used by Mozilla


Researchers at Stanford University, the University of California San Diego and the University of Texas at Austin have developed a set of tools they named "RLBox", which can be used as an additional isolation layer to contain vulnerabilities in function libraries.

RLBox aims to solve the security problem of untrusted third-party libraries that are not controlled by the developers, but whose vulnerabilities could compromise the main project.

Mozilla plans to use RLBox in the Firefox 74 builds for Linux and in the macOS builds of Firefox 75 to isolate the execution of the Graphite library, which is responsible for font rendering.

At the same time, RLBox is not specific to Firefox and can be used to isolate any library in arbitrary projects.

About RLBox

RLBox works by compiling the C/C++ code of the isolated library into low-level WebAssembly intermediate code, which is then emitted as a WebAssembly module whose permissions are restricted to that module alone (for example, a string-processing library cannot open a network socket or a file). The conversion of C/C++ code to WebAssembly is done with wasi-sdk.

For direct execution, the WebAssembly module is compiled into machine code with the Lucet compiler and runs in a separate "nanoprocess", isolated from the rest of the application's memory. Lucet is based on the same code as the Cranelift JIT engine that Firefox uses to run WebAssembly.

The compiled module runs in a separate memory region and has no access to the rest of the address space. If a vulnerability in the library is exploited, the attacker is confined to that region and cannot reach the memory of the main process or transfer control outside the sandbox.

Developers are given a high-level API for calling library functions in isolation mode.

The WebAssembly sandboxes require almost no additional resources, and interacting with them is not much slower than calling ordinary functions: library functions run as native code, and the overhead arises only from copying and checking data when crossing the sandbox boundary.

The functions of an isolated library cannot be called directly; they must be accessed through the invoke_sandbox_function() wrapper.

Conversely, if the library needs to call functions outside the sandbox, those functions must be explicitly exposed with the register_callback method (by default, RLBox provides access to standard library functions).

Isolating code execution alone is not enough for memory safety; the data flowing back out of the sandbox must also be verified.

Values produced in the isolated environment are marked as untrusted with tainted types and must be verified and copied into application memory before they count as "cleaned".

Without such cleaning, any attempt to use tainted data in a context that expects regular data (or vice versa) produces an error at compile time.

Small function arguments, return values and structures are passed by copying between process memory and sandbox memory. For large data sets, memory is allocated inside the isolated environment and a direct "sandbox reference" pointer is returned to the main process.
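As an added worked example (not code from RLBox, Mozilla or the researchers), the following C++ mock models the tainted-value pattern described above: a `Tainted<T>` wrapper with no implicit conversion back to `T`, an `invoke_sandbox_function` that wraps every library return value, and a `copy_and_verify` step the host must run before using the result. The names `MockSandbox`, `lib_strlen`, `lib_strlen_hostile`, `copy_into_sandbox` and `verified_length` are assumptions made for this illustration; the real library's `tainted<T, Sandbox>` and `invoke_sandbox_function` are richer than this stand-in, and its verifier lambda returns the checked value rather than a bool.

```cpp
// Added illustration (not RLBox's own code): a minimal mock of the
// tainted-value pattern the article describes. Real RLBox provides
// rlbox::tainted<T, Sandbox> and rlbox_sandbox::invoke_sandbox_function;
// every name here is a simplified, hypothetical stand-in.
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// Stand-in for the sandbox's private linear memory. The "library" below
// only ever sees offsets into this buffer, never host pointers.
struct MockSandbox {
    std::vector<unsigned char> memory = std::vector<unsigned char>(256, 0);
};

// Wrapper for any value that crossed the sandbox boundary. There is
// deliberately no conversion operator to T, so `std::size_t n = tainted;`
// fails to compile in host code, which is the compile-time check the
// article refers to. The only way out is copy_and_verify().
template <typename T>
class Tainted {
public:
    explicit Tainted(T v) : value_(v) {}

    // Copy the value out of sandbox-controlled storage first, then run the
    // caller's predicate on the copy. Returns nullopt if the check fails.
    template <typename Verifier>
    std::optional<T> copy_and_verify(Verifier ok) const {
        T copy = value_;
        if (ok(copy)) return copy;
        return std::nullopt;
    }

private:
    T value_;
};

// Host-side entry point: every return value is wrapped as Tainted, so the
// caller cannot forget that it came from untrusted code.
template <typename Fn, typename... Args>
auto invoke_sandbox_function(Fn fn, Args&&... args)
    -> Tainted<decltype(fn(std::forward<Args>(args)...))> {
    using R = decltype(fn(std::forward<Args>(args)...));
    return Tainted<R>(fn(std::forward<Args>(args)...));
}

// --- Simulated untrusted library (in RLBox this would be C compiled to WebAssembly) ---

// Well-behaved: length of the NUL-terminated string at `offset`.
std::size_t lib_strlen(const MockSandbox& sb, std::size_t offset) {
    std::size_t n = 0;
    while (offset + n < sb.memory.size() && sb.memory[offset + n] != 0) ++n;
    return n;
}

// Compromised: returns a length far beyond the buffer, as a buggy or
// exploited library might.
std::size_t lib_strlen_hostile(const MockSandbox&, std::size_t) {
    return static_cast<std::size_t>(1) << 30;
}

// Marshal a host string into sandbox memory at offset 0 (small data is
// copied across the boundary, as the article describes).
void copy_into_sandbox(MockSandbox& sb, const std::string& s) {
    std::fill(sb.memory.begin(), sb.memory.end(), 0);
    std::size_t n = std::min(s.size(), sb.memory.size() - 1);
    std::memcpy(sb.memory.data(), s.data(), n);
}

// Host code: ask the library for a length, but only trust it after the
// verifier confirms it stays within the sandbox buffer. Indexing host
// memory with the raw tainted value is exactly what RLBox prevents.
template <typename Fn>
std::optional<std::size_t> verified_length(Fn lib_fn, const std::string& s) {
    MockSandbox sb;
    copy_into_sandbox(sb, s);
    Tainted<std::size_t> len = invoke_sandbox_function(lib_fn, sb, std::size_t{0});
    // std::size_t raw = len;   // would not compile: no implicit unwrap
    return len.copy_and_verify([&](std::size_t n) { return n < sb.memory.size(); });
}
```

With the well-behaved library, `verified_length(lib_strlen, "hello")` yields 5; with the hostile library the verifier rejects the out-of-range value and the host gets `nullopt` instead of an index it might have used for an out-of-bounds read. The point of the pattern is that the wrapper type, not programmer discipline, forces the check to happen.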

RLBox is distributed under the MIT license. It currently supports Linux and macOS, and Windows support is expected later.

If you want to know more about this new technology that Mozilla plans to adopt in Firefox, you can follow its development and try out the API at the following link.
