Why hasn't Mozilla developed a Chrome-like sandbox for Firefox?

This has been on my mind lately. The Chrome sandbox is a major selling point, given the widespread nature of browser-based malware. In Chrome, each tab is its own process and a compromised tab cannot access the other tabs. In Firefox, if one tab is compromised, then everything is compromised.

Granted, the Chrome sandbox is not 100% bulletproof. There have been some exploits. Overall, though, it's rock solid. It's a major selling point of Chrome and I just don't get why Mozilla seems to show no interest in catching up in that regard.

 

It would require a rewrite/ major change in Firefox architecture.

 

I think Mozilla are more likely going to develop a totally new rendering engine.

 

That's really a shame. These days, with both IE and Chrome both utilizing strong sandboxing, Firefox will inevitably fall behind in a big way.

 

No need to worry about a sandbox in Firefox if you use NoScript plugin, although sandboxed renderers would be nice.

 

Sandbox is much more convenient than NoScript since you don't have to selectively allow/disallow things.

Also, I believe it's a much more secure option. NoScript is nice, yes. However, when a trusted website gets hacked, and you allow scripts there, you'll be running malware outside a sandbox, directly in your OS.

 

Convenient maybe, but from my vantage point less secure. Sandboxing provides a false sense of security. The user should be engaged in protecting their system, and plug-ins like NoScript provide a much needed push to illiterate and disengaged users. Marketing security solutions to low-brow users is why phishing and other such tactics are prevalent/successful. The public doesn't care how it works ... they just want it to work.

 

NoScript is certainly safer than a sandbox, because Chromium sandbox can be exploited. Ok, but what I said remains: suppose you have a rule to allow scripts in a site you trust. So what happens when that site gets hacked? In that case a sandbox could help.

One way is to run FF in a sandboxed environment, e.g. using Sandboxie.

 

Firefox has sort of done this. I believe starting with v3.6 they run plugins in a seperate process. But they do this for stability, not security.

All this buys you is that if a plugin misbehaves and crashes, you just lose the plugin, not the entire browser. But if a plugin was exploited, there is nothing stopping it from infecting your system like a sandbox would.

 

Ultimately having both is ideal. Unfortunately Chrome's long undeveloped script control extension is inferior to Firefox'. Chrome will hopefully someday get something on par with NoScript and Firefox will hopefully get sandboxing for its browsing processes.

One just has to realize it's a multi-stage infection process. If you stop the script you stop the malicious payload. If you don't stop the script, an anti-executable can stop the payload. Even if the payload writes to disk, it does no harm unless it can run.

 

I agree that a layered approach is better, but this discussion seems moot when you consider this scenario. Even with the added protection of a sandbox, the website visitor is still susceptible to other attack vectors. Some of which are critical enough that neither the plug-in or the built-in sandbox offer that much protection. One could argue for instance that if the user installs a malicious agent manually and allows it to run then neither the plug-in nor the browser's sandbox did anything to protect the user. Sure the plug-in blocked the drive-by download or the sandbox trapped it. But it's game over. Such scenarios lead to hasty generalizations. Hence why this type of discussion could go in circles. NoScript provides just one layer of protection. As does a sandbox. I would also like to point out that the browser's built-in sandbox is not the same as a standalone application such as Sandboxie. While both applications protect the browser, they take different approaches. Each approach is susceptible to different attack vectors, so there is no real comparison. My point is that, a layered approach is necessary, but any plug-in or application we rely on should openly engage the user. For as you said, what happens when conditions change and that plug-in or application is exploited. We have brains ... I don't think it would hurt us to engage them more frequently. Just my two cents.

 

Absolutely

 

I'm no expert on Chrome, but it runs its renderers at "untrusted" il (integrity level) so this means any malicious process is forced to this level, meaning they can't touch anything outside the browser because they run at higher il, especially the critical O/S processes running at "system" il. However, I checked moments ago and see it runs even its own Flash dll's (pepperflash) at medium il.

 

We are not discussing an infected system, which is insecure by definition. Of course any security layer can be overcome. Also I never said browsers built-in sandboxes are the same as standalone sandboxes. I'm glad to hear you have a brain too, but maybe you should take your own advice more often...

 

Jaspion, you've misunderstood my post. I do agree with you that a sandbox in conjunction with NoScript is good idea for implementing a layered approached. However, the scenario you provided is too generalized to adequate support your argument. Generalizations lead to erroneous presumptions by both the author and his/her intended audience. In this instance, you've given valid advise, but your argument leads to an erroneous conclusion that sandboxing can help.

Let's consider your scenario, a trusted website is hacked. That's a lot of attack vectors to worry about. What security application or plug-in wouldn't fail this test? Honestly. Now, the author presumes the user has set permissions for trusted sites. Okay so the target audience is novice NoScript users that utilize default configuration. Author's question: "What happens?" The anticipated answer to this setup is that NoScript is now essentially useless. Ahh a solution: "adding a sandbox could help". Erroneous logic, give the undefined attack vectors this plug-in and sandbox are presumably facing.

I provided a more refined scenario for your review. Which I presumed could happen given your scenario. Got me making presumptions now (that humor, your suppose to laugh). The user visits the hacked (trusted) website. They proceed to use the site oblivious to what has happened. They proceed to engage in activities (I could have left multiple attack vectors, but choose (one) manual download). I can conclude then that NoScript and the sandbox would be useless given that the user is permitting the download and authorizes it to run on their system. Btw, your last remark made me laugh. I like blunt retort.

Correct, the malicious process is stopped. The example I provided is a manual download by the user themselves, not a malicious script running when you load the webpage. I click link A to download Song A. Hacker swaps Song A for Song B (we don't know how much the hacker controls on website), I permit it to be placed on my computer. Now Chrome has no say in the matter and my system is infected. Of course this was built off the presumptions taken from the previous what if scenario. I agree with Jaspion that the combination of sandbox and NoScript would be a good idea because of such a scenario. I can visit a compromised website and if NoScript stops working for whatever reason. I have a sandbox in which to manually download and test content. It was also not my intent to suggest the author was stupid and though browser sandboxes = sandboxie. I was merely clarifying that detail for any new wilders members/guests.

 

I would say it is entirely the opposite. Paper after paper has shown user education doesn't work, various papers have given excellent explanations why. Years of users using "ninja" as their password despite years of users having their passwords compromised, and you want to get users MORE involved in security? No, the sandbox is strong for exactly those reasons you mention - it is silent.

Phishing tactics work because right now the vast majority of protection is click-through or otherwise based on user interaction.

NoScript and Sandboxing work on a similar concept but in to provide protection against completely different attacks. NoScript is best for protecting against web-based attacks. Sandboxes are best for protecting against exploits/ attacks attempting to exploit the system.

Let's remember the Adobe Reader attack didn't require JavaScript. And Scriptless attacks aren't so foreign an idea anymore:
https://www.hgi.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf

As has been said, ideally we'll see both.

 

I think you misunderstood what I was saying. I never went into the scenario you created. I was only considering visiting websites, not running downloaded files. My assumption was indeed that if your browser is sandboxed, and your system not infected, then a malicious website or hacked website turned malicious could be stopped from doing harm when scripts are allowed to run.

 

IMHO Firefox is going backwards, Chrome has taken the place of the best and safest browser. Besides No-Script can anyone name one good feature of Firefox? Thought not.

Sadly Firefox has become easy play for stuff like the Blacksmoke & Citidel exploit kits. It's really lacking in security these days.

 

Does this count for anything?

 

Really open development, extensive APIs for extensions, extension vetting, a fair amount of other stuff.

 

Extension vetting, the one thing Chrome has never even attempted to do properly.

 

Unfortunately. If you go to Chrome Web Store and search for adblock, you'll get a few results that are nothing but dubious rip-offs of other two popular adblocking extensions. I haven't downloaded them, so I don't what else they're hiding, but it's quite upsetting that this kind of situation happens, and Google seems to blindly allow it.

Restricting extensions to be installed only from Chrome Web Store, in a direct way, creates a false sense of security, IMHO.

 

Yeah, there is a ton of crap in the Web Store. There is at Mozilla too, but at least they look at the stuff first. I'm not sure what it will take for them to straighten up and fly right. Chrome also has a boatload of really suspicious looking Apps.

 

Yes, I remember downloading an extension for Firefox (I think one to darken Youtube page), which tried to connect to quite a few domains. And, it's under GPL license, so...

Bottom line is: One needs to be careful, regardless of who develops and who stores.

There's even a famous Firefox extension, already named in this very same thread, that already went to the darkside once.

We can't even trust Santa... that's life.

 

Precisely Chrome has the upper hand on some things at the moment (such as sandboxing) but so does Firefox.

I understand the frustration some users have seeing a browser not implementing features that they want/need; especially if it's available in other browser(s). I have a list of things which I find lacking in Chrome and Firefox. It's the main reason why I use them both.