Strange Loop Conference | "Don't Get Owned by Your Dependencies" by Shravan Narayan (Strange Loop 2022) @StrangeLoopConf | Uploaded October 2022 | Updated October 2024, 1 week ago.
Memory safety vulnerabilities in third-party C libraries are a major source of zero-day attacks in today's applications. Several years ago our team began exploring a new approach to mitigate these attacks in Firefox, which relies on third-party libraries for everything from media rendering to spell checking.

To accomplish this, we began migrating Firefox to an architecture where these libraries are run in lightweight in-memory sandboxes (based on WebAssembly). Firefox has been shipping with this new architecture since 2020.

In this talk, we discuss the key challenges we faced, such as: ensuring efficient sandboxing, retrofitting sandboxing without changing libraries, and most importantly, modifying applications originally written to trust libraries to be secure against attacks from (sandboxed) libraries. We will talk about RLBox, a new open source C++ framework that we developed to meet these challenges. We share some examples of our own experience applying RLBox in Firefox.

Shravan Narayan
Ph.D. student, UC San Diego
@ShrNarayan

Shravan Narayan is a PhD candidate at UC San Diego, advised by Deian Stefan. His research interests span security and systems. He is particularly interested in retrofitting security in large real-world systems like browsers. Shravan and his collaborators have won the Distinguished Paper Award at USENIX Security 2020, received an honorable mention at the NSA Best Scientific Cybersecurity Paper Competition, and won the applied research competition at CSAW 2020. His work is deployed in multiple real systems, including the Firefox browser.
