Mozilla Firefox 95 update is being rolled out with a new sandboxing technology called RLBox that is touted to enhance the browser’s protection against malicious code. Mozilla says the new technology makes it easy and efficient to isolate potentially buggy code to make the browser secure so much so that even zero-day vulnerabilities in some cases are claimed to pose no threat to users on Firefox. Additionally, Mozilla has updated its bug bounty programme to pay researchers for bypassing the sandbox.
Sandboxing is a practice that is used to keep potentially malicious code isolated from the rest of the organisation’s environment. As per a blog post by Mozilla, the RLBox sandboxing technique uses WebAssembly to isolate five modules of the Firefox browser. WebAssembly technology enables high-resource apps like games, video, and image editors to run in a browser at speed on par with a local computer. “Going forward, we can treat these modules as untrusted code, and even a zero-day vulnerability in any of them should pose no threat to Firefox,” the company said.
The technology, which has been developed in collaboration with researchers at the University of California San Diego and the University of Texas, is now being released for all supported Firefox platforms (desktop and mobile).
In order to understand how RLBox sandboxing works, we must first understand the nature of threats that are being posed online.
Just like all major Web browsers that run content in their own sandboxed process to plug vulnerabilities, Firefox also isolates each site in its own process for protection. Mozilla says threat actors attack users by chaining together two vulnerabilities — “one to compromise the sandboxed process containing the malicious site and another to escape the sandbox”. To tackle this scare, multi-layer protection is needed.
As mentioned, RLBox sandboxing technology compiles the code into WebAssembly instead of hoisting it into a separate process. It then compiles that WebAssembly into native code allowing Firefox to run trusted and untrusted code in the same process. Mozilla says RLBox helps in sanitising any values that come from the sandbox, resulting in enhanced protection from malicious code.