On Thu, Jul 12, 2018 at 11:25 AM, Karl Tomlinson <mozn...@karlt.net> wrote:
> Would it be easier to answer the opposite question? What should
> not run in a shared process? JS is a given. Others?

Currently when an exploitable bug is found in content process code, attackers use JS to weaponize it with an arsenal of known techniques (e.g. heap spraying and shaping). An important question is, assuming a similar bug were found in a shared non-content process, how difficult it would be for content JS to apply those techniques remotely across the process boundary. That would be a pretty interesting problem for security researchers to work on.

> Use of system font, graphics, or audio servers is in a similar bucket I
> guess.

Taking control of an audio server would let you listen in on phone calls, which seems interesting.

Another question is whether you can exfiltrate cross-origin data by performing side-channel attacks against those shared processes. You probably need to assume that Spectre-ish attacks will be blocked at process boundaries by hardware/OS mitigations, but there could be browser-implementation-specific timing attacks etc. E.g. do IPDL IDs exposed to content processes leak useful information about the activities of other processes? Of course there are cross-origin timing-based information leaks that are already known and somewhat unfixable :-(.

Rob
--
Su ot deraeppa sah dna Rehtaf eht htiw saw hcihw, efil lanrete eht uoy ot mialcorp ew dna, ti ot yfitset dna ti nees evah ew; deraeppa efil eht. Efil fo Drow eht gninrecnoc mialcorp ew siht - dehcuot evah sdnah ruo dna ta dekool evah ew hcihw, seye ruo htiw nees evah ew hcihw, draeh evah ew hcihw, gninnigeb eht morf saw hcihw taht.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
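The question raised above about IDs handed out by a shared process leaking other clients' activity can be made concrete with a toy model. The following is an added example, not code from this thread and not Firefox's IPDL implementation: a simulated shared "server" process allocates handle IDs for two client processes, and an attacker client measures how many IDs were consumed by someone else between two of its own allocations. The class names, the per-client ID space used as the hardened variant, and the probe function are all assumptions made for illustration.

```javascript
// Added example (not from the thread or from Firefox). A toy model of a shared
// process handing out handle IDs to several client processes, showing how a
// single global sequential counter leaks one client's activity to another, and
// how giving each client its own ID space removes that signal.

// Shared server with one global counter: every client observes the same
// sequence, so gaps in the IDs a client receives reflect other clients' work.
class SharedCounterServer {
  constructor() {
    this.next = 1;
  }
  // clientId is ignored: all clients draw from one global sequence
  allocate(clientId) {
    return this.next++;
  }
}

// Hardened variant (assumed design, not Firefox's): each client gets an
// independent ID space, so the IDs it sees depend only on its own allocations.
class PerClientServer {
  constructor() {
    this.counters = new Map();
  }
  allocate(clientId) {
    const n = this.counters.get(clientId) || 1;
    this.counters.set(clientId, n + 1);
    return n;
  }
}

// Attacker probe: allocate one handle, let the victim do its work, allocate
// another, and count the IDs consumed in between beyond the attacker's own.
// With a global counter this equals the victim's allocation count; with
// per-client spaces it is always 0.
function probeVictimActivity(server, attackerId, victimId, victimAllocations) {
  const before = server.allocate(attackerId);
  // Constructed victim activity: the victim creates N objects in the shared process.
  for (let i = 0; i < victimAllocations; i++) {
    server.allocate(victimId);
  }
  const after = server.allocate(attackerId);
  return after - before - 1;
}

// Stand-alone demonstration.
console.log('global counter leaks:', probeVictimActivity(new SharedCounterServer(), 'attacker', 'victim', 5));
console.log('per-client space leaks:', probeVictimActivity(new PerClientServer(), 'attacker', 'victim', 5));
```

The leak here needs no timing measurement at all, only the ability to observe an ID that a shared process mints; the same reasoning applies to any counter, sequence number or slot index a shared process exposes to more than one principal.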