Image: Mozilla

Mozilla will add a new security sandbox system to Firefox on Linux and Firefox on Mac.

The new technology, named RLBox, works by separating third-party libraries from an app's native code.

This process is called "sandboxing," and is a widely used technique that can prevent malicious code from escaping from within an app and executing at the OS level.

RLBox is an innovative project because it takes sandboxing to the next level. Instead of isolating the app from the underlying operating system, RLBox separates an app's internal components -- namely its third-party libraries -- from the app's core engine.

This technique prevents bugs and exploits found inside a third-party library from impacting another project that uses the same library.

RLBox to ship with Firefox browsers next month

Work on RLBox began last year, in 2019. This new security sandbox model was developed as part of a joint effort between Mozilla and academics from the University of California San Diego, the University of Texas at Austin, and Stanford University.

RLBox will see its first deployment in Firefox 74 for Linux, set to be released next month, in early March.

In April, RLBox will also ship for Firefox 75 for Mac.

For its initial deployment, Mozilla developers have put Firefox's Graphite font library inside an RLBox sandbox.

Future plans include putting other Firefox components inside their own RLBox sandbox environment, but also expanding the project to other platforms, such as Windows.

Can be used with other apps

However, while Mozilla was heavily involved with the project and Firefox will be the first app to use it, RLBox is actually a generic framework that can be used with any application.

According to the project's documentation page, RLBox consists of two parts: (1) a WebAssembly-based sandbox environment and (2) a programmatic API that developers can use to adapt RLBox to other applications and their older versions.

Researchers say that RLBox's WebAssembly sandbox environment was primarily based on Lucet, which is an open-source WebAssembly compiler and runtime developed by Fastly.

However, an important part of their work was also adapting this sandbox and adding an universal API so RLBox could be retrofitted with existing projects, most of which feature millions of lines of code and tens third-party libraries, all different from one another.

Mozilla: "This is a big deal"

"This is a big deal," said Bobby Holley, principal engineer at Mozilla, referring to Firefox adding RLBox support.

"Security is a top priority for us, and it's just too easy to make dangerous mistakes in C/C++," Holley added, referring to the well-known security bugs that coding in C and C++ often generates, even by accident.

Efforts to move away from C and C++ have been going on at Mozilla for quite a while now. Mozilla was the founder and is the primary backer of Rust, a programming language developed as a safer replacement for C and C++, which also saw its first real-world use inside Firefox.

"We're writing a lot of new code in Rust, but Firefox is a huge codebase with millions of lines of C/C++ that aren't going away any time soon," Holley added.

"RLBox makes it quick and easy to isolate existing chunks of code at a granularity that hasn't been possible with the process-level sandboxing used in browsers today."

Mozilla developers plan to publish a blog post on the Mozilla Hacks blog later today containing a detailed technical write-up on RLBox's features and mode of operation.

In addition, the academic team behind RLBox also plans to publish a study on RLBox's performance impact and other benefits. The study, entitled "Retrofitting Fine Grain Isolation in the Firefox Renderer," will also be presented in the proceedings of the USENIX Security Symposium in March.

It is worth mentioning that Firefox was already running inside a sandbox, separating the browser from the underlying OS. Furthermore, Firefox's sandboxing system was also isolating different internal Firefox processes from one anther. RLBox will work on top of these sandboxing protections, as an added layer of protection, by isolating libraries from the Firefox core.