Gecko Script Security
Over the past two decades, the web browser has grown up. What was once a glorified document viewer is now the world's most popular application runtime, and the web platform continues to evolve at a staggering pace. This coming-of-age was not, however, a very pretty process. A number of early design decisions, on both API and implementation levels, have imposed compatibility requirements that make web security a very difficult problem. As the platform matured, increasing performance and security demands began to strain Mozilla's baroque script security architecture. With the 2011 release of Firefox 4, this architecture was overhauled to implement a more capability-based approach. In the new model, objects and scripts are segmented into per-global heaps known as Compartments. Objects may never hold direct cross-compartment references; instead, all cross-compartment access passes through a membrane layer of ES5 proxies that enforces security policy. This model has proved itself to be extremely flexible and efficient. The talk will provide a brief history of script security on the web, chronicle Gecko's evolution, and discuss various features and challenges of the current architecture. Topics include Compartments, Proxies, Performance, Security Vulnerabilities, Principal Computation, Membranes, Property Filtering, Xray Vision, COWs, and Brain Transplants.
Bobby Holley (aka bholley) has been contributing to Mozilla since 2008, and working full-time on the project since 2011. He is the XPConnect module owner, and works primarily on the DOM, the JS Engine, Security Policy, and Deep Magic. He received a BS and MS in Electrical Engineering from Stanford in 2010 and 2011 (respectively). He spent the last year living in France.