I'm happy to be here; it's not easy to get here, with the French strikes and everything. So this talk is going to be about taming the fox. The title doesn't mean much, but "taming" refers to the first name of a syscall in OpenBSD, which was called tame before it became pledge, and the fox is, of course, a fox, as you can see.

So, about me: I'm a French guy, living in the centre of France, far from Paris. For work, I've worked in the GIS field: everything to do with maps, cartographic information and GIS databases. I've been working on OpenBSD ports for a long time. I've been working on Firefox for a long time, and I've been working on Xfce, the desktop environment, since forever. In the end, of course, when you start working on things, you end up being the maintainer for the ports. And likewise, I've become the de facto maintainer for the geography directory in the ports tree since forever too.

So, today's topic. Five years ago, I gave a presentation in Paris, and at the end there were slides saying: yes, maybe something could be done with pledge, which at the time wasn't yet in OpenBSD, and I think the pledge and unveil semantics weren't completely finished. At the time, WebRTC was also a challenge, because WebRTC working in Firefox on OpenBSD wasn't a given. So I just tried. It was easy at first to write some code and try to figure out where to put it. It took a few years to get there, but now it's done. Of course, at the time, I was already familiar with the Firefox code base, and I knew what it was. But it's still huge. For that, there's a friend, which is Searchfox, which lets you search and find everything in the code. It's really well done. It was really a big help. So, speaking of Firefox on OpenBSD, we now have four main ports.
Mainline Firefox, which is the latest version; the next version is in two days. We also have a Firefox ESR branch, which is the same thing; we've been updating it without problems for several years. Thunderbird too, which is also from the Mozilla galaxy. It doesn't benefit from pledge and unveil, because right now it's still one monster process, but we'll come back to that. There's also Tor Browser in the ports tree. I don't maintain it, but we have a developer who has really been keeping it updated for a few years. Most of the ports are also available in -stable, because most of the time you can backport the updates. Except when a new version of Rust is required, a new version of LLVM, a new version of cbindgen, and you have to go through tool after tool to backport things. But most of the time, people using a release version of OpenBSD can benefit from Firefox security updates in -stable.

We worked on WebRTC. We've had WebRTC working in Firefox on OpenBSD for years; the pandemic helped people test that. We have WebGL. And we also worked on multi-process, which has been taken to the extreme. We have six different processes. The main process. The web content process. The GPU process, for interaction with the graphics card. RDD is for the remote data decoder, which means all the video decoding happens in a different process. The socket process is a new one; it's the one that's supposed to do all the network communication. Right now, it's only used for WebRTC communications; all the network communication for web pages and DNS is still in the main process. And there's also a recent addition, the utility process.
Right now it's only used for audio decoding. So now, the general topic: what does sandboxing mean? I'm not a security person. Definitely not. I'm one of the OpenBSD developers; I work on ports. I know the general concepts of the things that have been developed in OpenBSD, but I'm not that knowledgeable about all the details. For me, it's OpenBSD. There are different mechanisms that exist, depending on the operating system. So on OpenBSD we have pledge and unveil; on Linux there's seccomp; on FreeBSD there's Capsicum. Landlock, from what I've got, is more or less the same idea as unveil, implemented on Linux security modules. And what do we mean when we say sandboxing? In two words, we limit what a process can do. We limit how many resources it uses. What can processes see about each other? Like, are you the only one running on this machine, or are there neighbouring processes? Can you talk with them or not? Are you allowed to talk with them or not? And what can you read and write on the file system? It might not be a given, but for us, I think the main driver for this sandboxing work was that we want to prevent a process from accessing files that it's not supposed to access for its nominal use. That's something we stress, because in its nominal work a process isn't supposed to access many other files, but if the process gets owned for various reasons and you get shellcode and you get remote code execution, of course an attacker would want to access sensitive files: your SSH keys, your GPG keys, the passwords, your TTC password, KeePass databases. That's something that isn't supposed to happen in normal usage, but you never know what a web page can execute on your machine.
Of course, inside a browser there are also many mechanisms to prevent this unwanted access, but those mechanisms can also be worked around, and those kinds of things can still happen. So the idea was to have something else, at the operating system level. Of course, there's already some sandboxing in Firefox, which exists. There's the web page describing the work upstream. It's maintained by the Mozilla Foundation on tier 1 platforms: of course, Linux, macOS, Windows. Of course, there are still many users of Firefox. Even if most of the people here might use Chrome, there are still around 10-20% of people using Firefox, to my knowledge. The sandboxing on those platforms is done by process type. So, of course, it's closely linked to separating everything from the main process into sub-processes. That's something which has been very hard in the Mozilla community, because the code base is more than 20 years old now. It hasn't been written from scratch like Chromium, which was built from scratch to be privilege separated and everything. So that work in Firefox was much more complicated, but slowly it ended up being separated into many processes, and this work is still ongoing. Electrolysis was the original split into many processes, and Fission is now the work which is supposed to separate the various tabs of your browser sessions so that they don't see each other, so that you can't have third-party trackers seeing what happens in other tabs, that kind of thing. And so the sandboxing exists on the platforms maintained by Mozilla. And it's super fine-grained, but it's not really easy to grasp and comprehend, because there are thousands of lines of code, thousands of lines of configuration, and many smart people working on it. This is done with what the operating system is providing to the developers. So it's built, I think it's well done, and the user doesn't see that the process is sandboxed.
But still, the browser on those platforms can access any file on the file system, which might not be what you want. So, what we have on OpenBSD since 2017, 18, 16, I don't really remember: we have two syscalls. The first one is pledge, which says a process has to call this function and say "I pledge that I'm not going to use more than those syscalls". The promise concept is that there's a word which means "I'm going to use this subset of syscalls". You call it once; you can call it many times, but if you call it many times you can only shrink the set of promises you're taking. And if you call pledge without any argument, that means you're not going to use any syscalls anymore. You're just going to get killed at some point, because you are not allowed to do anything with the kernel, which means in the end, and that's where the sentence from the man page comes from, you can only do computation on memory shared by another process, because otherwise anything you're doing ends up calling into the kernel. And if you do something else, you get killed. Easy. Straight away, you get killed. Unveil, on the other side, which came after pledge: you call it with a path and a mode, and it means that you are going to unveil to this process a part of the file system with this mode, either read, write, create or execute.
You can call it as many times as you want, and in the end the process will have a view of this part and this part and this part, and be able to do writes maybe, or only read operations, or only execute operations. And if you call it with NULL, NULL, it means from that point you're going to run with only what you have, and you are not going to get more view of the file system. And if you try to access a path and it's not in the unveil list, well, the system will tell you it doesn't exist; or if you have read access and try to write to it, it will just say to you: you don't have access to the file.

From that point, the question is: when do you have to call them in the process lifecycle? Usually, most processes have an initialization part, and after that, that's the main loop, in the case of a daemon. So you have to really figure out when is the best place to call those syscalls: open everything that you need before, and from that point you just pass file descriptors, that kind of thing. Those syscalls are done per process, which means you can fork and the new process will also have to decide what it wants to access. It's totally declarative: you don't do it from outside the process. In its code, I have to say: I know I'm supposed to only use these subsets, and those files, I need to access those files. And something else too: a process can't tell if it has been pledged or unveiled; it doesn't have a way to know "am I being sandboxed or not?" and in that case do something else. That's not possible with OpenBSD, the system.

So the pledge classes: as I said, those are subsets. The first list is an example of the promises used by the main Firefox process. As you can see, the list is large, but in the end it makes sense. The main process has to do read and write operations: write mostly for the cache, the profile, that kind of thing. It also has to do write operations when you save a file; it has to be written somewhere. Of course it has to do network operations, DNS. Since it's multiprocess, it has to fork and exec processes; it has to send file descriptors to those sub-processes. It also needs ps and vminfo: in Firefox we have about:processes, which shows all the processes used by Firefox with their memory usage. If you don't go to that page and you don't have the ps and vminfo pledge classes, the process will work, but as soon as you go to this page it will use those syscalls and it will get killed. So you have to have them by default, otherwise you get the browser killed every time. And there are many other classes for various details. I think I checked yesterday, and the tty class isn't necessary anymore. You need video, of course, if you want to use WebRTC; you need to do ioctls on the video device. So the list is huge, but these days most of the things happen in the browser, so of course it has to have as many capabilities. There are some route, multicast, for some specific ioctls; I won't go into the details. But Firefox doesn't use all the pledge classes possible. Firefox can't do ioctls on audio, because it uses the sndio subsystem, which doesn't need that. Firefox doesn't change pf rules, of course. Firefox doesn't write routes to your routing table. So it still has some limitations compared to a process that wouldn't be pledged at all.

So that's an example of use, and those are small examples from the ports tree, other ports, the ones that are used a lot, where we experimented with adding pledges depending on what the processes need to do, and in the end it was very, very simple. update-icon-cache is something that is run all the time when you install a package; it's run every time you install a package which has icons, so it's something that might be critical, might as well pledge it, and figure out it only needs to write files, more or less. desktop-file-utils is a similar example. A PDF display application: you have shitloads of those things in PDFs these days, because they can execute JavaScript, everything can happen, and in the end mupdf, as an example, only needs stdio and rpath to open the file that you are given on the command line, and then it just needs stdio. Anything that's bundled in the PDF file that might be dangerous will end up with the process getting killed, instead of the dangerous thing inside the PDF getting executed. Archivers are also a good target for being pledged, because there are many, many dangerous things being tried, being bundled in archives. Those examples are the same: you can open the file and then just say "I'm going to reduce my privileges because I don't need anything else". Most of the base daemons are pledged; most of the utilities are, when it makes sense, of course. That was for pledge.

Now for unveil, other examples. I took the same examples. update-desktop-database just needs to browse all the desktop directories, which are where the packages install desktop files, and after that you don't need to access anything else. If there was a malicious desktop file, it couldn't do anything else, because it couldn't read anything else. shared-mime-info, the same thing: it needs to write in a directory, in a single directory in the file system; it needs to read the file that's given; it doesn't need to know what exists anywhere else. Got, which is the Git implementation written in a clean room by Stefan Sperling, which is meant for OpenBSD to potentially replace CVS someday: it has been written with privsep and pledge and unveil from the start, so it's a very, very good example of how to use unveil and pledge in a program. And of course most of the base daemons use unveil these days.

So how does it happen in Firefox for the users? Well, since we have six different processes and we have two types of syscalls to configure, we have two files per process type. I decided on the defaults, because those are the ones that we have to use and document: why do we need these subsets, why do we need this directory. Of course you have comments in the file, and those configuration files are samples in /etc/firefox, which means that a user can override them and add directories, remove a syscall class, a pledge class, if you know that it's not going to use video, for example; you can remove it from the pledge.main file. That also means that if you have some specific use case, you can disable those protections if you want to; I know of one case, which I'll come back to later, but you're not supposed to do that, for your own good. Those files are read at process startup, we'll come back to that later, and you have some environment variables which are expanded to real paths, because the freedesktop specifications say that you can override the defaults using those environment variables. That's quite simple so far. Of course, the slides will be online just after the talk, and all the links are pointing to the code inside Firefox, if you are interested in finding out how many lines of code it is compared to what the sandboxing is on other platforms.

That's a short excerpt of the main process, as examples. It needs to write to the cache directory for all the GIF and PNG files you're seeing in your browsing, so it needs write access, create access, to create subdirs of course. It needs the same access to the ~/.mozilla/firefox subdir, which means that's where the profiles are. It needs read and write access to the graphics card if you want to do graphic operations, mostly with GL. It needs read and write access if you want to do WebRTC. It needs read access to the libraries, GTK, all those things. It needs read and execute access to the install directory of Firefox, because since it's going to execute itself for the sub-processes, it needs to have the execute rights on this directory. On the /usr/local/lib path there's only read access; it can't execute anything in this directory. And the last example is: you might want to use external MIME handlers to open attachments, to open files that you're going to download, so you just have to specify manually the path of the binary that you're going to use to open PDFs, open images.

So there are conflicting opinions about this: when should we call pledge and unveil in a program? I've looked at how it has been done in the base daemons and base programs, and it's easy, because that's a code base that you are maintaining, that is maintained in the OpenBSD project, and you have the full rights to do anything you want with it, and you know it, you've read it, many people looked at it, and of course it's easy to move chunks of code from one place to another, because it makes much more sense to have this thing initialized here instead of later, because this way you can remove a pledge promise or you can change an unveil configuration. In theory that's how it's done for all the base daemons. But for a program like Firefox, that's not really possible: it's impossible to figure out all the code paths, what causes what, because this morning there was a slide from Daryl B.T. about the number of lines of code of books, and then Linux, and then FreeBSD, and I think if you look at the size of the source code of a browser, it's much higher. So it's not possible to understand everything, how it works. So in the end, let's just be humble and just say: OK, for the other platforms, entry points, let's just do something simple and start the sandboxing and configure it at the same place. There was a nice idea which was taken from Windows: I managed to remove lots of rights from the remote data decoder process by preloading a library. It allowed me to remove many, many things from the unveil configuration and the pledge configuration for the RDD process, because you just preload the library before starting the sandbox and it won't need to access the directory where the library is. So in the end, I think the remote data decoder process doesn't have access to anything, which means it can't read another library and try to exploit another thing.

In the end, it's four functions in the Mozilla code base, which are maybe 300 lines at maximum. You start the sandbox, which means: where are my configuration files, the default ones or ones that have been potentially modified by the users; then you call pledge and then you unveil with all those configurations, and from that point the sandboxing is working. For all the processes there's an entry point, where the process is the main process, same thing: you have to read those two files for this process type. And the funny thing is, I realized two weeks ago, the official Mozilla documentation, which is the last link on the page, says: if you add a new process type to the Firefox code base, which is something that doesn't happen much, well, you have to add these lines for starting the sandboxing. You can do it: there's an "#ifdef OpenBSD, StartOpenBSDSandbox", which is nice, because I didn't even know it, but if a Mozilla developer would create a new process, by default, if they take the code example in the documentation, it will add a configuration for OpenBSD, which is quite nice.

How it happened: well, you can't read all the code base for this new process; you have no idea which functions are going to be called. You just have to examine the process from an outside point of view. ktrace is your only friend in this case. You figure out: OK, start the process, it gets killed; OK, ktrace; OK, it tried to call this syscall, let's add this pledge class; OK, it goes further. Then you end up with a subset of classes, and of course you will get new crashes because you haven't started unveil. ktrace tells you that this file has been opened for read, this file has been opened for write, so you slowly get the list of paths that this process needs for its nominal usage. So, repeat until it stops crashing and starts working. Of course, Firefox itself is a huge code base, but it also uses existing libraries, so you also need to take care about what GTK does below, what X does below, which means you also have to add new syscall classes or paths because GTK uses this file and you don't have the choice of avoiding this access. So it takes a lot of time to figure out all the details.

Contrary to Chromium, the Mozilla Foundation is very welcoming to other operating systems. For us, the BSDs, we are, let's say, tier 3, which means they don't spend much time on it, but if you try to push things they will welcome it. But you just need to use Bugzilla and talk to the Mozilla developers responsible for those specific areas, and they are welcoming ideas; they are quite helpful on how to write your code. And that's the short list; well, actually, that's half of the bugs that were about upstreaming all the modifications we had over time. The numbers on the right are the version of Firefox in which the code landed. The original pledge implementation was in 63, so 2018, and over time: at the start it was about:config keys to configure pledge, in its early days; then it moved to configuration files, because about:config keys have an issue: something can eventually modify them. So if the process can modify the config keys, of course it can give itself more rights. So moving that to a configuration file which isn't modifiable by anyone but root makes it tighter. So that's the first part. The second part, you can see from the titles what were the bugs that were created, regressions, or what were the additions to modify the sandboxing for OpenBSD inside the Mozilla code base. The last one is a bit painful for me, because I spent quite some time recently trying to remove a pledge class because it was calling a sysctl, and I thought, maybe I can just cache the value at the start and return it for all the next calls. And in the end I just figured out, OK, when I was testing, I just forgot to remove the class from the configuration files, so testing showed that it worked, but in the end, when I removed the class from the configuration, it just crashed, because of course another path in the code base was calling a different sysctl, which was still prevented by pledge. So it's a lot of work.

Now, what does it mean for the end users? The user doesn't see much, because it's transparent. The only thing that is user-visible: by default, the browser can only write to /tmp and ~/Downloads, which means on OpenBSD, if you use Firefox, the browser can't access your home directory, sensitive personal files, SSH keys and everything. It has a drawback: since it's only Downloads, if you want to upload things, well, you have to put them in Downloads, or, well, you can add new paths to the unveil configuration, but you're not supposed to add your home directory, because it would defeat the idea of not allowing the browser to access all your files. There's one gotcha: if you want to use screen sharing, you need to disable pledge on the main process, because it uses shmget, which doesn't have any pledge class for now, and I'm pretty sure it won't happen. There's an open bug about using XImage instead, but I don't really remember the details; I just filed the bug as a reminder to try to figure out something that avoids using this syscall, which again would improve the security of this part of the process. And as I said, the user needs to add all the MIME handlers they want to use to open files. In my case, I use something to open archives in a graphical application, an image viewer, and of course LibreOffice for all your office documents. But that's all you need to open files externally from the browser.

In the end, over those years, I'm pretty happy with what's been done, because I have a much, much better understanding of what's needed by all processes. All of them need stdio and recvfd, of course, since there's multiprocess involved; you can't do much without those syscall classes. The main process and the content process still have access to many directories and many syscalls, because, as I said, the code base is old, it uses external libraries, it doesn't work with sandboxing from the start. I'm pretty sure it won't be possible to reach the level of sandboxing that is used right now in Chromium, because since it was done from the start with sandboxing in mind, those ideas were done correctly from the start. The remote data decoder process only needs to access /tmp, of all the files. The socket process only does inet and dns, and it doesn't have access to the file system; it doesn't need access to the file system. That's one less thing to worry about. The audio decoder process needs prot_exec, which is a syscall class to say you're going to use mmap and make that memory region executable. I'm pretty sure that's only needed because some libraries that are used by this process to decode audio need to execute something, and that's something which is outside of Firefox; you can't have control on all the libraries which are used by the browser. The GPU process was sandboxed from the start, but right now I don't really know if it's still in use by the browser, because you also have to play catch-up with the upstream developers enabling or disabling the GPU process by default for all platforms, for one platform, because it started working on Windows and then on Linux, and then it's been disabled because something changed about Wayland. You need to play catch-up all the time to figure out if the things that were true three years ago are still true right now.

There's an interesting issue about the unveil implementation right now, which is: if a directory doesn't exist and you unveil it with read, write and create capabilities, the directory will be created if the code creates it, but the next calls won't be able to read it. That's a bit counter-intuitive, but it makes sense when you look at the implementation, because it's done based on the internals of the VFS layer, which does the mapping between a path and an inode. But it's annoying, because as a user, if you have a new user and you start Firefox with the default configuration, you have a new user, ~/Downloads doesn't exist, so you start the browser, it creates the directory when you want to download something, but then it will say "I failed to download it", because it managed to create the directory, but since it was unveiled before being created, it won't be able to write to it. So you need to exit the browser and then restart it, but then from that point the directory exists, so it just works. But that's part of the little quirks that are documented in the package readme. And as I said, everything might be revisited after each upgrade; that's something that is not really possible to do. I try to do it once every six months: start from an empty configuration and try to figure out if you can tighten all the rules that you had, or for some cases if you need to add more paths or more syscall classes.

So that's coming to the end. By default, it's been enabled in the ports tree since Firefox 60, so I'm pretty sure you know it, but in OpenBSD security is enabled by default everywhere, so it's in the default configuration, everything. Unveil was added in 2019. Everything is upstream. I mostly never add patches to the ports tree which aren't already either committed or tracked upstream, being reviewed, because otherwise it's a maintenance nightmare. As Marc said, for Chromium there are 900 patches in the ports tree; for Firefox there are 5 or 6 patches, maybe, because the developers are just welcoming all the support for other operating systems, as long as you don't try to break everything and you adapt to the rules of the upstream project. Of course, the promises could be seen as wide, but as I said, it's a huge and old code base, so you can't really do what you want. Upstream is still working to move things to different processes; the network communications are slowly moving from the main process to the socket process. At some point, maybe the main process won't have network access, because it won't need to. But in the end, to do this work, it's a bit raw: you have a bit of logging, but it's very, very, very tedious and painful. That's what I added to the upstream repository: you can use some logging which will tell you "this process has been started right now", so if you start the process and see a crash you can figure out if it was before or after calling unveil, if the path was in the list of the things that were allowed to this process. And other than that, you can only use ktrace. So you are alone with ktrace and your computer and your brain, because it's somewhat painful.

On a good note, I really liked it, because at the beginning people mostly told me: yeah, it's not possible, this code base is shit, all the browsers are shit, all the code that's not been written by an OpenBSD developer is shit. I don't agree with that. There are many, many, many smart people working on many, many, many projects, and there are many, many smart people working at Mozilla. They have their own views. It's interesting to try to show, on a huge code base, the OpenBSD view of sandboxing in that monster. Thank you. And as I wanted, I have time for questions.

Q: Do you have a way to run something almost like a dry-run mode for your sandboxing, so that you don't have to debug everything with ktrace? So run things as if everything is enabled, but don't actually kill the process, and just log the calls that it would make.

A: You have one thing in pledge, which is you can add the error class; in that case, I don't remember what it does, but the process doesn't get killed. But that's not going to be very helpful, because in the end you still need to use ktrace. ktrace is not perfect, but it's what gives you the best view of what the different processes do, and with ktrace you can trace all the processes, I mean the main process and the sub-processes, and after that it's more or less filtering which processes you're interested in, using timing to figure out what is called before this thing. But it's really black-box debugging, but since you have all the source code, that's another issue, because you have the source code but you can't easily run that huge code base within GDB. The Mozilla developers wrote rr, which is something which works on many platforms, but not, I haven't tried, on OpenBSD, which is record and replay, which is more or less: execute a process and then do step by step forward in the process code paths, which might be very helpful in this case. But other than that, you can just say, if you have a pledge violation, just log an error, but that's not much more. So, yeah, ktrace. Any further questions?

Q: Yeah, you probably won't be surprised. Is there a plan to put the file picker in a separate process that isn't sandboxed, so that you can choose files from that process?

A: You'd have to talk to Mozilla first. It's a good idea, but seriously, I don't think it's that easy. I know one thing: if the idea is picked up by the developers, of course we can adapt it, but we won't be the ones making that effort. And I know it's worse to only have ~/Downloads; I chose that and I've been using it since. Sometimes you have to accept the fact that security comes at a price.

Q: Part of the question is: is OpenBSD the only operating system that has something like this, where you can restrict access to your files? And isn't that...

A: I'll repeat the question for the stream: is OpenBSD the only operating system where we can restrict the view of the file system? I think the Linux developers are working on it; in the long term, the idea is to remove from the process all the things it doesn't need, so I think in the long term it's supposed to be more or less the same on Linux. But as for the sandboxing on the other platforms, since I don't use the other platforms, I haven't really experienced what the effects of having the sandbox on Linux or on Windows are. I'm sure it's done by the upstream developers in a smart way, to block attacks trying to access sensitive files, but I'm not sure. For the sandbox on Linux, there's a big list of paths, so I'm sure .ssh isn't in it, but I'm not sure what happens if you try to do something else. I'm sure that on Linux you can open your keys through the GTK file picker, but that's something you would do as a user; I don't know what path is used if an attacker takes over and tries to do smart things with shellcode or remote code execution and everything, and tries to access the same files. But you have to give the developers credit for doing smart things; every new release fixes bugs, and since the code base is huge you can't fix everything, but I'm sure the state isn't that bad. It's just that on OpenBSD we took another approach, which is: no, you can't access anything else; the system won't give access to sensitive files. Thank you.
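The per-process unveil files, the environment-variable expansion and the "unveiled before it was created" quirk described in the talk, as an added example (not Firefox's or the OpenBSD port's own code): a small C++ parser that turns such a file into the (path, mode) pairs that would be handed to unveil(2), fails closed on malformed lines, and flags create-mode directories that do not exist yet. The exact line format, the set of expanded variables and the sample entries are assumptions modelled on the talk's description.

```cpp
#include <functional>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// One entry of an unveil.<process> file after expansion: path plus mode ("rwcx" subset).
struct UnveilEntry { std::string path; std::string mode; };

// Environment the expansion runs against ($HOME plus the XDG variables); passed
// explicitly rather than read via getenv() so the parser is testable offline.
using Env = std::map<std::string, std::string>;

// Freedesktop base-directory defaults for an unset/empty variable ("" if unknown).
static std::string xdg_default(const std::string& var, const std::string& home) {
    if (home.empty()) return "";
    if (var == "XDG_CONFIG_HOME") return home + "/.config";
    if (var == "XDG_CACHE_HOME")  return home + "/.cache";
    if (var == "XDG_DATA_HOME")   return home + "/.local/share";
    return "";
}

// Expand a leading "~" or "$VAR" (assumed to occur only as a prefix). "" on failure.
std::string expand_unveil_path(const std::string& raw, const Env& env) {
    auto h = env.find("HOME");
    std::string home = (h == env.end()) ? "" : h->second;
    if (raw.empty()) return "";
    if (raw[0] == '~') return home.empty() ? "" : home + raw.substr(1);
    if (raw[0] != '$') return raw;
    size_t slash = raw.find('/');
    std::string var  = raw.substr(1, slash == std::string::npos ? std::string::npos : slash - 1);
    std::string rest = (slash == std::string::npos) ? "" : raw.substr(slash);
    auto it = env.find(var);
    std::string val = (it != env.end() && !it->second.empty()) ? it->second
                                                              : xdg_default(var, home);
    return val.empty() ? "" : val + rest;
}

// Parse one file: "<path> <mode>" per line, "#" starts a comment (format assumed).
// Fails closed: returns false and leaves `out` untouched on the first bad line,
// so a typo cannot silently widen or narrow the sandbox.
bool parse_unveil_config(const std::string& text, const Env& env,
                         std::vector<UnveilEntry>& out) {
    std::vector<UnveilEntry> entries;
    std::istringstream lines(text);
    std::string line;
    while (std::getline(lines, line)) {
        size_t hash = line.find('#');
        if (hash != std::string::npos) line.erase(hash);
        std::istringstream fields(line);
        std::string path, mode, extra;
        if (!(fields >> path)) continue;                       // blank or comment-only
        if (!(fields >> mode) || (fields >> extra)) return false;
        for (char c : mode)
            if (std::string("rwcx").find(c) == std::string::npos) return false;
        std::string full = expand_unveil_path(path, env);
        if (full.empty()) return false;                        // unknown $VAR or no $HOME
        entries.push_back({full, mode});
    }
    out.swap(entries);
    return true;
}

// Pre-flight check for the quirk the talk describes: unveil(2) resolves the path
// when called, so a directory the browser creates afterwards (a fresh user's
// ~/Downloads) stays unusable until restart. `exists` is injected (wrap stat(2)
// in real use) so the check can run offline.
std::vector<std::string> missing_create_dirs(
        const std::vector<UnveilEntry>& entries,
        const std::function<bool(const std::string&)>& exists) {
    std::vector<std::string> missing;
    for (const auto& e : entries)
        if (e.mode.find('c') != std::string::npos && !exists(e.path))
            missing.push_back(e.path);
    return missing;
}

// Constructed sample in the assumed format, mirroring the main-process entries the
// talk lists (/tmp, ~/Downloads, profile, cache, install directory).
std::string sample_config() {
    return
        "# unveil.main (constructed sample, not the port's real file)\n"
        "/tmp rwc\n"
        "~/Downloads rwc\n"
        "~/.mozilla/firefox rwc\n"
        "$XDG_CACHE_HOME/mozilla/firefox rwc\n"
        "/usr/local/lib/firefox rx\n"
        "/usr/local/lib r\n";
}

int main() {
    std::vector<UnveilEntry> entries;
    Env env{{"HOME", "/home/alice"}};                          // XDG_* unset: defaults apply
    if (!parse_unveil_config(sample_config(), env, entries)) return 1;
    for (const auto& e : entries) std::cout << e.path << ' ' << e.mode << '\n';
    return 0;
}
```

Running `missing_create_dirs` on the parsed entries before the browser starts is the check a user would want: a fresh account with no ~/Downloads shows up as missing, which is exactly the "created after unveil, so unusable until restart" case.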