Security/Sandbox/2018-04-12

Getting MinGW x64 Running
- First: Getting it debuggable with symbols
- Written my own PE Parser.
- Patched and Cross-Compiled gdb x86 and x64
- Have written my own DWARF parser. It has been running for 7 hours. DWARF is horrible. ASN1 looks like CSV next to DWARF.
Timer Intermittents
Followup from a previous bug. I had asked about ways to put in a debugging message; got pointed at NS_WARNING
- Problem: Issue only occurs in opt builds. Is there anything between MOZ_LOG (which would require people to set the correct flag) and MOZ_RELEASE_ASSERT ?

IPC Fuzzer
- bug 1452625 - bumped in-tree copy of libFuzzer (to bring in a change I made upstream)
- bug 1451859 - put WIP patch on phabricator (haven't updated in a week though)
- Fixed file descriptor leak
- Fuzzer doesn't appear to ever make its way into AllocPBrowserParent, trying to figure out why
We now have access to a SQL-for-code tool for doing custom static analysis!
- Used it to find all instance of a bad pattern in our IPC
- lgtm.com
IPC fixes
Filed bug 1453338 - make it possible to implement IPDL protocols in Rust. Don't intend to work on it, but I can dream!

bug 1452090 - Only enable handle verifier on 32-bit Nightly and debug builds
- Landed. No hits yet, might see if release management are receptive to turning it on for EARLY_BETA_OR_EARLIER.
- Tiny follow-up bug 1453639 - Call InitializeHandleVerifier before other sandbox calls.
- Looks like preceding changes, have made a least one sec-bug now a safe crash.
bug 1451376 - Fixed on m-c, beta and esr52.
Canvas remoting.
- Have a grasp on this code now.
- Working on a version that just records in memory and passes whole recording via shmem.
- Will then start looking into streaming the recording as it is records.

…why did the font size in Etherpad change.
The last (I hope?) 60 regressions are uplifted (sudo firefox, Snap vs. network namespace)
To do: write some kind of announcement about the sandbox improvements in 60
Some IPC things that were annoying me:
- bug 1436156 - CHECK() being a warning
- bug 1278361 - double close on EINTR (maybe responsible for the mysterious EOFs)
- bug 1401776 - raise file descriptor limits
- (Because I went searching for "Sandbox: Unexpected EOF" and found some untriaged dups of those last two)
bug 1439057 - Dusting off /dev/shm access changes
- The plan of passing the broker across exec has some issues
- But I have another plan; see my last comment
Reviews.
(Somehow we wound up talking about information-theoretic entropy vs. thermodynamic entropy, and I threatened to go find my undergrad thermodynamics text.)

bug 1395504 - Infinite hang of web content process when parent process crashes
- Root caused to be a breakpad bug
bug 1452278 - [Mac] Make nsOSHelperAppService::GetFromTypeAndExtension() not call OS MIME API's in content
- Looking into moving all Mac MIME-related into parent, making child nsOSHelperAppService generic
#25737 Tor Browser's update check bypassed Tor once on macos, because of xpcproxy?
- https://trac.torproject.org/projects/tor/ticket/25737
Will miss plat integration meeting due to appt.

bug 1366256 - NPAPI sandbox level 3
- Win10 loaners dont grant admin access so no debugger.
bug 1446499 - FunctionHook::HookProtectedMode should be persistent
- uplifted

On win32k lockdown, assuming no major developments, we have separation area pinpointed for canvas and webgl. SHIPIT!
- ballpark time frame for these projects based on what we know now (in quarters)
Itemize performance tests we'll use as release criteria for win32k lockdown
Trade-off decision(s) over the next three quarters: win32k lockdown on Windows vs. mixed hardening work?
- webrenderer will ship in 64 to 4% of release population (assuming it ships on current schedule).
- 66 is the pwn2own 2019 challenge release: 11-26-18 - nightly, 1-7-19 uplift to beta
- when would we enable win32k lockdown on nightly for testing?
- I don't see us shipping this in 66 without pixie dust

Contents