1. 41

  2. 6

    Any measurements on resource usage? My tab count on Firefox quite often exceeds 100, and with current architecture, the resident memory cost of a processes make up only a small portion of total memory usage. With Chrome, high memory usage is one of the main problems I encountered, so I fear that with this model Firefox might turn that way as well.

    1. 3

      I’ve also got about 100 tabs open divided over 4 windows. Currently Firefox only has 13 processes running, of which 5 are named “FirefoxCP Isolated Web Content” on macOS, so it looks like it only creates processes for recently used tabs.

      1. 2

        IIUC there is a process per domain (i.e. not a process per tab, like in Chrome), which should cut down some memory use. But yeah, I don’t know much of the specifics.

        1. 3

          It’s process per site.

          1. 2

            Because the OS can just swap out the idle ones?

        2. 4

          Wow, pleasantly surprised that Project Fission can now be used outside of Firefox nightly. I have been waiting for years for some privilege separation in Firefox. Hopefully this will be a good start to get to the security level of Chrome as discussed here and here.

          1. 4

            The OpenBSD discussion is from 2018 and has long since been outdated. The other article was discussed (and partially debunked) on lobste.rs a few weeks ago at https://lobste.rs/s/eys36p/firefox_chromium :)

            (Obviously, you’re all allowed to perceive my opinion as heavily biased. I work on Firefox Security.)

            1. 2

              I purposely didn’t link to the discussion on lobste.rs because unfortunately that discussion didn’t focus on privilege separation. I think most points from both the OpenBSD discussion and the other one still stand for Firefox as long as Fission is not enabled (and it’s not enabled by default just yet). Although there is some separation of privileges in Firefox’s internal architecture, it never came close to the level at which Chrome separates privileges and uses this to protect one site from another by extensively using security features from the operating system. I think once Fission is enabled by default, the groundwork is ready to get seriously started on hardening each individual process and getting on par with Chrome w.r.t. software security. Only then would I say the story can be “debunked”. ;-) Or to repeat Theo de Raadt’s words from 2018:

              > It is my understanding that firefox says they are catching [up], but all I see is lipstick on a pig. It now has multiple processes. That does not mean it has a well-designed privsep model. Landry’s attempt to add pledge to firefox, shows that pretty much all processes need all pledges.

              1. 9

                > Landry’s attempt to add pledge to firefox, shows that pretty much all processes need all pledges

                And my fully working patch to add Capsicum to Firefox shows that this is a problem with the pledge model, not with Firefox ;)

                > never came close to the level in which Chrome separates privileges and uses this to protect one site from another by extensively using security features from the Operating System

                On the mainstream OSes, Firefox literally uses the same Chromium sandbox code to use these platform features, btw.

                1. 5

                  Do you know how it handles setting up the IPC channels? Chromium made a spectacularly bad design choice here: service endpoint capabilities are random identifiers, so any sandboxed process that can guess the name of an endpoint can connect to it. This means that any information leak from a privileged process (including cache side channels from prime-and-probe attacks by the renderer process) has the potential to be a sandbox escape. Every other compartmentalised program that I’ve seen uses file descriptors / handles as channel endpoints and either sets them up at process creation time or has a broker that authorises them based on identity or other attestations.

                  1. 2

                    Firefox does currently use legacy Chromium IPC as a transport. Are you referring to this Windows channel ID thing? This mechanism is not used on POSIX, it’s all SCM_RIGHTS. That’s really the only usage of randomness I could find in ipc/chromium. Well, also this macOS mach port process launching thing.
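                    The descriptor hand-off that the two comments above contrast with guessable endpoint names, as an added example that is not Firefox or Chromium code: a broker passes the read end of a pipe over a Unix-domain socket with SCM_RIGHTS, so the receiving side can only use what it was explicitly given rather than anything it can name. Function and variable names are my own; it assumes a Linux or BSD system.

                    ```c
                    #include <string.h>
                    #include <sys/socket.h>
                    #include <sys/uio.h>
                    #include <unistd.h>

                    /* Hand one descriptor to the peer over a Unix-domain socket (SCM_RIGHTS). */
                    static int send_fd(int sock, int fd) {
                        char byte = 0;
                        struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
                        char cbuf[CMSG_SPACE(sizeof(int))];
                        memset(cbuf, 0, sizeof cbuf);
                        struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                                              .msg_control = cbuf, .msg_controllen = sizeof cbuf };
                        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
                        c->cmsg_level = SOL_SOCKET;
                        c->cmsg_type = SCM_RIGHTS;
                        c->cmsg_len = CMSG_LEN(sizeof(int));
                        memcpy(CMSG_DATA(c), &fd, sizeof(int));
                        return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
                    }

                    /* Receive a descriptor; the kernel installs it in our table, there is no name to guess. */
                    static int recv_fd(int sock) {
                        char byte;
                        struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
                        char cbuf[CMSG_SPACE(sizeof(int))];
                        struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                                              .msg_control = cbuf, .msg_controllen = sizeof cbuf };
                        if (recvmsg(sock, &msg, 0) != 1) return -1;
                        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
                        if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
                        int fd;
                        memcpy(&fd, CMSG_DATA(c), sizeof(int));
                        return fd;
                    }

                    /* Constructed demo: the "broker" side hands the read end of a pipe to the
                     * "sandboxed" side, then writes through the write end; returns the byte
                     * read via the received descriptor, or -1 on any failure. */
                    static int capability_handoff_demo(void) {
                        int pair[2], pipefd[2];
                        if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) < 0 || pipe(pipefd) < 0) return -1;
                        if (send_fd(pair[0], pipefd[0]) < 0) return -1;
                        int granted = recv_fd(pair[1]);
                        if (granted < 0) return -1;
                        char in = 'A', out = 0;
                        if (write(pipefd[1], &in, 1) != 1 || read(granted, &out, 1) != 1) return -1;
                        close(pair[0]); close(pair[1]); close(pipefd[0]); close(pipefd[1]); close(granted);
                        return out;
                    }
                    ```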

                  2. 3

                    Very interesting! I hope to have some time at some point to look into it in more depth. :)

            2. 1

              Little feedback: The images aren’t shown correctly on Firefox for Android. They only show ~half the image, as they apparently have a left margin/padding that prevents them from being shown at the correct place. (Try the responsive design mode in the developer tools.)