Hardening WebKit2
Thiago Marcos P. Santos
Intel Corporation
Images source: Wikimedia.org
Trademarks and logos belong to their respective owners.

[Slides 2-4: images; label: example.com. Slide 5: logos]
[Slides 6-8: logos; labels: WebKit2, Linux, Tizen]
[Slides 9-10: diagram of UIProcess and WebProcess connected by IPC]
[Slide 11: diagram of UIProcess, WebProcess and NetworkProcess connected by IPC]
[Slides 12-14: images; label: WebProcess]
[Slide 15: diagram of WebProcess and BrokerProcess connected by IPC, with the file access policy below]

$HOME/.browser/example.com/* (rw)
$HOME/.browser/defaults.conf (r)
/usr/share/fonts/* (r)
/* (not allowed)
Seccomp Filters
● Linux Kernel 3.5
● Ubuntu 12.04
● Whitelist syscalls
● Blacklist syscalls
● Trap syscalls and inspect their parameters
● Make it possible to emulate a syscall
● ~370 syscalls: libseccomp to the rescue
WebProcess

    // Load seccomp filters
    // Load website
    fd = open(path)
    write(fd, data) // IO
    close(fd)
    unlink(path)
    free(pointer)

BrokerProcess (over IPC)

    // Receive serialized syscalls
    // Execute if allowed
    // Send back results
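The broker's "execute if allowed" step, applied to the slide-15 file policy, as an added example that is not WebKit2's code: Rule, samplePolicy, canonicalize and brokerAllowsOpen are hypothetical names, and $HOME is assumed to expand to /home/user. The requested path is canonicalized before matching so that ".." components cannot step out of an allowed directory.

```cpp
// Added example (hypothetical names, not WebKit2's code): broker-side open() check.
#include <fcntl.h>
#include <cstdio>
#include <string>
#include <vector>
enum { PERM_NONE = 0, PERM_R = 1, PERM_W = 2 };
struct Rule { std::string path; bool subtree; int perms; };

// The slide-15 policy, with $HOME expanded to a constructed /home/user.
std::vector<Rule> samplePolicy() {
    return { {"/home/user/.browser/example.com/", true, PERM_R | PERM_W},
             {"/home/user/.browser/defaults.conf", false, PERM_R},
             {"/usr/share/fonts/", true, PERM_R} };  // anything else: not allowed
}

// Lexical canonicalization: drops "." and empty components, resolves "..".
// Symlinks are NOT resolved; a real broker must also account for them.
std::string canonicalize(const std::string& p) {
    if (p.empty() || p[0] != '/') return "";  // relative paths are rejected
    std::vector<std::string> parts;
    for (size_t i = 0; i < p.size();) {
        size_t j = p.find('/', i);
        if (j == std::string::npos) j = p.size();
        std::string c = p.substr(i, j - i);
        if (c == "..") { if (!parts.empty()) parts.pop_back(); }
        else if (!c.empty() && c != ".") parts.push_back(c);
        i = j + 1;
    }
    std::string out;
    for (size_t k = 0; k < parts.size(); ++k) out += "/" + parts[k];
    return out.empty() ? "/" : out;
}

bool brokerAllowsOpen(const std::vector<Rule>& policy, const std::string& path, int flags) {
    const std::string canon = canonicalize(path);
    int acc = flags & O_ACCMODE;
    int need = acc == O_RDONLY ? PERM_R : acc == O_WRONLY ? PERM_W : PERM_R | PERM_W;
    if (flags & (O_CREAT | O_TRUNC)) need |= PERM_W;  // these modify the filesystem
    for (size_t k = 0; k < policy.size(); ++k) {
        const Rule& r = policy[k];
        bool hit = r.subtree ? canon.compare(0, r.path.size(), r.path) == 0 : canon == r.path;
        if (hit) return (r.perms & need) == need;
    }
    return false;  // default deny, the "/* (not allowed)" rule
}

int main() {  // constructed probe: traversal out of the fonts directory
    bool ok = brokerAllowsOpen(samplePolicy(), "/usr/share/fonts/../../../etc/passwd", O_RDONLY);
    std::printf("%s\n", ok ? "allow" : "deny");
}
```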
Additional information
● Performance implications
    ● open() ~28x slower
    ● 15.000 open()'s in ~590ms
● Source code
    # ls Source/WebKit2/Shared/linux/SeccompFilters/*
● How to build
    # ./Tools/Scripts/build-webkit --efl -2 --seccomp-filters
● Documentation
    http://tinyurl.com/seccompwk2
Questions?
[Slides 21-24: diagrams of UIProcess and WebProcess connected by IPC, labelled WebKit (slides 21 and 23) and Chromium (slides 22 and 24); slide 22 also carries the label VirtualPlatform]