Investigating the security of the Firefox OS

Have you read the latest issue of our digital (IN)SECURE Magazine? If not, do it now.

Firefox OS is Mozilla’s foray into the mobile operating system field and promises a more adaptive mobile OS. But as mobile threats, in particular in the Android platform, has gained momentum, the question in everyone’s mind is – how safe is it?

About a month ago, Telefonica announced that it had launched the Firefox OS – Mozilla’s mobile operating system – in Colombia and Venezuela. Separately, ZTE is also selling Firefox OS devices via their eBay store directly to end users.

The Firefox OS uses uses a Linux kernel and boots into a Gecko-based runtime engine, which lets users run apps developed entirely using HTML, JavaScript, and other open web technologies. Overall, Firefox possesses good app permission management, but core processes (with more privileges) may become a target for exploits. In addition, HTML5 features may become sources of potential vulnerabilities.

Firefox OS architecture overview
The Firefox OS has to connect web-based applications to the underlying hardware. It does this using an integrated technology stack consisting of the following levels:

Gonk consists of the Linux kernel, system libraries, firmware, and device drivers.

Gecko is the application runtime layer that provides the framework for app execution, and implements the Web APIs used to access features in the mobile device. Gaia is the suite of web apps that make up the user experience (apps consist of HTML5, CSS, JavaScript, images, media, and so on). The Gecko layer acts as the intermediary between web apps (at the Gaia layer) and the phone. It also enforces permissions and prevents access to unauthorized requests.

Application security
Firefox OS also has its own application layer design. There are three kinds of apps: hosted apps, privileged apps and certified apps.

Hosted apps can be installed from any website, without any further verification. This doesn’t grant the app any additional permissions besides those already exposed to a web site. Privileged apps are allowed to request more permissions, but they must be verified and signed by a Marketplace (i.e., app store). Certified apps, which have the most permissions, can only be pre-installed on the device by the manufacturer.

There is a B2G process in the Gecko layer that has high privileges running in the background, and every app will run in a content process with low authority. Every request to the device asked by an app needs to pass to B2G process first, and the B2G process will check the permissions of the app.

Firefox OS also contains extensive sandboxing. Each app runs in its own worker space and it has access only to the Web APIs and the data it is permitted to access, as well as the resources associated with that worker space (Indexed DB databases, cookies, offline storage, and so on).

In addition, apps communicate only with the B2G process, not with other processes or apps. Apps do not run independently of B2G, nor can apps “open” each other. The only “communication” between apps is indirect, and is mediated by the B2G process.

Exploiting the B2G process
The B2G process is a core process of Firefox OS. It is in the Gecko layer in the Firefox OS technology stack. If this process is exploited, an attacker can obtain high-level privileges (like root access.)

Approximately a month ago, a vulnerability in Firefox 17 was found which could be used to run arbitrary code. We have confirmed that this vulnerability can also cause the B2G process to crash, and that we can also control the IP (Instruction Pointer). This would allow an attacker to run arbitrary code on the device with the privileges of the B2G process.

Mozilla’s documentation itself states the exploitation of B2G process is a possible attack point for Firefox OS. This is because that content process can send dirty data to the B2G process.

HTML5 vulnerabilities
Because the apps for Firefox OS are built using HTML5 apps, we can expect that the HTML5 vulnerabilities will be used to exploit Firefox OS in the future. Independent research has said that HTML5 features can be used to do memory fills for heap sprays.

The HTML5 command Uint8ClampedArray can be used to fill memory with high efficiency and easy to write code. It is easy to find a steady address filled with the payload using Uint8ClampedArray. HTML5 Web workers to fill memory quickly in using multiple threads, reducing the amount of time necessary to fill the memory.

In our previous study of HTML5, we tackled on how this can be abused and can result to various attacks, including spamming, unauthorized bitcoin generation, phishing and a browser-based botnet. Since these HTML5-based attacks will be memory-based, traditional antimalware solutions will be challenging.

Though the Firefox OS may not enjoy the market of the Android OS, the use of HTML5 is gradually gaining traction among users (Amazon also accepts HTML5 for its apps). Thus, regardless of OS, we can expect that as more apps and sites will use HTML5, such attacks will increase in the future.

We believe that Firefox OS will face attack like other mobile OS. The most harmful attack may be exploiting the B2G process. And, resources from browser exploitation would be useful for exploiting Firefox OS because it is Gecko based and its apps are written by HTML5. Users, on the other hand, will benefit from understanding the risks involved in using HTML5 and how they can avoid these.

Update, 26 September 2013: A Mozilla spokesperson comments on this article: “When building Firefox OS we’ve considered a variety of potential attack scenarios and included numerous defenses to protect our users. The theoretical attack described would require additional defense systems to be bypassed. For example, Firefox OS has an additional security barrier between Web content and the core OS, which would stop the attack as described in the article. However, as we always place user security in high regards we are still adding additional security controls such as sandboxing to further protect our users. In addition, the specific vulnerability mentioned has already been patched in the next release of Firefox OS, which is available to OEMs.”