Benjamin Smedberg:
> On 5/22/2014 6:51 AM, Mike Perry wrote:
> > Hrm.. What is the nature of the barrier between the $EVILBLOB and the
> > CDM host, then?
>
> There are two processes, the Firefox process and the Adobe-EME-plugin
> process. Both processes run Mozilla binaries. Let's presume for the
> moment that those are called firefox.exe and plugin-container.exe.
>
> When the user requests DRM activation, firefox.exe will set up launching
> plugin-container.exe in a sandbox. This sandbox does not have access to
> most OS APIs, including any networking or filesystem APIs. The only data
> that the sandbox has is whatever firefox.exe gives it access to via
> known pipes.
>
> plugin-container.exe then loads the Adobe DRM DLL and feeds it the data
> as requested by firefox.exe and sends the information back to firefox
> over the pipes.
>
> The Adobe DLL is free to poke around and check for instance that
> plugin-container.exe is a binary that it expects before proceeding. But
> it can't go to the network or the filesystem or store any persistent
> identifiers because it doesn't have access to those OS calls.
I am confused by trying to reconcile this description with Henri's earlier
statement that the CDM Host is a Firefox-provided, authenticated executable
that extracts device-identifying information, and only allows $EVILBLOB to
obtain a salted, hashed derivative of this information.

Based on the combination of your and Henri's statements, it sounds like the
CDM Host (plugin-container.exe) process is still allowed a large degree of
access to OS APIs/interfaces in order to extract device-identifying
information. Unless these privileges are subsequently dropped by
plugin-container.exe after extracting this information but *before*
executing any $EVILBLOB code, then if $EVILBLOB is exploited, it will still
access these APIs, which it may be able to use to break out of the sandbox,
or at least to directly obtain device-identifying information for its own
purposes. In other words, $EVILBLOB does not truly have least privilege
under this model.

Is Adobe/Hollywood against letting $EVILBLOB run in NaCl/asm.js or a
similar restricted VM? Or is this just a significant engineering effort?

-- 
Mike Perry
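The ordering Mike Perry is asking about (extract device-identifying information while privileged, drop those privileges, and only then run $EVILBLOB, which sees just the salted, hashed derivative) as a small Python model. This is an added example, not Mozilla or Adobe code; the OS call, the device identifier, the salt and the "greedy" CDM are constructed stand-ins.

```python
# Toy model of the CDM Host sequencing debated above (constructed example, not
# Mozilla or Adobe code). plugin-container.exe is modeled as CDMHost: it reads
# a device id while it still holds a privileged OS call, keeps only a salted
# HMAC-SHA256 derivative for the CDM, and drops that call before CDM code runs.
import hashlib
import hmac

def derive_identifier(salt: bytes, raw_device_id: str) -> str:
    """Salted, hashed derivative: the only identifier the CDM should see."""
    return hmac.new(salt, raw_device_id.encode(), hashlib.sha256).hexdigest()

class CDMHost:
    def __init__(self, read_device_id, salt: bytes) -> None:
        self._os_read_id = read_device_id  # privileged call, dropped before CDM runs
        self._salt = salt
        self.derived_id = None

    def extract_identifier(self) -> str:
        """Step 1: use the privileged call, retain only the derivative."""
        self.derived_id = derive_identifier(self._salt, self._os_read_id())
        return self.derived_id

    def drop_privileges(self) -> None:
        self._os_read_id = None  # step 2: no raw OS access for code loaded later

    def read_device_id(self) -> str:
        """Raw path a compromised CDM would try; fails once privileges are gone."""
        if self._os_read_id is None:
            raise PermissionError("raw device id unavailable after privilege drop")
        return self._os_read_id()

    def load_cdm(self, cdm_entry) -> str:
        """Step 3: refuse to run CDM code while the raw call is still live."""
        if self._os_read_id is not None:
            raise PermissionError("CDM loaded while raw OS API still reachable")
        return cdm_entry(self)

def greedy_cdm(host: CDMHost) -> str:
    """Constructed CDM that tries the raw id first, then settles for the derivative."""
    try:
        return host.read_device_id()
    except PermissionError:
        return host.derived_id

def activate(device_id: str, salt: bytes) -> str:
    """Least-privilege ordering: extract, drop, then load. Returns what the CDM saw."""
    host = CDMHost(lambda: device_id, salt)  # lambda stands in for the OS call
    host.extract_identifier()
    host.drop_privileges()
    return host.load_cdm(greedy_cdm)
```

Calling `load_cdm` before `drop_privileges` raises, which is the check that is missing if the host keeps its OS access while the blob executes.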
_______________________________________________
dev-privacy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-privacy
