Media ZDNet reported that Mozilla had just delivered an RLBox sandbox system update to Linux and Mac users and could be enjoyed by upgrading to the Firefox 74/75 version for both platforms. As a widely used technique, sandboxes prevent malicious code from escaping from specific applications and executing at the system level. Firefox’s new RLBox allows it to separate third-party libraries from the application’s code to create a more secure environment.
Infographic (from: Mozilla)
RLBox is an innovative project designed to take the safety of sandboxes to the next level. Instead of isolating the application from the underlying operating system, it separates the internal components of the application (i.e., third-party libraries) from the application’s core engine.
RLBox will be available to Firefox browser users next month, a technology that prevents errors and vulnerabilities found in third-party libraries from affecting another project that uses the library.
The work, which dates back to 2019, is part of a joint effort by the browser developer with academics at the University of California, San Diego, the University of Texas at Austin, and Stanford University.
Mozilla is scheduled to be introduced in Firefox 74 for Linux platforms in March and Firefox 75 for Mac platforms in April.
Initially, the development team put Firefox’s Graphite font library into the RLBox sandbox to run. Future plans include putting other Firefox components into the RLBox sandbox environment and expanding to other platforms, such as Windows.
It should be noted that RLBox is not exclusive to Mozilla Firefox because it is only the first application item to be adopted. In fact, RLBox is also compatible with a common framework for a variety of applications.
The document indicates that RLBox consists of two parts. (1) is a WebAssembly-based sandbox environment, and (2) is a programming API that developers can use to adapt RLBox to other applications and older versions.
The researchers say RLBox’s WebAssembly sandbox environment is based primarily on the Lucet open source WebAssembly compiler and runtime developed by Fastly.
Mozilla Chief Engineer Bobby Holley says it’s important to add RLBox support to Firefox. But their main job includes adapting the sandbox and adding a generic API.
Developers can transform existing projects, most of which have millions of lines of code and dozens of third-party libraries, and are not the same.
Holley adds: “Safety is our headlamp, after all, it’s easy to make dangerous mistakes in a C/C?environment.”
Mozilla has long struggled to get rid of C and C. As a founder and major supporter of Rust, the browser developer clearly wants the language to be a safe alternative to the former.
Rust is used for the first time in Firefox, and Mozilla is currently writing a lot of new code through Rust. Unfortunately, Firefox’s historical code base is so large that it can’t completely say goodbye to C/C? in the short term.