Though both features are still some time in the future

Jan 23, 2012 21:21 GMT  ·  By

The move to the new rapid release cycle has definitely injected new energy into Firefox development. Firefox 10 is around the corner, even though Firefox 4 landed less than a year ago. In that time the browser has evolved: it is faster, less memory-hungry, and boasts plenty of new features as well as better support for new web standards.

But there is one department where Firefox may still be a little behind: security. Firefox is not an insecure browser compared to the other popular browsers, but it is lacking some big features, especially ones that Google Chrome, which has become the gold standard, boasts, notably sandboxing and JIT hardening.

According to a recent interview, though, Mozilla is working on just those features, although the work is more advanced in some areas than in others.

A recent report, created by an independent company but paid for by Google, found Firefox to be lacking in a couple of areas in particular.

One of them is just-in-time (JIT) compilation hardening, a relatively new concept. Modern browsers, in order to squeeze the last bit of performance out of JavaScript, compile part of the code and run it in a form closer to native code rather than through a JavaScript interpreter.

This leads to huge performance gains, but it also opens up new avenues for attack, since browsers often do not apply the same protections to the memory they allocate for JIT-compiled JavaScript that an operating system would apply to ordinary executable code.

JIT hardening addresses exactly this: it is the set of security measures that make it harder for attackers to use JavaScript code to take control of the computer.
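Constant blinding is one widely used JIT-hardening measure of the kind the article alludes to. The following added example (not from the article, and not Mozilla's code) emits the bytes a simplified x86 JIT would produce for a script-controlled 32-bit constant with and without blinding, checks whether the constant survives verbatim in the emitted code, and decodes both variants to confirm the computed value is unchanged; SCRIPT_IMM, BLIND_KEY and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define SCRIPT_IMM 0x41424344u /* constructed: a literal that script code controls */
#define BLIND_KEY  0x5A17C3E9u /* constructed: a real JIT draws a fresh random key */
/* Store v as four little-endian bytes, the way x86 encodes an imm32 operand. */
static void put_le32(uint8_t *out, uint32_t v) {
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(v >> (8 * i));
}
/* Unhardened JIT: "mov eax, imm32" (0xB8 + imm), so the script's constant lands
   byte-for-byte in executable memory. Returns the number of bytes emitted. */
size_t jit_naive(uint8_t *out, uint32_t imm) {
    out[0] = 0xB8; put_le32(out + 1, imm);
    return 5;
}
/* Constant blinding: "mov eax, imm ^ key" then "xor eax, key" (0x35 + key). eax
   still holds imm at run time, but neither emitted constant is attacker-chosen. */
size_t jit_blinded(uint8_t *out, uint32_t imm, uint32_t key) {
    out[0] = 0xB8; put_le32(out + 1, imm ^ key);
    out[5] = 0x35; put_le32(out + 6, key);
    return 10;
}
/* Compile SCRIPT_IMM with the naive (blinded == 0) or hardened (blinded != 0) JIT. */
static size_t compile(uint8_t *code, int blinded) {
    return blinded ? jit_blinded(code, SCRIPT_IMM, BLIND_KEY) : jit_naive(code, SCRIPT_IMM);
}
/* 1 if the little-endian bytes of SCRIPT_IMM occur anywhere in the emitted code. */
int constant_visible(int blinded) {
    uint8_t code[16], pat[4];
    size_t n = compile(code, blinded);
    put_le32(pat, SCRIPT_IMM);
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(code + i, pat, 4) == 0) return 1;
    return 0;
}

/* Run the emitted code through a minimal decoder for the two opcodes used above;
   both variants must leave SCRIPT_IMM in eax, so blinding costs no correctness. */
uint32_t executed_value(int blinded) {
    uint8_t code[16];
    size_t n = compile(code, blinded);
    uint32_t eax = 0;
    for (size_t i = 0; i + 5 <= n; i += 5) {
        uint32_t imm = 0;
        for (int k = 0; k < 4; k++) imm |= (uint32_t)code[i + 1 + k] << (8 * k);
        if (code[i] == 0xB8) eax = imm; else if (code[i] == 0x35) eax ^= imm;
    }
    return eax;
}
```

With the naive JIT the constant's bytes appear verbatim in executable memory; with blinding they do not, while the value the code computes is identical.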

"The reality is that the way our JIT engine is built makes it somewhat resilient to JIT Spraying attacks," Johnathan Nightingale, director of Firefox Engineering at Mozilla, said in an interview.

"But there is still work we can do on that class of vulnerability to just get it out of the realm of even the theoretical -- and that work is ongoing," he said.

A second, somewhat warranted, criticism of Firefox security is the lack of a process sandbox. Google Chrome, quite famously, has been built from the start with sandboxing in mind: its processes are isolated from the main system memory, from other processes and so on via the sandbox, ensuring that even if something goes wrong, the damage is contained.

Mozilla is working on this too, though it is still assessing the issue. The fact is, it is quite difficult to bolt sandboxing onto the existing Firefox code, and Mozilla is looking at ways to do this, or even whether it is feasible at all.

"Sandboxing has some real benefits, but it's not a silver bullet," Nightingale said. "It is something that our platform team is looking at really closely."