Tuesday, October 9, 2007

A simple trick to improve Firefox security

Firefox can be run with add-ons disabled and so on, but if you run it under Gentoo Linux with the hardened profile, a simple trick gives you two separate Firefox binaries with different PaX markings, and therefore different enforcement of memory permissions and the other PaX features:

Disabling the PaX features via PT_PAX_FLAGS lets most plugins run without issues (although some, acroread for example, need specific permissions set on their own binary to run):

paxctl -pemrxs /usr/lib/mozilla-firefox/firefox-bin

Recommended settings (these may slow Firefox down on some systems, with noticeable overhead under heavy use of JavaScript or AJAX):

paxctl -PEmRXs /usr/lib/mozilla-firefox/firefox-bin

For Acrobat Reader (only Address Space Layout Randomization, ASLR, can be enabled without breaking the application; blame the poorly compiled binary):

paxctl -pemRXs /opt/Acrobat7/Reader/intellinux/bin/acroread

You should try to use a different PDF application anyway, if you really trust any of them :)

Description of the PT_PAX_FLAGS flags:

PaX control v0.4
Copyright 2004,2005,2006 PaX Team

usage: paxctl

-p: disable PAGEEXEC -P: enable PAGEEXEC
-e: disable EMUTRMAP -E: enable EMUTRMAP
-m: disable MPROTECT -M: enable MPROTECT
-r: disable RANDMMAP -R: enable RANDMMAP
-x: disable RANDEXEC -X: enable RANDEXEC
-s: disable SEGMEXEC -S: enable SEGMEXEC

-v: view flags -z: restore default flags
-q: suppress error messages -Q: report flags in short format
-c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
-C: create PT_PAX_FLAGS (see manpage!)

Simply copy the firefox-bin binary to firefox-secure and apply the different flags as necessary.
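To check what a marked binary actually carries, here is an added example (my own code, not from the post): a small Python reader for the PT_PAX_FLAGS program header, which also translates the post's paxctl option strings into the flag word and builds a constructed ELF64 image so it runs offline. The header type and bit positions are the ones PaX adds to elf.h; the letter order follows the paxctl usage text quoted above, not the layout of paxctl's own -v report.

```python
import struct

PT_PAX_FLAGS = 0x65041580  # PaX program-header type (PT_LOOS + 0x5041580)
# (enable bit, disable bit, paxctl letter, feature) in paxctl's usage order;
# bit positions are the PaX elf.h additions (PF_PAGEEXEC = 1<<4, PF_NOPAGEEXEC = 1<<5, ...).
PAX_FLAG_BITS = [
    (1 << 4, 1 << 5, "P", "PAGEEXEC"), (1 << 12, 1 << 13, "E", "EMUTRAMP"),
    (1 << 8, 1 << 9, "M", "MPROTECT"), (1 << 14, 1 << 15, "R", "RANDMMAP"),
    (1 << 10, 1 << 11, "X", "RANDEXEC"), (1 << 6, 1 << 7, "S", "SEGMEXEC"),
]

def find_pax_flags(elf: bytes):
    """Return the p_flags word of the PT_PAX_FLAGS header, or None if the binary is unmarked."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, endian = elf[4] == 2, ("<" if elf[5] == 1 else ">")
    if is64:
        (e_phoff,) = struct.unpack_from(endian + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(endian + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(endian + "I", elf, off)
        if p_type == PT_PAX_FLAGS:
            # p_flags is the second field of Elf64_Phdr but the seventh of Elf32_Phdr
            (p_flags,) = struct.unpack_from(endian + "I", elf, off + (4 if is64 else 24))
            return p_flags
    return None

def decode_flags(p_flags: int) -> str:
    """Upper case = feature forced on, lower case = forced off, '-' = left to the kernel default."""
    return "".join(letter if p_flags & on else letter.lower() if p_flags & off else "-"
                   for on, off, letter, _ in PAX_FLAG_BITS)

def flags_from_paxctl(opts: str) -> int:
    """Turn a paxctl letter string such as '-PEmRXs' into the p_flags word it writes."""
    table = {}
    for on, off, letter, _ in PAX_FLAG_BITS:
        table[letter], table[letter.lower()] = on, off
    return sum(table[ch] for ch in set(opts.lstrip("-")))  # KeyError on an unknown letter

def make_elf64(p_flags: int) -> bytes:
    """Constructed sample: an ELF64 header plus a single PT_PAX_FLAGS program header."""
    ehdr = struct.pack("<4sBBBBB7sHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0, b"\0" * 7,
                       2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 0)
```

Against a real file, `decode_flags(find_pax_flags(open("/usr/lib/mozilla-firefox/firefox-secure", "rb").read()))` should print the same letters you passed to paxctl; a `None` result means the copy was never marked and runs under the kernel's default policy.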