Flash Player Protected Mode for Firefox

-


1.  Protected mode的源起
為了避免Flash Player在執行時存取到敏感的資源,並防止攻擊者觸發一些bug傷害系統。故讓Flash Player在受限制的低授權(integrity)環境下運行,該系統先被實作於Adobe Reader X sandbox中。(http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-part-1-design.html)
http://blogs.adobe.com/asset/files/2010/10/Sandbox-Diagrams3.png
可以使用一些process監控軟體,可以發現:http://blogs.adobe.com/asset/files/2012/06/three_processes.jpg
Flash player執行在Firefox時,會發現有三個process在運行。
  • “plugin-container.exe.”
    Firefox    plugins接口,當Firefox運行plugins時會使用此獨立的process來執行。 
  • FlashPlayerPlugin – Medium IntegrityBroker process,用來當作sandbox版本的中間版本,sandbox可以在此broker process完整運行它的內容。此架構對於Broker process留有彈性,未來也能調整broker process功能上的限制。   
  • FlashPlayerPlugin – Low Integrity 
    針對需要被限制的功能就會將之隔絕,主要是運作Flash player engineWeb content的呈現。
2. 限制的方式
sandbox的功能被運行於Windows Vista/Windows 7作業系統。
  • Low integrity可以防止存取到寫入到使用者的profile或是registry(這些需要medium integrity權限)
  • Security Identifiers (SIDs)的條件設置更嚴格,關閉繼承於grouppermission
  • Job restrictionrestricting access to USER Handles and Administrator Access避免sandboxes干擾OS,限制只能存取到Parameters, Display Settings, Exit Windows and Desktop
3. 架構
 http://blogs.adobe.com/asset/files/2012/06/FlashPlayer_Sandbox_v2.jpg
OS broker at Medium integrity守護不被信任的sandbox與作業系統間的存取。Sandbox存取必須請求OS broker process的許可來存取敏感的資源檔。Sandbox包括了被定義允許和不允許的規範。此架構確保sandbox不會去直接存取OS而不事先透過broker。

Flash Player sandbox已經在IE, Chrome所實作過,目前在Firefoxsandbox即是Chrome sandbox再添加job limits on process。未來會持續改進,包括Chrome Pepper Flash Player Sandbox

4. 關閉方式
目前在Firefox有時會遇到Youtube影片或是一些Flash內容載入比較慢的問題,大致上都可以透過關閉Protected Mode方式做解決,關閉方式如下:
  • Windows 32bit: C:\Windows\System32\Macromed\Flash
  • Windows 64bit C:\Windows\SysWOW64\Macromed\Flash
mms.cfg加上ProtectedMode=0

Reference:
http://blogs.adobe.com/asset/2012/06/inside-flash-player-protected-mode-for-firefox.html

Comments

Post a Comment

Popular posts from this blog

Drawing textured cube with Vulkan on Android

-
Image
Vulkan is a modern hardware-accelerated Graphics API. Its goal is providing an high efficient way in low-level graphics and compute on modern GPUs for PC, mobile, and embedded devices. I am personally working a self training project, vulkan-android , to teach myself how to use this new APIs. The difference between OpenGL and Vulkan OpenGL: Higher level API in comparison with Vulkan, and the next generation of OpenGL 4 will be Vulkan.   Cross-platform and Cross-language (mostly still based on C/C++, but people implemented diverse versions and expose similar API binding based on OpenGL C++, WebGL is a good example).  Mainly used in 3D graphics and 2D image processing to interact with GPU in order to achieve hardware acceleration. Don't have a command buffer can be manipulated at the application side. That means we will be easily see draw calls being the performance bottleneck in a big and complex 3D scene. Vulkan: Cross-platform and low-overhead. Erase the boundary bet...
Read more

glTF loader for Android Vulkan

-
Image
This post is going to introduce how we integrate with an existing glTF loader library to make it be able to show glTF models in our Vulkan rendering framework,  vulkan-android . tinygltf In the beginning, we don't want to make our new own wheel, so choosing  tinygltf as our glTF loader. tinygltf is a C++11 based library that would help us support all possible cross-platform project easily. tinygltf setup in Android Studio In  vulkan-android  project, we put third party libraries into third_party folder. Therefore, we need to include tinygltf from third_party folder in app/CMakeLists.txt as below. set(THIRD_PARTY_DIR ../../third_party) include_directories(${THIRD_PARTY_DIR}/tinygltf) Model loading from tinygltf We are going to load a gltf ASCII or binary format model from the storage. tinygltf provides two APIs , they are LoadBinaryFromFile() and LoadASCIIFromFile() respectively based on the extension name is *.glb or *.gltf. TinyGLTF loader will return a tiny...
Read more

C++ unit testing & CI integration in GitHub (I/2)

-
Image
I am working on a side project,  Vulkan-Android , that is based on Java, JNI, C++, and Vulkan for Android platform. It also uses my C++ math library. Therefore, the requirement of my build and unit tests are around C++. First of all, I would make sure the unit tests in local are run properly. C++ unit test on Mac OS On Mac OS, I think the most convenient way to do unit testing for C++ is writing XCT in Xcode. In the beginning, we need to create a test plan in Xcode. It will helps us create a schema, then, in the test navigator, create a new Unit Test Target. Due to XCT was originally designed for Objective-C or Swift, if we wanna test our C++ code, we need a workaround by making the file extension name to be *.mm . And then, write down the unit tests as below: #import <XCTest/XCTest.h> #include "Vector3d.h" using namespace gfx_math; @interface testVector3D : XCTestCase @end @implementation testVector3D - (void)setUp { // Put setup code here. This method is cal...
Read more