Diffstat (limited to 'toolkit/components/fuzzyfox/Fuzzyfox.h')
-rw-r--r--toolkit/components/fuzzyfox/Fuzzyfox.h123
1 files changed, 123 insertions, 0 deletions
diff --git a/toolkit/components/fuzzyfox/Fuzzyfox.h b/toolkit/components/fuzzyfox/Fuzzyfox.h
new file mode 100644
index 0000000000..9c2919e861
--- /dev/null
+++ b/toolkit/components/fuzzyfox/Fuzzyfox.h
@@ -0,0 +1,123 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_Fuzzyfox_h
+#define mozilla_Fuzzyfox_h
+
+#include "nsIObserver.h"
+#include "nsIObserverService.h"
+#include "nsISupportsPrimitives.h"
+#include "nsThreadUtils.h"
+#include "mozilla/TimeStamp.h"
+
+/*
+ * This topic publishes the new canonical time according to Fuzzyfox,
+ * in microseconds since the epoch. If code needs to know the current time,
+ * it should listen for this topic and keep track of the 'current' time,
+ * so as to respect Fuzzyfox and be in sync with the rest of the browser's
+ * timekeeping.
+ */
+#define FUZZYFOX_UPDATECLOCK_OBSERVER_TOPIC "fuzzyfox-update-clocks"
+
+/*
+ * For Fuzzyfox's security guarentees to hold, the browser must not execute
+ * actions while it should be paused. We currently only pause the main thread,
+ * so actions that occur on other threads should be queued until the browser
+ * unpaused (and moreso than unpauses: until it reaches a downtick.)
+ * This topic indicates when any queued outbound events should be delivered.
+ * TODO: Bug 1484300 and 1484299 would apply this to other communication
+ * channels
+ */
+#define FUZZYFOX_FIREOUTBOUND_OBSERVER_TOPIC "fuzzyfox-fire-outbound"
+
+namespace mozilla {
+
+/*
+ * Fuzzyfox is an implementation of the Fermata concept presented in
+ * Trusted Browsers for Uncertain Times.
+ *
+ * Web Browsers expose explicit (performance.now()) and implicit
+ * (WebVTT, Video Frames) timers that, when combined with algorithmic
+ * improvements such as edge thresholding, produce extremely high
+ * resolution clocks.
+ *
+ * High Resolution clocks can be used to time network accesses, browser
+ * cache reads, web page rendering, access to the CPU cache, and other
+ * operations - and the time these operations take to perform can yield
+ * detailed information about user information we want to keep private.
+ *
+ * Fuzzyfox limits the information disclosure by limiting an attacker's
+ * ability to create a high resolution clock. It does this by introducing
+ * a concept called 'fuzzy time' that degrades all clocks (explicit and
+ * implicit). This is done through a combination of holding time constant
+ * during program execution and pausing program execution.
+ *
+ * @InProceedings{KS16,
+ * author = {David Kohlbrenner and Hovav Shacham},
+ * title = {Trusted Browsers for Uncertain Times},
+ * booktitle = {Proceedings of USENIX Security 2016},
+ * pages = {463-80},
+ * year = 2016,
+ * editor = {Thorsten Holz and Stefan Savage},
+ * month = aug,
+ * organization = {USENIX}
+ * }
+ * https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_kohlbrenner.pdf
+ *
+ * Fuzzyfox is an adaptation of
+ * W.-M. Hu, “Reducing timing channels with fuzzy time,” in
+ * Proceedings of IEEE Security and Privacy (“Oakland”)
+ * 1991, T. F. Lunt and J. McLean, Eds. IEEE Computer
+ * Society, May 1991, pp. 8–20.
+ */
+class Fuzzyfox final : public Runnable, public nsIObserver {
+ public:
+ NS_DECL_ISUPPORTS_INHERITED
+ NS_DECL_NSIOBSERVER
+
+ static void Start();
+
+ NS_IMETHOD
+ Run() override;
+
+ private:
+ Fuzzyfox();
+ ~Fuzzyfox();
+
+ uint64_t ActualTime();
+
+ uint64_t PickDuration();
+
+ void UpdateClocks(uint64_t aNewTime, TimeStamp aNewTimeStamp);
+
+ uint64_t FloorToGrain(uint64_t aValue);
+
+ TimeStamp FloorToGrain(TimeStamp aValue);
+
+ uint64_t CeilToGrain(uint64_t aValue);
+
+ TimeStamp CeilToGrain(TimeStamp aValue);
+
+ bool mSanityCheck;
+ uint64_t mStartTime;
+ uint32_t mDuration;
+
+ enum Tick {
+ eUptick,
+ eDowntick,
+ };
+
+ Tick mTickType;
+
+ nsCOMPtr<nsIObserverService> mObs = nullptr;
+ nsCOMPtr<nsISupportsPRInt64> mTimeUpdateWrapper = nullptr;
+
+ static Atomic<bool, Relaxed> sFuzzyfoxEnabledPrefMapped;
+};
+
+} // namespace mozilla
+
+#endif /* mozilla_Fuzzyfox_h */
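Review bot: The scalar members `mSanityCheck`, `mStartTime`, `mDuration` and `mTickType` are declared without in-class initializers, while the two `nsCOMPtr` members right below them get an explicit `= nullptr`. The constructor is only declared in this header, so whether it sets all four is not visible here; any member it misses would be read with an indeterminate value, which matters for state that presumably drives a timing defence. Consider default member initializers such as `uint64_t mStartTime = 0;`, `uint32_t mDuration = 0;` and `Tick mTickType = eUptick;` (initial values to be confirmed against the .cpp). Separately, the header uses `Atomic<bool, Relaxed>` and `nsCOMPtr` but includes neither `mozilla/Atomics.h` nor `nsCOMPtr.h`; it presumably builds through transitive includes, and including both directly would make it self-contained.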