Behind the Scenes: Hardening Firefox with Claude Mythos Preview
Two weeks ago we announced that we had identified and fixed an unprecedented number of latent security bugs in Firefox with the help of Claude Mythos Preview and other AI models. In this post, we’ll go into more detail about how we approached this work, what we found, and advice for other projects on making good use of emerging capabilities to harden themselves against attack.
Suddenly, the bugs are very good

Just a few months ago, AI-generated security bug reports to open source projects were mostly known for being unwanted slop. Dealing with reports that look plausibly correct but are wrong imposes an asymmetric cost on project maintainers: it’s cheap and easy to prompt an LLM to find a “problem” in code, but slow and expensive to respond to it. It is difficult to overstate how much this dynamic changed for us over a few short months. This was due to a combination of two main factors. First, the models got a lot more capable. Second, we dramatically improved our techniques for harnessing these models — steering them, scaling them, and stacking them to generate large amounts of signal and filter out the noise.
Ordinarily we keep detailed bug reports private for several months after shipping fixes and issuing security advisories, largely as a precaution to protect any users who, for whatever reason, were slow to update to the latest version of Firefox. Given the extraordinary level of interest in this topic and the urgency of action needed throughout the software ecosystem, we’ve made the calculated decision to unhide a small sample of the reports behind the fixes we recently shipped. We’ve attempted to draw them from a range of browser subsystems, but the selection process was still somewhat arbitrary. Nevertheless, we hope that the depth and diversity of these reports lends credence to our assessment of the capabilities and our calls for defenders to begin applying these techniques.
| Bug ID | Description |
|---|---|
| 2024918 | An incorrect equality check can cause the JIT to optimize away the initialization of a live WebAssembly GC struct, creating a fake-object primitive with potential arbitrary read/write in code that had undergone extensive fuzzing by internal and external researchers. |
| 2024437 | A 15-year-old bug in the `<legend>` element triggered by meticulous orchestration of edge cases across distant parts of the browser, including recursion stack depth limits, expando properties, and cycle collection. |
| 2021894 | Reliably exploits a race condition over IPC, allowing a compromised content process to manipulate IndexedDB refcounts in the parent to trigger a UAF and potential sandbox escape. |
| 2022034 | A raw NaN crossing an IPC boundary can masquerade as a tagged JS object pointer, turning double deserialization into a parent-process fake-object primitive for a sandbox escape. |
| 2024653 | An intricate testcase weaving through nested event loops, pagehide listeners, and garbage collection to trigger a UAF in the attribute setter for `<object>` elements. |
| 2022733 | Triggers a parent UAF by flooding WebTransport with thousands of certificate hashes to stretch a race condition in a refcount-heavy copy loop, and exploits that race condition over IPC from a compromised content process. |
| 2023958 | Simulates a malicious DNS server by intercepting glibc DNS function calls in order to reproduce a UDP->TCP fallback edge case, triggering a buffer over-read and parent-process stack memory leak during HTTPS RR & ECH parsing. |
| 2025977 | 20-year-old XSLT bug in which reentrant key() calls cause a hash table rehash that frees its backing store while a raw entry pointer is still in use (one of several sec-high issues we fixed involving XSLT). |
| 2027298 | Patches the color picker to simulate otherwise non-automatable user selection, then uses a synchronous input event to spin a nested event loop that re-enters actor teardown and frees the callback while it is still unwinding, triggering a content process UAF. |
| 2023817 | A compromised content process could send an arbitrary wallpaper image to be decoded in the parent process, which could be paired with a hypothetical vulnerability in an image decoder to escape the sandbox. This entailed difficult-to-automate reasoning about the trust-level of inputs in the parent process. |
| 2029813 | Escapes our in-process sandboxing technology for third-party libraries (RLBox) by leveraging a gap in the verification logic used to copy values from the untrusted to the trusted side of the sandbox boundary. |
| 2026305 | Extremely small testcase that exploits the special rowspan=0 semantics in HTML tables by appending >65535 rows to bypass clamping and overflow a 16-bit layout bitfield, which went undetected for years by fuzzers. |
Note that a number of these bugs are sandbox escapes, which would need to be combined with other exploits to achieve a full-chain Firefox compromise. These reports presume that the sandboxed process that renders site content has already been compromised with some separate bug, and is now running attacker-controlled machine code attempting to escalate control into the privileged parent process. When crafting a sandbox escape, the model is permitted to patch the Firefox source code, so long as the modified code is restricted to run only in the sandboxed process. Such bugs are notoriously difficult to find with fuzzing, and while we’ve had some success developing new techniques to close this gap, AI analysis provides much more comprehensive coverage of this critical surface.
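The trust-boundary issue behind the bug 2022034 entry in the table (a raw NaN from the sandboxed side being read as a tagged object pointer) can be modelled in a few lines. This is an added example, not Firefox code and not the actual fix: the tag layout, constants and function names are assumptions made for illustration, and NaN canonicalization is shown as one standard mitigation for this class of bug.

```javascript
// Toy NaN-boxing layout (constructed; NOT SpiderMonkey's real encoding):
// a 64-bit word is either a plain IEEE-754 double or a boxed value whose
// top 16 bits are a tag that lies inside the NaN space.
const TAG_OBJECT = 0xfffen;                 // hypothetical object tag
const CANONICAL_NAN = 0x7ff8000000000000n;  // the only NaN the engine itself emits
const PAYLOAD_MASK = 0x0000ffffffffffffn;

const isObject = (word) => (word >> 48n) === TAG_OBJECT;

// IEEE-754: exponent all ones plus a non-zero mantissa means NaN.
function isNaNBits(word) {
  const exponent = (word >> 52n) & 0x7ffn;
  const mantissa = word & 0x000fffffffffffffn;
  return exponent === 0x7ffn && mantissa !== 0n;
}

// Read one 8-byte little-endian field from a message buffer.
function readWord(bytes, offset) {
  return new DataView(bytes.buffer, bytes.byteOffset).getBigUint64(offset, true);
}

// Weak: assumes the sender wrote a well-formed double and boxes the raw bits.
function deserializeDoubleUnchecked(bytes, offset) {
  return readWord(bytes, offset);
}

// Hardened: every NaN from the untrusted side collapses to the canonical NaN,
// so its payload bits can never be read back as a tag plus pointer.
function deserializeDoubleChecked(bytes, offset) {
  const word = readWord(bytes, offset);
  return isNaNBits(word) ? CANONICAL_NAN : word;
}

// How the privileged side would interpret a stored word.
function describe(word) {
  if (isObject(word)) return `object@0x${(word & PAYLOAD_MASK).toString(16)}`;
  return isNaNBits(word) ? "double NaN" : "double";
}

function encode(word) {
  const out = new Uint8Array(8);
  new DataView(out.buffer).setBigUint64(0, word, true);
  return out;
}

// Constructed sample messages: the double 1.5, and a NaN whose payload
// collides with the object tag and carries an arbitrary "address".
const benignMsg = encode(0x3ff8000000000000n);
const nanPayloadMsg = encode(0xfffe000012345678n);

console.log(describe(deserializeDoubleUnchecked(nanPayloadMsg, 0)));
console.log(describe(deserializeDoubleChecked(nanPayloadMsg, 0)));
```

The check belongs at the point where bytes from the less-trusted process become an engine value; validating later, after the word has been stored, is too late because nothing distinguishes it from a legitimately boxed value.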
Just as interesting as what the models found is what they didn’t find — not because they didn’t try, but because they were unable to circumvent Firefox’s layered defenses. For example, in recent years we received several clever reports from security researchers that managed to escape the process sandbox by triggering prototype pollution in the privileged parent process. Rather than fixing these problems one-by-one, we made an architectural change to freeze these prototypes by default. While auditing logs from the harness, we saw…