Hi!
No, there are no particular risks associated with opening a trace file in Perfetto UI beyond those of using any other website.
Most browsers treat web content as 'untrusted' and restrict the APIs they can use. This, combined with 'sandboxing' (running the JavaScript/wasm in a separate process, as done by Chrome and other web browsers), drastically reduces the surface area exploitable by a malicious trace file. Even if there was a bug in our parsers that allowed for arbitrary code execution on load, it would have to be chained with a sandbox escape to affect anything outside of the tab - such exploits are rare and valuable and very unlikely to be 'wasted' on Perfetto.
You should be more cautious with trace_processor_shell. While trace_processor_shell is fuzzed and sanitized and there are no known vulnerabilities, it has, by its nature as a native program, no sandboxing, more API access, and hence a wider surface area to attack. Even here I would suggest the risk is very low.
Cheers,
Hector