FirefoxOS Security Team Meeting

1pm PST, B2G Vidyo room

Prior notes are here:

Previous Action Items

key security reviews

    identify scope for each of them [everyone] 

Agenda Items

   let's talk about open() on b2g sandcomp (if arroway is around or others are interested)
   IPC improvements (?)
   binder (?)
   check what chromium's lib really does
   use mprotect blacklisting as last resort (?) <- it adds around 10 BPF rules :/

Google doc for collating scope notes

Status Updates


   working with Richard Bloor to integrate review docs in devs sections
   started Firefox Accounts review, approaching mhammond for coordination
   dchan, ulfr on the SA side
   packet capturing for FxOS Ping doc


   outreach to dev-platform about the inline-HTML/CSP thing
   Sub Resource Integrity to “First Public Working Draft”
   good feedback, problems on wording. next iteration
   JSHint (linter for gaia)
   result: not useful to improve gaia security
   looked at bug 994337, tried cross origin leaks (failed \o/)
   Next up: Loop review, "tokfox" demo app for fxos


   Sandboxing: patch to filter calls to open in libgenlock + some blacklisting for mprotect()
   FxOS pings
   proxy \o/
   NFC review
   looked at bug 963137


  • away


* HITB is happening
* Updated our wiki, goals feedback from andreas
* Leadership summit next month
* Work week ? June 8th?


New Action Items

Goal Status Updates

Other stuff