Security/Meetings/2012-01-11

From MozillaWiki
Jump to: navigation, search

Q1 Goals

See last week's meeting notes ( https://wiki.mozilla.org/Security/Meetings/2012-01-04#Goals ). No changes.

Comms (curtisk)

Blog

Contributor; Week Of; Topic
curtisk 9-Jan-2012
decoder 23-Jan-2012
sid 6-Feb-2012

BrownBag

  • Jan: -gkw - Fuzzing @ Mozilla 30-Jan 1PM
  • Feb- Imelven
    • ideas??

Lightning talk

Contributor; Month Of; Topic
dveditz Jan
Sid Feb

Possible Blog topics

  • ideas for curtisk
    • cont. evolution of sec review (new wikimedia review form, action item tracking, use of vidyo)
    • introduction posts, who we are, what we do, what we hope to accomplish
  • decoder
    • Blog post about ASan and Clang Static Analysis (coming soon)
      • One blog post or two? (I think it should be two posts.)
        • I thought about one post with a subject like "New testing methods with Clang" and both subjects don't have that much to write so I thought combining might make sense (one dynamic and one static method with Clang).
      • Can we provide "unofficial" ASan builds? (I have a build setup now that creates ASan'ified Firefox builds from m-c). People might be willing to give it a try if they don't have to build with ASan themselves.
        • How much of those instructions could you put into a script, which anyone could trust, run on their own machines, and get an up-to-date build?
          • Building itself is not the only problem, getting the toolchain is also something that needs work (get Clang, compiler-rt, compile all that, etc).
  • ideas for external speakers?

Recently Completed SecReviews

Conferences

  • https://wiki.mozilla.org/Security/Conferences
  • Better Internet Summit - Tues Jan 17th 6-9pm - Tanvi, Sid Waitlisted
  • Fosdem
  • CSW - Mar 7-9 Vancouver - No speaker list yet. Interested - Al, Gary, Ian, Tanvi,  ?
  • RSA - Feb 27-Mar 2 (Sid)

College Recruiting events

  • There are 5 schools on the list
  • End-Jan, early-Feb, mid-Mar

Workweeks

  • webapps @ Domain Hotel in MV (Jan 10 - 12)
  • services @ Monterey (Jan 17 - 20)
    • In MV on 17 / 20th
  • devtools @ London Mar 19-23
  • automation tools @ SF April 16-20

Click-to-play plugins update (keeler)

  • Try builds: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/dkeeler@mozilla.com-18015545af29/
  • UX still says it should be left-click to activate (with no menu), and 3 plays of a plugin on a site whitelists that plugin on that site (which is not how I've currently implemented it)
  • Security input?
    • Uhh left-click to activate means there's no security, pretty much. Who is saying that?
  • Also I have to leave at 10:45 today (and all Wednesdays, really)
  • Ok - next week. Sounds good.

Rust update (Jesse)

  • Rust meetings are Tue at 9.
  • Fuzzer resurrected; found another 10 bugs
    • Does it make sense to work on a grammar for LangFuzz?
      • The existing fuzzer uses a strategy similar to LangFuzz: replace an expr with another expr from the same AST. But modifying the AST directly requires code for each bit of grammar, so currently it only mixes the "expr" and "ty" AST nodes.
      • Beware the typechecker; the ever-changing Rust grammar; slow compile times; and the danger of running untrusted unsandboxed code with access to the filesystem.
      • You can use "rustc --pretty identified" to have rustc show you the AST. Might be easier than maintaining an external grammar.
  • Rust 0.1 will be released next week
  • Rust work week next month, possibly in Germany
    • Are you going to visit us? :D
  • Niko's blog is a good way to see some bits of semantics that are up in the air, e.g.

Fuzzing infrastructure

  • Al proposes to rack up machines
  • gkw has spent most of the past week(& end) refactoring scripts to be more resistant to system freezes and be able to resume from any directory without overwriting or deleting pre-freeze directories
    • Now has Windows 7 & Ubuntu Linux running *natively* on some 2011 Mac Minis
      • Windows has a majority of our users
      • Linux is essential for asan

Meeting time change?