Security/Meetings/SecurityAssurance/2012-03-13

  • Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

Second half

  • [decoder] ASan as a nightly and/or for hardened environments
  • B2G permissions model (dchan, want to chat?)

Project Updates Below

B2G

    • Discussions on the Permissions Model ongoing
    • Developer Phone release 4/1/12 [1]
    • Q1 Goals - complete review for developer phone
    • Q2 Goals - product phone aiming for release by end of Q2 so:
      • Complete all necessary security reviews
      • Complete documentation of B2G security architecture (is this something we are responsible for? I guess not, but I think we want to be involved)
      • Develop B2G fuzzing platform?

Automation Tools

    • Debate on whether Marionette should land on Gecko between devs and code reviewers in bug 712643.

Fuzzing

    • [gkw, decoder] m-c, IonMonkey fuzzing continuously underway
      • decoder has a lot of asserts, gkw a lot of hard-to-reproduce-by-IM-devs GC bugs, Jesse a lot of general bugs
    • [decoder] Continue mobile fuzzing goal from Q1
      • In Q2: Deploy fuzzers compatible with ADBFuzz developed in Q1 (e.g. jsfunfuzz, domfuzz)
        • Involves getting necessary hardware and process in place
    • Move fuzzers to Releng hardware. jsfunfuzz harness migration underway.
      • Non-mobile hardware already in-place.
      • [gkw] Needed if we are to release funfuzz in April
        • why?
        • I wouldn't want to release old code from literally years ago only to overhaul them as they get released. Makes documentation easier (documenting the new code) as well.
    • I'd like it if releng committed to fixing https://bugzilla.mozilla.org/show_bug.cgi?id=628573 ;)
      • They rank it P3.
    • [gkw] Several Valgrind blockers for Mac OS X Snow Leopard & Lion fixed by sewardj
    • [jesse] tweaking jsfunfuzz to find bugs like our pwn2own bug https://bugzilla.mozilla.org/show_bug.cgi?id=720079

ASan

  • http://blog.mozilla.com/decoder/2012/01/27/trying-new-code-analysis-techniques/
  • http://blog.mozilla.com/decoder/2012/03/09/update-on-address-sanitizer/
  • Q2 goal: get builds from RelEng
    • Get regular testing of Firefox setup
    • Integrate with our crash reporting so we can receive ASan crash reports once we decide to have more people testing ASan builds (e.g. a special nightly).
      • This could be great for troubleshooting. "Hitting an intermittent crash? Try an ASan build and see if it becomes a reliable crash."
  • ASan builds as a "hardened Firefox" for paranoid users?
    • For what kinds of bugs does ASan really prevent exploitation, as opposed to just requiring attackers to change offsets or do more allocations?
      • Use-after-free as well as stack+heap buffer overruns should be covered
    • How many people are willing to take a 3x slowdown for it?
    • How would this compare to using debug builds with (at least some) assertions fatal?
      • Maybe we should enable the nsTArray and nsPresArena and compartment assertions for these builds, but not all assertions.
    • Target audience size not as big, ASan builds likely Linux/Mac-only
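To make the "what does ASan actually catch" question above concrete, here is an added educational model of ASan's heap checking (not Mozilla's code and not the LLVM runtime): a shadow map marks every arena byte as redzone, addressable or freed, so a one-byte overrun lands in a redzone and a read after free hits poisoned bytes. The shadow byte values, the 16-byte redzone and the never-reused bump arena are simplifications chosen for this model.

```c
#include <stdint.h>
#include <string.h>

/* Educational model of AddressSanitizer's heap checking (not Mozilla's or
 * LLVM's code). A shadow map records, per arena byte, whether it is redzone
 * (the default), addressable, or freed, and every access is checked against
 * it first. The byte values are simplified, not the real shadow encoding. */
enum shadow_kind { REDZONE_BYTE = 0, ADDRESSABLE = 1, FREED_BYTE = 2 };
enum { ARENA_SIZE = 1024, REDZONE = 16 };
static uint8_t arena[ARENA_SIZE];
static uint8_t shadow[ARENA_SIZE];   /* zero-initialised: all redzone */
static size_t bump = REDZONE;        /* redzone before the first chunk */
/* Bump allocator: user bytes become addressable, the trailing redzone stays
 * poisoned, and memory is never reused, standing in for ASan's quarantine of
 * freed chunks (which the real runtime limits in size). */
uint8_t *model_malloc(size_t n) {
    if (bump + n + REDZONE > ARENA_SIZE) return NULL;
    uint8_t *p = arena + bump;
    memset(shadow + bump, ADDRESSABLE, n);
    bump += n + REDZONE;
    return p;
}
void model_free(uint8_t *p, size_t n) {
    memset(shadow + (p - arena), FREED_BYTE, n);   /* poison on free */
}

/* ADDRESSABLE if all n bytes at p may be touched, else the kind of the first
 * poisoned byte (ASan: heap-buffer-overflow or heap-use-after-free). */
int check_access(const uint8_t *p, size_t n) {
    size_t off = (size_t)(p - arena);
    for (size_t i = 0; i < n; i++)
        if (shadow[off + i] != ADDRESSABLE) return shadow[off + i];
    return ADDRESSABLE;
}
/* The accesses discussed above; -1 means the model arena is full. */
int demo_in_bounds(void) {          /* read the whole 8-byte chunk */
    uint8_t *buf = model_malloc(8);
    return buf ? check_access(buf, 8) : -1;
}
int demo_heap_overrun(void) {       /* touch one byte past the end */
    uint8_t *buf = model_malloc(8);
    return buf ? check_access(buf + 8, 1) : -1;
}
int demo_use_after_free(void) {     /* read a chunk after freeing it */
    uint8_t *buf = model_malloc(8);
    if (!buf) return -1;
    model_free(buf, 8);
    return check_access(buf, 1);
}
```

The model also shows the limit raised in the discussion: a write that jumps past the 16-byte redzone into the next chunk's addressable bytes is not flagged, which is why the answer is "detection of the common bug classes", not a guarantee against every offset.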