SecurityEngineering/Newsletter

From MozillaWiki
= Firefox Security Team Newsletter Q3 17 =

Firefox Quantum is almost here and brings several important security improvements: a tighter sandbox, web platform hardening, faster cryptography and more. Read on for the security work coming through the Firefox pipeline.
 
* Sandbox work is seeing great progress. As of Firefox 57, content processes on Windows, macOS and Linux all have their file system access restricted by the sandbox, a major milestone. Further [https://wiki.mozilla.org/Security/Sandbox restrictions] are enabled for Windows in Firefox 58.
* Firefox 57 now treats data: URLs as unique origins rather than letting them inherit the origin of the document that created them, reducing the risk of cross-site scripting (XSS).
* The Firefox Multi-Account Containers add-on [https://blog.mozilla.org/firefox/introducing-firefox-multi-account-containers/ shipped], letting users keep several identities separate within a single browsing session.
* Increased [https://blog.mozilla.org/security/2017/09/29/improving-aes-gcm-performance/ AES-GCM performance] in Firefox 56, and support for [https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/ Curve25519 in Firefox 57], the first [https://en.wikipedia.org/wiki/Formal_verification formally verified] cryptographic implementation to ship in a web browser.
* Experimental support for anti-phishing FIDO U2F “Security Key” USB devices [https://mobile.twitter.com/jamespugjones/status/912314952232267777 landed behind a preference] in Firefox 57. This feature is a forerunner of W3C Web Authentication, which will bring the same origin-bound, phishing-resistant authentication to a wider market.
* The privacy WebExtension API can now be used to control the [https://bugzilla.mozilla.org/show_bug.cgi?id=1397611 privacy.resistFingerprinting] and [https://bugzilla.mozilla.org/show_bug.cgi?id=1409045 first party isolation] experimental privacy features.


= Team Highlights =

== Security Engineering ==


=== Crypto Engineering ===

* AES-GCM performance is increased across the board, making large transfers more efficient in Firefox 56. [https://blog.mozilla.org/security/2017/09/29/improving-aes-gcm-performance/ blog post]
* Our Curve25519 implementation in Firefox 57 is the first [https://en.wikipedia.org/wiki/Formal_verification formally verified] cryptographic code to ship in a web browser. [https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/ blog post]
* Experimental support for anti-phishing FIDO U2F “Security Key” USB devices landed behind a preference in Firefox 57. This feature is a forerunner of W3C Web Authentication, which will bring this anti-phishing technology to a [https://twitter.com/jamespugjones/status/912314952232267777 wider market].


=== Privacy and Content Security ===

* The privacy WebExtension API can now be used to control the [https://bugzilla.mozilla.org/show_bug.cgi?id=1397611 privacy.resistFingerprinting preference] and [https://bugzilla.mozilla.org/show_bug.cgi?id=1409045 first party isolation].
* Multi-Account Containers launched as an extension available from [https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/ AMO] (two blog posts: [https://blog.mozilla.org/firefox/introducing-firefox-multi-account-containers/ introduction] and [https://blog.mozilla.org/tanvi/2017/10/03/update-firefox-containers/ update]).
* The containers (contextualIdentities) WebExtension API gained several improvements for [https://hacks.mozilla.org/2017/10/containers-for-add-on-developers/ add-on developers]:
** Containers are now enabled automatically when an extension that uses contextual identities is installed.
** Events to monitor container changes.
** Ability to get icon URLs for containers along with their hex colour codes.
** Cleaner APIs.
* Lightbeam was remade as a [https://hacks.mozilla.org/2017/10/remaking-lightbeam-as-a-browser-extension/ web extension].
* Firefox 57 treats data: URLs as [https://blog.mozilla.org/security/2017/10/04/treating-data-urls-unique-origins-firefox-57/ unique origins], which mitigates the risk of XSS and makes Firefox standards-compliant and consistent with the behaviour of other browsers.
* Shipped version 4 of the Safe Browsing protocol.
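As an added illustration of the privacy API item above (example code, not from this page or from Firefox itself), this is a WebExtension background-script routine that turns on both settings through <code>browser.privacy.websites</code>. It needs the <code>"privacy"</code> permission in manifest.json. The API object is passed in as a parameter so the routine can also be exercised outside a browser; the function name and the report strings are invented for this example. The caveat a practitioner wants: each setting is a <code>BrowserSetting</code> whose <code>get()</code> reports a <code>levelOfControl</code>, and an extension should only call <code>set()</code> when it is allowed to control the setting, otherwise <code>set()</code> resolves to <code>false</code>.

```javascript
// Added example: turn on Firefox's experimental anti-fingerprinting settings
// from a WebExtension, checking first whether this extension may control
// them. Requires the "privacy" permission in manifest.json. The API object is
// a parameter so the routine can run against a stand-in outside a browser.
// enableFingerprintingDefences and the report strings are invented here.

const NOT_OURS = new Set(["not_controllable", "controlled_by_other_extensions"]);

async function enableFingerprintingDefences(api) {
  const websites = (api.privacy && api.privacy.websites) || {};
  // privacy.resistFingerprinting and first party isolation, as exposed
  // through the privacy.websites namespace of the WebExtension API.
  const wanted = {
    resistFingerprinting: websites.resistFingerprinting,
    firstPartyIsolate: websites.firstPartyIsolate,
  };
  const report = {};
  for (const [name, setting] of Object.entries(wanted)) {
    if (!setting) {
      report[name] = "unavailable"; // this Firefox does not expose the setting
      continue;
    }
    const { value, levelOfControl } = await setting.get({});
    if (NOT_OURS.has(levelOfControl)) {
      // Another extension or policy owns it; set() would just return false.
      report[name] = `left alone: ${levelOfControl} (currently ${value})`;
      continue;
    }
    if (value === true) {
      report[name] = "already enabled";
      continue;
    }
    const changed = await setting.set({ value: true });
    report[name] = changed ? "enabled" : "set() refused";
  }
  return report;
}

// In a real background script `browser` is provided by Firefox.
if (typeof browser !== "undefined") {
  enableFingerprintingDefences(browser).then((r) => console.log(r));
}
```

Note that resistFingerprinting changes observable browser behaviour (timer precision, reported screen size and so on), so an extension that flips it should say so to the user rather than doing it silently.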
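An added illustration of why the data: URL change above matters (example code, not from this page, from Firefox or from the specification): a small model of how a browser assigns an origin to a framed document, with a switch between the old behaviour (a data: URL inherits the origin of the document that created it) and the Firefox 57 behaviour (a fresh unique origin), and a same-origin check run on an injected data: frame. The function names and the sample URLs are invented for this example; the rules themselves follow the HTML standard's definition of origin and same origin.

```javascript
// Added example: model of origin assignment for a data: URL document, before
// and after the Firefox 57 change. The names below are invented for this
// illustration; the rules follow the HTML standard's definition of "origin"
// and "same origin". Unique origins are modelled as fresh objects, since a
// unique (opaque) origin is same-origin only with itself.

let uniqueCounter = 0;

// Tuple origin (scheme, host, port) of an absolute http(s) URL.
function tupleOrigin(url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  const port = u.port || (scheme === "https" ? "443" : "80");
  return { kind: "tuple", scheme, host: u.hostname, port };
}

function uniqueOrigin() {
  return { kind: "unique", id: ++uniqueCounter };
}

// Origin of a document loaded from `url` into a frame whose creator (the
// document that set the frame's src) has origin `creatorOrigin`.
function documentOrigin(url, creatorOrigin, { dataUrlsAreUnique }) {
  if (url.startsWith("data:")) {
    // Pre-57 Firefox: inherit, so the data: document is same-origin with its
    // creator. Firefox 57+: a new unique origin with no relationship to it.
    return dataUrlsAreUnique ? uniqueOrigin() : creatorOrigin;
  }
  if (url === "about:blank") {
    return creatorOrigin; // about:blank still inherits; unchanged by Firefox 57
  }
  return tupleOrigin(url);
}

function sameOrigin(a, b) {
  if (a.kind === "unique" || b.kind === "unique") return a === b;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The XSS scenario: an attacker who controls an iframe's src (say, through a
// reflected query parameter) points it at a data: URL carrying a script. Can
// that script reach the creator's DOM and cookies?
function injectedDataFrameCanReachCreator(dataUrlsAreUnique) {
  const creator = tupleOrigin("https://bank.example/account"); // constructed
  const payload = "data:text/html,<script>parent.document.cookie</script>"; // constructed
  const frame = documentOrigin(payload, creator, { dataUrlsAreUnique });
  return sameOrigin(frame, creator);
}
```

With inheritance the injected frame is same-origin with the page that framed it and the script runs with that page's privileges; with unique origins the same payload is just another cross-origin frame.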
 
=== Firefox and Tor Integration ===

* Continued the Tor patch uplift work, focusing on [https://wiki.mozilla.org/Security/Fingerprinting browser fingerprinting resistance].
** Landed 12 more anti-fingerprinting patches in Firefox 57.
* The MinGW build (the toolchain Tor Browser uses for its Windows builds) has landed in mozilla-central and is available in treeherder.


=== Content Isolation ===

* Various Windows content process security features were enabled over the quarter: [https://bugzilla.mozilla.org/show_bug.cgi?id=1381326 disabling of legacy extension points] (56), [https://bugzilla.mozilla.org/show_bug.cgi?id=1314801 image load policy improvements] (57) and [https://bugzilla.mozilla.org/show_bug.cgi?id=1403707 increased restrictions] on job objects (58). We have also enabled the [https://bugzilla.mozilla.org/show_bug.cgi?id=1229829 alternate desktop feature] in Nightly, after battling various problems with anti-virus software interfering with child process startup.
* The [https://bugzilla.mozilla.org/show_bug.cgi?id=1308400 new 'default deny' read access policy] for the Linux file access broker is now enabled by default for content processes and is rolling out in Firefox 57. The content process forwards its file access requests to the broker in the parent process, which checks them against a policy and refuses anything not explicitly allowed, severely restricting what a compromised content process could do within the local file system.
* Numerous access rules for the file system, operating system services and devices have been removed from the macOS content process sandbox. In terms of file system access we have reached parity with Chrome's renderer. Remaining print server access will be removed in Q4; removal of graphics and audio access is currently being planned.
* We continue to invest in cleaning up various areas of the code that have accumulated technical debt.
* We have completed our research on the scope of enabling the [https://msdn.microsoft.com/en-us/library/windows/desktop/hh871472(v=vs.85).aspx Win32k System Call Disable Policy] process mitigation. It blocks content processes from calling into win32k.sys, the kernel-mode GUI subsystem whose large attack surface is a common source of sandbox escapes and privilege escalation. Planning for this [https://bugzilla.mozilla.org/show_bug.cgi?id=1381019 long term project] is currently underway, with work expected to commence in Q4.
* As a result of the stability and process startup problems caused by third-party code injection, a new internal initiative has formed to address problems with unstable software injected into Firefox. This cross-team group will explore and improve policy around outreach and blocking, data collection and research, and injection mitigation techniques within Firefox.


== Operations Security ==

* addons.mozilla.org and Firefox Screenshots went through external security audits. The reports will be released soon.
* Internal audits of Crash Reports and Phabricator were completed and found no maximum or high risk issues.
* addons.mozilla.org, Crash Reports, Telemetry, Pontoon, Push and the Tracking Protection backends have been connected to pyup.io to track vulnerabilities in upstream Python dependencies.
* Verification of the signatures of installer and update files has been integrated into the product delivery pipeline, to prevent an attacker from feeding an improperly signed file to our download sites.


== Security Assurance ==

* Developed a new static analysis tool to detect sandbox-related flaws in IPDL endpoints (the IPC protocol definitions through which content processes talk to the parent process).
* Established a mobile security review process to cover projects coming through the New Mobile Experience pipeline.
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1394433 Identified a number of warnings] by building Firefox for Windows with gcc, and resolved many of them.


== Cross-Team Initiatives ==

* Google has become an official [http://ccadb.org/rootstores/how Root Store Member] of the [http://ccadb.org/ Common CA Database (CCADB)].


= Security Blog Posts & Presentations =


* https://blog.mozilla.org/firefox/introducing-firefox-multi-account-containers/ (Multi-Account Containers)
* https://blog.mozilla.org/security/2017/09/29/improving-aes-gcm-performance/ (AES-GCM performance in Firefox 56)
* https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/ (verified Curve25519 in Firefox 57)
* https://hacks.mozilla.org/2017/10/remaking-lightbeam-as-a-browser-extension/ (Lightbeam as a web extension)
* https://blog.mozilla.org/security/2017/10/04/treating-data-urls-unique-origins-firefox-57/ (data: URLs as unique origins in Firefox 57)

----
'''Previous Editions'''
* [[SecurityEngineering/Newsletter/2016Q4|2016 4th Quarter]]
* [[SecurityEngineering/Newsletter/2017Q1|2017 1st Quarter]]

Revision as of 11:50, 2 November 2017
