Security/WebAPI/Web Telephony: Difference between revisions

Revision as of 08:28, 5 April 2012

Please use "Edit with form" above to edit this page.

Project Info

Web Telephony
Project Page	https://wiki.mozilla.org/WebAPI/WebTelephony
Next Milestone	Target Milestone: --- → mozilla12
Security Resource	Paul Theriault

{{#set:Component=Web Telephony |Project=https://wiki.mozilla.org/WebAPI/WebTelephony |Milestone=Target Milestone: --- → mozilla12 |Resource=Paul Theriault }}

Security Information

Status:	OK
Securtiy Approved for Beta Launch?:	No
Data Flow Diagram:	`
Threat Model:	`
Bugs:	https://bugzilla.mozilla.org/show_bug.cgi?id=674726
Security Review:	`
Final Security Approval:	no

{{#set:Sectrackerstatus=OK |Simpyn=No |DFD=` |TM=` |bugs=https://bugzilla.mozilla.org/show_bug.cgi?id=674726 |Secreview=` |SecTrackerFSA=no }}

Background

Goals
- allow web content to dial out
- allow content to mediate incoming calls (accept/reject/merge) *allow content to query transceiver state
Bugs:
- B2G Meta telephony bug https://bugzilla.mozilla.org/show_bug.cgi?id=699235
- Web Telephony meta bug: https://bugzilla.mozilla.org/show_bug.cgi?id=674726
Articles:
- WebAPI Intro: http://hacks.mozilla.org/2012/03/webtelephony-api-and-websms-api-part-of-webapi/
- Detailed code walkthrough: https://wiki.mozilla.org/B2G/Architecture#RIL:_Telephony ( some code links of of date, see code links below)
Changeset for parts on M-C
- https://hg.mozilla.org/integration/mozilla-inbound/rev/bac673bc7211
Source:
- http://mxr.mozilla.org/mozilla-central/source/dom/telephony/
- https://github.com/mozilla-b2g/android-hardware-ril/blob/master/include/telephony/

Data Flow Diagram

TDB

Threat Model

ID	Title	Threat	Proposed Mitigations	Threat Agent	Rating	Likelihood	Notes	Impact	Notes
1	Unauthorized content accesses the Web Telephony API	A web page or web app accesses the Telephony API with having the valid permissions or requirements	* App Permissions Model will enforce which apps can access which APIs * B2G security model will enforce permissions model at a process level (ie less privileged process not allowed to send IPDL messages even if permissions check fails at an API level)	Malicious web content		Requires a bug in broader browser security model			* Place unauthorized calls, cost the user money, make spam phone calls * Use phone a bugging device, breach user privacy * probably would have broader implications
2	Attack from radio network	Malicious service provider or attacker with ability to inject radio packets could attack the web telephony stack.	* Code review * Fuzzing	Malicious service provider or attacker with ability to inject radio packets
3	Bug in Web Telephony stack leads to code execution vulnerability	A web page could supply malicious data to an API, triggering an exploitable crash.	* Code review * Fuzzing * Limiting access to API	Malicious web content					*Dangerous since it involves privileged code
3	Content spoofing phones dialer app	Webpage or app masquerades as the dialer for a complex phishing attack	Sort of a broader B2G issue (all apps could be spoofed) Only high-privileged content process will have access to send dialer IPDL messages	Malicious web content
4	Content framing the dialer app	If content could frame the dialer app, or load it in a manner where it was obscured, malicious content might be able to induce the user to make a call.	* Broader B2G issue * Only high-privileged content process will have access to send dialer IPDL messages	Malicious web content