Security/WebAPI/Web Telephony: Difference between revisions

From MozillaWiki

Revision as of 21:07, 5 April 2012


Project Info

Web Telephony
Project Page: https://wiki.mozilla.org/WebAPI/WebTelephony
Next Milestone: Target Milestone: --- → mozilla12
Security Resource: Paul Theriault

Security Information

Status: OK
Security Approved for Beta Launch?: No
Data Flow Diagram:
Threat Model:
Bugs: https://bugzilla.mozilla.org/show_bug.cgi?id=674726
Security Review:
Final Security Approval: no

Background

Goals

  • allow web content to dial out
  • allow content to mediate incoming calls (accept/reject/merge)
  • allow content to query transceiver state

Bug:

Articles:

Changeset

Source:

Data Flow Diagram

TBD

Open Questions

  • Do pages have direct access to the audio streams of a phone call? (from the code it seems not?)

Threat Model

A value of "?" means the rating had not yet been assigned at this revision.

Threat 1: Unauthorized content accesses the Web Telephony API
  Threat: A web page or web app accesses the Telephony API without having the required permissions.
  Proposed Mitigations:
    • The app permissions model enforces which apps can access which APIs.
    • The B2G security model enforces the permissions model at the process level (i.e. a less-privileged process is not allowed to send the relevant IPDL messages at all, so the restriction holds even if the API-level permission check is bypassed).
  Threat Agent: Malicious web content
  Rating: ?
  Likelihood: ? (requires a bug in the broader browser security model)
  Impact: ?
    • Place unauthorized calls, cost the user money, make spam phone calls
    • Use the phone as a bugging device, breaching the user's privacy
    • Probably would have broader implications

Threat 2: Attack from radio network
  Threat: A malicious service provider, or an attacker with the ability to inject radio packets, could attack the web telephony stack.
  Proposed Mitigations:
    • Code review
    • Fuzzing
  Threat Agent: Malicious service provider or attacker with the ability to inject radio packets
  Rating: ?
  Likelihood: ?
  Impact: ?

Threat 3: Bug in Web Telephony stack leads to code execution vulnerability
  Threat: A web page could supply malicious data to an API, triggering an exploitable crash.
  Proposed Mitigations:
    • Code review
    • Fuzzing
    • Limiting access to the API
  Threat Agent: Malicious web content
  Rating: ?
  Likelihood: ?
  Impact: ? (dangerous since it involves privileged code)

Threat 4: Content spoofing the phone's dialer app
  Threat: A web page or app masquerades as the dialer for a complex phishing attack.
  Proposed Mitigations:
    • Sort of a broader B2G issue (all apps could be spoofed)
    • Only the high-privileged content process will have access to send dialer IPDL messages
  Threat Agent: Malicious web content
  Rating: ?
  Likelihood: ?
  Impact: ?

Threat 5: Content framing the dialer app
  Threat: If content could frame the dialer app, or load it in a manner where it was obscured, malicious content might be able to induce the user to make a call.
  Proposed Mitigations:
    • Broader B2G issue
    • Only the high-privileged content process will have access to send dialer IPDL messages
  Threat Agent: Malicious web content
  Rating: ?
  Likelihood: ?
  Impact: ?
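The second mitigation listed for threat 1 (process-level enforcement that holds even when the API-level check is bypassed) is the one worth seeing in code. The following is an added example, not Gecko or B2G code: it models a content process that performs the API-level permission check, and a parent (chrome) process that independently decides, from its own records, whether the sending process may issue a dialer message at all. The process ids, the message name "Telephony:Dial", the permission name "telephony" and the registry contents are illustrative assumptions.

```javascript
// Added example, not Gecko/B2G code: a model of the two enforcement layers the
// mitigations for threat 1 describe. Layer 1 is the permission check a content
// process performs before calling the API; layer 2 is the parent (chrome)
// process deciding, from its own records, whether the *sending process* may
// issue a dialer message at all. Process ids, the message name "Telephony:Dial"
// and the permission name "telephony" are illustrative assumptions.

// Parent-side view of which content process runs which app (constructed data).
// The parent spawned these processes, so this table is trustworthy; anything
// carried inside a message from a child is not.
const processRegistry = new Map([
  [101, { app: "dialer", permissions: new Set(["telephony"]) }],
  [202, { app: "browser", permissions: new Set() }],
]);

// Record of calls the "radio" actually placed, so outcomes can be inspected.
const placedCalls = [];
function placeCall(number) {
  placedCalls.push(number);
  return { ok: true, number };
}

// Vulnerable parent handler: believes a "privileged" flag carried in the
// message. A compromised browser process can simply set the flag.
function parentHandlerTrusting(senderPid, msg) {
  if (msg.type !== "Telephony:Dial") return { ok: false, reason: "unknown message" };
  if (!msg.privileged) return { ok: false, reason: "IPC denied" };
  return placeCall(msg.number);
}

// Hardened parent handler: the decision is keyed on the sender's identity as
// known to the parent, so a forged flag changes nothing and layer 2 holds even
// when layer 1 has been bypassed.
function parentHandlerHardened(senderPid, msg) {
  if (msg.type !== "Telephony:Dial") return { ok: false, reason: "unknown message" };
  const proc = processRegistry.get(senderPid);
  if (!proc || !proc.permissions.has("telephony")) {
    return { ok: false, reason: `IPC denied: pid ${senderPid} lacks telephony permission` };
  }
  return placeCall(msg.number);
}

// Layer 1: the API-level check as a well-behaved content process runs it. Note
// that it asserts its own privilege in the message, which is exactly what the
// trusting handler wrongly relies on.
function contentDial(pid, number, parentHandler) {
  const proc = processRegistry.get(pid);
  if (!proc || !proc.permissions.has("telephony")) {
    return { ok: false, reason: "API permission denied" };
  }
  return parentHandler(pid, { type: "Telephony:Dial", number, privileged: true });
}

// A compromised content process skips layer 1 and forges the message itself.
function forgedDial(pid, number, parentHandler) {
  return parentHandler(pid, { type: "Telephony:Dial", number, privileged: true });
}
```

The point of the comparison is where the decision is keyed: the trusting handler lets the child's claim decide, so compromising any content process is enough to dial; the hardened handler keys on the parent's own knowledge of who the sender is, which is the property the "less privileged process not allowed to send IPDL messages" mitigation relies on.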
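Threats 2 and 3 both list fuzzing as a mitigation, and threat 3 adds limiting what content can hand to the API. The following is an added example, not code from the Web Telephony project: a strict dial-string validator placed at the content-facing boundary, and a seeded fuzz harness that checks the validator never throws and never accepts anything outside its grammar. The accepted grammar (an optional leading '+', then digits, '*', '#', and the pause/wait characters ',' and ';', at most 40 characters) and the fuzz alphabet are illustrative assumptions, not the project's rules. Fuzzing the radio side for threat 2 follows the same harness pattern but needs the privileged parser as its target, which this example does not model.

```javascript
// Added example, not code from the Web Telephony project: a strict dial-string
// validator that sits in front of the privileged telephony stack, plus a seeded
// fuzz harness of the kind the mitigations for threats 2 and 3 call for. The
// grammar below is an illustrative assumption: optional leading '+', then
// digits, '*', '#', and the pause/wait characters ',' and ';', max 40 chars.

const MAX_DIAL_LEN = 40;
const DIAL_CHARS = /^\+?[0-9*#,;]+$/;

// Returns { ok: true, number } or { ok: false, reason }. Never throws on any
// input, so privileged code behind it cannot be crashed by what it receives.
function validateDialString(input) {
  if (typeof input !== "string") return { ok: false, reason: "not a string" };
  if (input.length === 0) return { ok: false, reason: "empty" };
  if (input.length > MAX_DIAL_LEN) return { ok: false, reason: "too long" };
  // Rejects letters, whitespace, NUL, control and bidi characters, fullwidth
  // or other Unicode digits, and a '+' anywhere but the first position.
  if (!DIAL_CHARS.test(input)) return { ok: false, reason: "illegal character" };
  return { ok: true, number: input };
}

// Small deterministic PRNG (xorshift32) so a failing fuzz run can be replayed
// from its seed.
function xorshift32(seed) {
  let s = (seed >>> 0) || 1;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5; s >>>= 0;
    return s / 0x100000000;
  };
}

// Constructed alphabet mixing legal dial characters with bytes an attacker
// might hope slip through: NUL, newline, percent, quote, backslash, a bidi
// override, a fullwidth digit and an emoji (a surrogate pair).
const FUZZ_ALPHABET = ["0", "1", "9", "+", "*", "#", ",", ";",
  " ", "a", "%", "'", "\\", "\u0000", "\n", "\u202E", "\uFF11", "\uD83D\uDE42"];

// Feeds `iterations` random strings to the validator and checks two
// invariants: it never throws, and everything it accepts really does match
// the grammar and the length bound.
function fuzzValidator(iterations, seed) {
  const rand = xorshift32(seed);
  const stats = { iterations, accepted: 0, rejected: 0, threw: 0, violations: 0 };
  for (let i = 0; i < iterations; i++) {
    const len = Math.floor(rand() * 81); // 0..80, deliberately past MAX_DIAL_LEN
    let s = "";
    for (let j = 0; j < len; j++) {
      s += FUZZ_ALPHABET[Math.floor(rand() * FUZZ_ALPHABET.length)];
    }
    let result;
    try {
      result = validateDialString(s);
    } catch (e) {
      stats.threw++;
      continue;
    }
    if (result.ok) {
      stats.accepted++;
      if (!DIAL_CHARS.test(s) || s.length > MAX_DIAL_LEN) stats.violations++;
    } else {
      stats.rejected++;
    }
  }
  return stats;
}
```

The allow-list regex is the "limiting access" part: whatever the privileged side's own parser does with MMI codes or pause characters, it only ever sees strings from a small, fully enumerated alphabet. The harness is the part that keeps that promise honest; a change to the grammar that lets a NUL or a bidi override through shows up as a non-zero `violations` count on the same seed.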