Security/WebAPI/Web Telephony: Difference between revisions
Jump to navigation
Jump to search
Ptheriault (talk | contribs) No edit summary |
Ptheriault (talk | contribs) No edit summary |
||
| Line 52: | Line 52: | ||
| align="center" style="background:#f0f0f0;"|'''Notes''' | | align="center" style="background:#f0f0f0;"|'''Notes''' | ||
|- | |- | ||
| 1||Unauthorized content accesses the Web Telephony API||A web page or web app accesses the Telephony API with having the valid permissions or requirements ||* App Permissions Model will enforce which apps can access which APIs * B2G security model will enforce permissions model at a process level (ie less privileged process not allowed to send IPDL messages even if permissions check fails at an API level)||Malicious web content||?||Requires a bug in broader browser security model|||||| | | 1||Unauthorized content accesses the Web Telephony API||A web page or web app accesses the Telephony API with having the valid permissions or requirements ||* App Permissions Model will enforce which apps can access which APIs * B2G security model will enforce permissions model at a process level (ie less privileged process not allowed to send IPDL messages even if permissions check fails at an API level)||Malicious web content||?||Requires a bug in broader browser security model|||||| | ||
* Place unauthorized calls, cost the user money, make spam phone calls | |||
* Use phone a bugging device, breach user privacy | * Use phone a bugging device, breach user privacy | ||
* probably would have broader implications | * probably would have broader implications | ||
| Line 58: | Line 59: | ||
| 2||Attack from radio network||Malicious service provider or attacker with ability to inject radio packets could attack the web telephony stack.||* Code review * Fuzzing||Malicious service provider or attacker with ability to inject radio packets||?||?||?|||| | | 2||Attack from radio network||Malicious service provider or attacker with ability to inject radio packets could attack the web telephony stack.||* Code review * Fuzzing||Malicious service provider or attacker with ability to inject radio packets||?||?||?|||| | ||
|- | |- | ||
| 3||Bug in Web Telephony stack leads to code execution vulnerability ||A web page could supply malicious data to an API, triggering an exploitable crash.||* Code review* Fuzzing* Limiting access to API||Malicious web content||||||?||||*Dangerous since it involves privileged code | | 3||Bug in Web Telephony stack leads to code execution vulnerability ||A web page could supply malicious data to an API, triggering an exploitable crash.||* Code review* Fuzzing* Limiting access to API||Malicious web content||||||?|||| | ||
*Dangerous since it involves privileged code | |||
|- | |- | ||
| 3||Content spoofing phones dialer app||Webpage or app masquerades as the dialer for a complex phishing attack||*Sort of a broader B2G issue (all apps could be spoofed)* Only high-privileged content process will have access to send dialer IPDL messages||Malicious web content||||||?|||| | | 3||Content spoofing phones dialer app||Webpage or app masquerades as the dialer for a complex phishing attack|| | ||
*Sort of a broader B2G issue (all apps could be spoofed)* Only high-privileged content process will have access to send dialer IPDL messages||Malicious web content||||||?|||| | |||
|- | |- | ||
| 4||Content framing the dialer app||If content could frame the dialer app, or load it in a manner where it was obscured, malicious content might be able to induce the user to make a call.||* Broader B2G issue* Only high-privileged content process will have access to send dialer IPDL messages||Malicious web content|||||||||| | | 4||Content framing the dialer app||If content could frame the dialer app, or load it in a manner where it was obscured, malicious content might be able to induce the user to make a call.|| | ||
* Broader B2G issue | |||
* Only high-privileged content process will have access to send dialer IPDL messages||Malicious web content|||||||||| | |||
|} | |} | ||
Revision as of 21:16, 5 April 2012
Please use "Edit with form" above to edit this page.
Project Info
| Web Telephony | |
| Project Page | https://wiki.mozilla.org/WebAPI/WebTelephony |
| Next Milestone | Target Milestone: --- → mozilla12 |
| Security Resource | Paul Theriault |
{{#set:Component=Web Telephony |Project=https://wiki.mozilla.org/WebAPI/WebTelephony |Milestone=Target Milestone: --- → mozilla12 |Resource=Paul Theriault }}
Security Information
| Status: | OK |
| Securtiy Approved for Beta Launch?: | No |
| Data Flow Diagram: | ` |
| Threat Model: | ` |
| Bugs: | https://bugzilla.mozilla.org/show_bug.cgi?id=674726 |
| Security Review: | ` |
| Final Security Approval: | no |
{{#set:Sectrackerstatus=OK |Simpyn=No |DFD=` |TM=` |bugs=https://bugzilla.mozilla.org/show_bug.cgi?id=674726 |Secreview=` |SecTrackerFSA=no }}
Background
Goals
- allow web content to dial out
- allow content to mediate incoming calls (accept/reject/merge)
- allow content to query transceiver state
Bug:
- B2G Meta telephony bug https://bugzilla.mozilla.org/show_bug.cgi?id=699235
- Web Telephony meta bug: https://bugzilla.mozilla.org/show_bug.cgi?id=674726
Articles:
- http://hacks.mozilla.org/2012/03/webtelephony-api-and-websms-api-part-of-webapi/
- Detailed code walkthrough for receive call case: https://wiki.mozilla.org/B2G/Architecture#RIL:_Telephony
Changeset
Source:
- http://mxr.mozilla.org/mozilla-central/source/dom/telephony/
- https://github.com/mozilla-b2g/android-hardware-ril/blob/master/include/telephony/ril.h
Data Flow Diagram
TDB
Open Questions
- Do pages have direct access to the audio streams of a phone call? (from the code it seems not?)
Threat Model
| ID | Title | Threat | Proposed Mitigations | Threat Agent | Rating | Likelihood | Notes | Impact | Notes |
| 1 | Unauthorized content accesses the Web Telephony API | A web page or web app accesses the Telephony API with having the valid permissions or requirements | * App Permissions Model will enforce which apps can access which APIs * B2G security model will enforce permissions model at a process level (ie less privileged process not allowed to send IPDL messages even if permissions check fails at an API level) | Malicious web content | ? | Requires a bug in broader browser security model |
| ||
| 2 | Attack from radio network | Malicious service provider or attacker with ability to inject radio packets could attack the web telephony stack. | * Code review * Fuzzing | Malicious service provider or attacker with ability to inject radio packets | ? | ? | ? | ||
| 3 | Bug in Web Telephony stack leads to code execution vulnerability | A web page could supply malicious data to an API, triggering an exploitable crash. | * Code review* Fuzzing* Limiting access to API | Malicious web content | ? |
| |||
| 3 | Content spoofing phones dialer app | Webpage or app masquerades as the dialer for a complex phishing attack |
| ||||||
| 4 | Content framing the dialer app | If content could frame the dialer app, or load it in a manner where it was obscured, malicious content might be able to induce the user to make a call. |
|