Security/Meetings/2011-09-28


What can QA do for security

  • Al Billings from QA joins the security team meeting today.
  • Discussed whether QA team should have people using Peach or LangFuzz to attack libraries used by Firefox.
  • QA could teach sec team how to make reusable testcases as part of pentesting.
  • Invite QA people to security reviews, at least on the features where QA isn't spread too thin

Continuation of Non-Feature Discussion

  • "Prioritization of non-features" and "aspect teams driving work in dev teams" are common concerns between security and QA (along with accessibility, stability, support, MemShrink, etc.)
  • Set metrics
    • "Define what a 'quality product' is."
    • e.g. no shipping SG:<level> bugs older than some <date>
  • Who should own this overall problem? Sheila? QA?
  • We hope to separate aspect-based prioritization (aspect teams) from overall prioritization and driving of fixes (program management) and doing (engineering)
  • How does QA team currently drive bugs they feel are important? Advocate in triage meetings (which no longer cover trunk), bugging developers individually.

Q3 Goals update

From https://intranet.mozilla.org/2011Q3Goals#Security

  • [DONE] JS root cause analysis, to identify common patterns in JavaScript security bugs
  • [MISSED] Land XSS filter on Aurora
  • [DONE] Support Android as a top-tier supported platform alongside Windows, Mac, and Linux (team embedding and ARM fuzzing)
    • Team embedding
      • [imelven] Attending mobile (and pancake) meetings, tracking and discussing mobile bugs with team members, starting to work on mobile private browsing
    • Fuzzing Fennec/e10s
      • [imelven,jesse] DOM fuzzer is now mostly working with Fennec on Linux.
    • Fuzzing ARM-specific code
      • [imelven] Codecs: imelven wrote a small web-server-like fuzzer for Ogg Theora and Ogg Vorbis, including fixing up the Ogg checksum for an Ogg page after mutating the content on that page. Ran ~20k Theora test cases and ~60k Vorbis test cases - no crashes found! (Theora has ARM-specific portions, and Vorbis uses a different lib in Fennec than in desktop Firefox.)
      • [decoder,bsterne,dchan] JS engine: LangFuzz browser client mostly working locally, requires some additional work. Mobile part (remote fuzzing) requires additional work (adb support in LangFuzz).
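As an added example (not part of these notes or of imelven's fuzzer), here is the checksum fix-up step the codec item above describes: after a page body is mutated, the Ogg page CRC from RFC 3533 is recomputed so the demuxer accepts the page and the mutated data actually reaches the Theora/Vorbis decoder instead of being dropped as corrupt. The minimal page built here is a constructed sample, not a real Theora or Vorbis stream.

```python
import random
import struct

# Ogg page CRC (RFC 3533): CRC-32 with generator 0x04c11db7, MSB-first,
# initial value 0, no final XOR, computed over the whole page with the
# four CRC bytes (offsets 22..25) treated as zero.
OGG_CRC_POLY = 0x04C11DB7


def _make_table():
    table = []
    for i in range(256):
        r = i << 24
        for _ in range(8):
            r = ((r << 1) ^ OGG_CRC_POLY) if r & 0x80000000 else (r << 1)
        table.append(r & 0xFFFFFFFF)
    return table


_TABLE = _make_table()


def ogg_page_crc(page: bytes) -> int:
    """CRC of a page with its checksum field treated as zero."""
    crc = 0
    for i, b in enumerate(page):
        if 22 <= i < 26:          # the CRC field itself is zero while hashing
            b = 0
        crc = ((crc << 8) ^ _TABLE[((crc >> 24) ^ b) & 0xFF]) & 0xFFFFFFFF
    return crc


def fix_ogg_crc(page: bytes) -> bytes:
    """Rewrite the little-endian CRC field so a demuxer accepts the page."""
    return page[:22] + struct.pack("<I", ogg_page_crc(page)) + page[26:]


def build_page(body: bytes) -> bytes:
    """Constructed single-segment BOS page wrapping `body` (< 255 bytes)."""
    header = (b"OggS" + b"\x00" + b"\x02"        # version, header_type = BOS
              + struct.pack("<q", 0)             # granule position
              + struct.pack("<I", 0x1234)        # bitstream serial (sample)
              + struct.pack("<I", 0)             # page sequence number
              + b"\x00" * 4                      # CRC, filled in below
              + bytes([1, len(body)]))           # 1 segment + its lacing value
    return fix_ogg_crc(header + body)


def mutate_body(page: bytes, seed: int) -> bytes:
    """Flip one bit in the page body (never the header) and repair the CRC."""
    rng = random.Random(seed)
    body_start = 27 + page[26]                   # 27-byte header + seg table
    out = bytearray(page)
    out[rng.randrange(body_start, len(page))] ^= 1 << rng.randrange(8)
    return fix_ogg_crc(bytes(out))
```

Without the fix-up, every mutated page would fail the CRC check in the demuxer and the codec code under test would never see it.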

Other major activities: land portion of DNSSEC on nightly, embed secteam members into high-profile teams, flesh out security roadmap, revise and socialize e10s sandbox threat model, security reviews for FF6 and FF7

Q4 Goals planning / Radar

  • https://intranet.mozilla.org/2011Q4Goals#Security
    • Fuzzing ARM/Mobile
      • [decoder] Fuzz JavaScript for ARM-specific code (e.g. JIT) on Linux (Tegra) with LangFuzz
      • [decoder,bsterne,dchan] Fuzz browser (mostly JavaScript) on Android with LangFuzz
  • Homework: come to next week's meeting with ideas

Mobile etc. Update (imelven)

  • Flash frontend did not make the FF9 cutover
  • Web API security model is slowly coming together; still very much a work in progress, proposals will be coming to mailing lists etc. at some point
  • nsContentPolicy experts may want to (should) look at https://bugzilla.mozilla.org/show_bug.cgi?id=674651 "nsContentPolicy should skip resource and chrome schemes" - imelven is tracking this bug

Fuzz week recap

Coverage for Curtis Thur/Fri

  • Need someone to facilitate reviews on Thurs
    • Curtis at Louisville InfoSec conference
  • Friday-Sunday Curtis at DerbyCon
  • [dchan] volunteered

Malware Crash Correlation Update (decoder)

  • Identifies crash reports that contain URLs known to host malware. These crashes might be attempted exploits.
  • Proof-of-Concept UI online on cm-fs01 (internally in MPT)
  • To be filled with data soon (will be automated)
  • Internal link + description will be sent to secteam and some other people (e.g. crashkill) for feedback
  • Privacy questions. Some URLs in crash reports are more specific than the URLs in the malware database.
  • Lucas suggests UA spoofing to make the exploits more likely to fail-and-crash
    • [decoder] will forward this suggestion to bclary

Blocking Java