Security/Meetings/2011-12-21

Clang Static Analysis (decoder)

Gregory Szorc (:gps) did some great work in figuring out the required steps for applying the analysis to mozilla-central
Results are at http://people.mozilla.org/~gszorc/clang/2011-12-15-13/
If you want to help digging through the results and filing bugs for code reviews and possible code adjustments, ping me.

If you want to try Firefox+ASan in an optimized build, I made some builds for Linux, available at http://langfuzz2.mv.mozilla.com/20111218-5c8405e6226e/
- You almost don't notice it's slower.

Develop prototype for automation and scalability of ARM and mobile fuzzing
- Some of our machines under upgrading
- Certain releng machines are only running DOM fuzzer now, should get jsfunfuzz / LangFuzz running too
What needs testing on mobile?
- https://etherpad.mozilla.org/mobile-security-testing is my list. Brandon said he has a "master plan", but I don't know anything about it yet.
- Mobile UI fuzzer idea is floating in the air, gkw is embedding into ateam meetings to find out how this might turn out
  - I [decoder] can probably give hints about the crash triage automation etc. on Android because LangFuzz has that builtin already.
    - ateam might have some APIs we can use
sync auth
Get stats on features we want to end-of-life (enablePrivilege, etc)
- commoncrawl.org might help, for public web anyway (enablePrivilege tends to be used on intranets, not public)
  - It could be replaced by an addon
Security Questionnaire
- Proof of concept implementation
- Evaluation with previous security review participants
- Overall improvements and decision if this is helpful and should be adopted into the process, or not
Plugin experience - drive update, click to play

Goal Priorities