Security/Meetings/SecurityAssurance/2012-02-21

From MozillaWiki
Jump to: navigation, search


« previous week | index | next week »


« previous week | index | next week »
  • Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#


Project Updates

https://wiki.mozilla.org/Security/TeamEmbedding Include any project page links Mention blockers or major concern areas

Silent updates (rforbes / dveditz)

  • Ian's concern: fallback to an updater that doesn't check signature, and an attacker can invite you to fall back
    • Jesse: this is an old problem, right? I wouldn't want to block silent updates on this.
  • Need embedded team member on update, because
    • Raymond & Dan???
    • [Bug 728301] New: Enable new security checks only for the service

Q1 Goals

Code signing

  • Coates: HSMs; improved logs for auditability(?)
  • Jesse: Are we signing Firefox the way Apple wants us to for Mountain Lion's Gatekeeper? It's pretty important to get this by the time Mountain Lion ships :)

B2G (Paul Theriault)

  • Reviewing security model at the moment (or trying to document their approach)
  • Compare with web apps approach
  • The requirements of B2G seem different to what the Web Apps is developing - need to figure out where these two activities meet
  • Working on carving out pieces for security review

Thunderbird (Dan Veditz)

Rust (Jesse Ruderman)

  • I raised concerns about unsafe blocks being less safe than C due to mixing Rust's failure/unwind/memory model with C concepts. https://github.com/mozilla/rust/wiki/Meeting-weekly-2012-02-21
  • Servo seems to be interested in parallelism only; security isn't really on their minds. I guess that's part of why they're planning to use the C++ Spidermonkey rather than implementing a new JavaScript engine in Rust. (Even though a JS engine could benefit from parallelism in parsing and JIT-recompiling.)
    • But Servo is in proof-of-concept mode, so maybe this is fair.

Mobile (David Chan)

  • beta is slipping, potential release this week
  • there were discussions about moving off the train schedule

Sync (David Chan & Yvan Boily)

Services (David Chan & Yvan Boily)

  • queuey and metlog threatmodeling meetings coming up
  • token server needs a review

Social - Pancake (Mark Goodwin)

  • They've ripped out spider, headlines, etc
  • They've also removed MySQL for user data... and instead are using a "lightweight http user server" - which appears to currently be using sqlite (erk!)
  • Still very much in flux - joes have you seen any docs yet?

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

  • No mtg this week

JS (Christian Holler)

  • IncrementalGC landed
  • Focusing on IonMonkey for testing
    • Fuzzing by gkw and me on x86(-64)
    • Fuzzing on ARM soon when branch stabilizied
  • Found quite a few OOM bugs, we need better OOM testing (also applies to whole Firefox product), will be working on that with JS devs.
  • [gkw] Made substantial changes to jsfunfuzz w/ Jesse to test Incremental GC.
  • [gkw] Work progressing on integrating jsfunfuzz to Releng, advice from Jesse, nthomas
    • [gkw] Found some bugs in js shells that are created off tinderboxen

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

  • Marionette had a security review on Feb 13.
  • There were follow-ups on locking the pref for enabling Marionette.
    • Completed within a few days later.
  • Also poking around Peach.
  • [decoder] Made progress on getting jsfunfuzz/domfuzz to run on Tegra Pool with ADBFuzz, working with jmaher, ctalbert and wlach to integrate necessary changes to mozdevice.

Web Developer Tools (Mark Goodwin)

  • Lots for me to learn here
  • Starting to look at debugger
   - Do we need to fuzz the wire protocol?
  • New commands for GCLI need reviewing - will coordinate with dchan to get this looked at

Networking ( Media / Codecs)

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

mailed myk telling him we would be setting up a security review and asking him to foward any documentation he had that we could ramp up on.

Payment Flow (Raymond Forbes)

no update

App Sync (David Chan)

  • discussion between webapps and sync team continuing
  • encryption may change for appsync vs sync

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

Long discussion on authorization model. Setting up meeting iwth Ian Bicking and Mike Hanson to work through the issues.

BrowserID

  • No logs as of yet.

Identity Services (David Chan)

  • nothing new

Addons.M.O (Raymond Forbes)

no update

Bugzilla.M.O (Mark Goodwin & Eric Parker)

  • A few bugs spotted incoming; all appear to be under control
  • Might need some muscle to install ArcSight Connectors on zeus balancers

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune) ()