Security/Meetings/SecurityAssurance/2012-07-03
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- Michal Purzynski (:michal`)
- London work week agenda - https://etherpad.mozilla.org/security-assurance-london
- Q2 - https://intranet.mozilla.org/2012Q2Goals#Security_Assurance (yay us!)
- July 4th is a US holiday on Wednesday this week
- [decoder] Initial shot at running our tests (mochitests, make check, crashtest, reftest, jstests, jit-test) with gcov instrumentation for coverage measurement: http://users.own-hero.net/~decoder/mc-tests-all/
- You should let more than just the security team know :) I bet a-team and developers will be interested.
  - => Mail is already out ;)
  - Where did you send it? dveditz sent it to bmoss and some other people. dev-platform or something would be good.
  - True, currently trying to find out first if the data is even reliable :)
- 100% code coverage is no guarantee. It's a useful tool but don't expect a silver bullet. "How to misuse code coverage" (from a code coverage tool author, so not a naysayer) http://www.exampler.com/testing-com/writings/coverage.pdf
- Will have fuzzer coverage soon too
- Maybe we'll ask developers to increase test coverage in scary / security-related files
- Can add dynamic instrumentation to non-covered code (decoder has done the hard parts already with LLVM) in order to semi-automatically create regression tests
- You can also put assertions into the code and recompile of course :D
- Yes, more assertions do not hurt + it's compatible with the fuzzers out of the box.
- Maybe it's possible to come up with a simple script that adds assertions to uncovered branches, not sure how easy it is :)
- [decoder] Daily MacOSX builds with ASan now at http://people.mozilla.org/~choller/firefox/asan/
Security Review Status (koenig)
- Completed in Q2 2012: 44
- Number of Reviews Completed (so far this quarter):
- Number of Outstanding Reviews:
- Number of Reviews Completed:
- Number of Outstanding Reviews:
Operations Security Update (Joe Stevensen)
Project Updates
Please don't leave blank. Add "No Update" if nothing has changed
Silent updates (rforbes / dveditz)
B2G (Paul Theriault, David Chan)
Thunderbird (Adam Muntner)
Rust (Jesse Ruderman)
Mobile (Mark Goodwin)
Sync (Simon Bennetts & Adam Muntner)
Social API (Simon Bennetts & Adam Muntner)
I need a better explanation of what our expectations are regarding code that will be landed in nightly. (adam)
Services (Simon Bennetts & Adam Muntner)
Social - Pancake (Mark Goodwin)
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- [decoder] IonMonkey will probably not land for 2-3 weeks; currently gated only on passing JM+TI on benchmarks.
DOM, XPConnect (Jesse Ruderman)
Layout, Style (Jesse Ruderman)
Automation Tools (Gary Kwong)
- No update
Web Developer Tools (Mark Goodwin)
Networking (Christoph Diehl)
- Added ASN.1 fuzzing construct
- Added MIME fuzzer for https://bugzilla.mozilla.org/show_bug.cgi?id=744952
Graphics (Christoph Diehl)
- No update
Networking (Media / Codecs) <-- Should this be changed to "Media"?
Market (Raymond Forbes)
Firefox APIs (Raymond Forbes)
Payment Flow (Raymond Forbes)
App Sync (David Chan)
No update
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
BrowserID
- Third-party review kicks off on Friday
Identity Services (David Chan)
No update - bugs 770302 and 770306 were reported and resolved