Security/Meetings/SecurityAssurance/2012-10-16
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 20:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- [mcoates] Welcome Stefan Arentz
- https://twitter.com/satefan
- st3fan on irc.mozilla.org
- [mcoates] Goals - Q4 Goals Up - https://mana.mozilla.org/wiki/display/SECURITY/2012+-+Q4+Goals
- [coates] FF Chemspill (from last week)
- https://bugzilla.mozilla.org/show_bug.cgi?id=799952
- Unit tests
- We seem to be afraid to check in unit tests for security bugs. As a result, we're missing a lot of coverage.
- In the past we've considered having a private "shadow repository" for both security patches and tests. What if we had a private repository that's just for security tests?
- Timeline
- Public blog post disclosing the bug went up 10/10/2012
- Updates were pulled Monday morning(?) (except automatic updates were already off because our release corresponded with Patch Tuesday)
- Blog post posted Monday evening (150 comments!?) https://blog.mozilla.org/security/2012/10/10/security-vulnerability-in-firefox-16/
- Tuesday morning patch out
- Determining the severity of the bug was fun. As disclosed, we argued about whether it was sg-moderate or sg-high. We were concerned that it might be possible to escalate to code exec, but then later realized that this part was mitigated (by the regressing bug!)
- We were surprised how much coverage the bug got in the press
- We'll have a post-mortem meeting Thursday at noon. Rather than flooding this meeting, please forward your input to Dan.
- [curtisk/yvan] Communications rotation revived
- Brown bags & blog posts
- https://intranet.mozilla.org/SecurityTeam:EditorialCalendar (will be redone; this is your chance to pick a post early)
- Nov 9th, Limerick, Ireland. I'm doing a talk at the OWASP AppSec Workshop thingy. Details to follow.
- [curtisk] web bug verification rotation
- [psiinon] ZAP weekly builds
- [gkw] It will be nice for us to update the wiki on talks that members of our team gave/are giving
- We submitted two session proposals to MozCamp Asia 2012. We'll find out which were accepted.
- Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
Upcoming Speaking Engagements
- SkyDogCon - http://www.skydogcon.com/ (Nov 26-28)
- AppSecUSA - October 2
Security Review Status (koenig)
- Completed in Q3 2012: 56
- Number of Reviews Completed (so far this quarter): 9 (7)
- Number of Outstanding Reviews: 149 (138)
- Number of reviews without risk rating 29 (18)
- Number of reviews without deadline set 140 (129)
Operations Security Update (Joe Stevensen)
Project Updates
Please don't leave blank. Add "No Update" if nothing has changed.
Silent updates (rforbes / dveditz)
B2G (Paul Theriault, David Chan)
- tests are still broken
- See https://bugzilla.mozilla.org/show_bug.cgi?id=798580 for status
Thunderbird (Adam Muntner)
Rust (Jesse Ruderman)
- Rust 0.4 is out!
- 0.5 is likely to focus on "enabling the development of strong standard libraries": https://github.com/mozilla/rust/wiki/Note-0.5-priorities
- http://smallcultfollowing.com/babysteps/blog/2012/10/12/extending-the-definition-of-purity-in-rust/ sounds really cool
Mobile (Mark Goodwin)
- Secreview for Private Browsing on Monday
- Safe Browsing in Aurora :D
Sync (Simon Bennetts)
Services (Simon Bennetts & Adam Muntner)
Social - Pancake (Mark Goodwin)
- I think we can remove this from the template now
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- Regular fuzzing operations, no specific update
DOM, XPConnect (Jesse Ruderman)
Layout, Style (Jesse Ruderman)
Automation Tools (Gary Kwong)
- Sorting out unhiding issues w/ green Valgrind tbpl builds
Web Developer Tools (Mark Goodwin)
- Lots of work to do on remote tools
- Waiting for last few patches to arrive for chrome debugging
- I've been talking to Dave Camp about a non-priv UI for devtools. The remote-everything drive gives us lots of possibilities
Networking (Christoph Diehl)
- still working on WebRTC - no updates except crashes
Graphics (Christoph Diehl)
- Tweaking fuzzer execution; current sample benchmark on MacOS, 2.6GHz Core i7:
- Mutation of the ICO DataModel for 100 files (3KB ICO with compressed PNG)
- Command: time ./peach.py -range 0 100 -pit Pits/Files/ICO/ico.xml
- Firefox -O1 debug ASan: 0m14.672s
- Firefox -O1 debug: 0m11.562s
- Firefox non-optimized debug ASan: 2m29.020s
- Safari release build: 0m9.248s
- Minimising our sample suite based on coverage.
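To make concrete what "mutation of the ICO DataModel" means for the benchmark above, here is an added example written for this page; it is not Peach's code and not the ico.xml Pit the notes refer to. It constructs a small seed ICO carrying a 1x1 PNG-compressed image (sample input, constructed here), then generates mutants the way a data-model-driven mutator does: boundary values written into each ICONDIR/ICONDIRENTRY field, size/offset pointed exactly at end-of-file, truncations at chunk boundaries, and an IHDR width blown up with its CRC recomputed so a PNG decoder accepts the chunk. The field offsets and boundary values are this example's own choices, not a published mutator table.

```python
"""Structure-aware mutation of a small ICO file with a PNG-compressed image.

Added example: builds a constructed seed ICO, then produces mutants by
editing the ICO directory fields and the embedded PNG header, which is the
kind of work a Peach DataModel does for the ico.xml Pit in the benchmark.
"""
import struct
import zlib

ICONDIR_LEN = 6        # reserved u16, type u16, count u16
ICONDIRENTRY_LEN = 16  # w u8, h u8, colors u8, reserved u8, planes u16, bpp u16, size u32, offset u32
HEADER_LEN = ICONDIR_LEN + ICONDIRENTRY_LEN


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """One PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int) -> bytes:
    """Minimal 8-bit RGBA PNG filled with opaque grey (constructed sample input)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x80\x80\x80\xff" * width for _ in range(height))
    return (b"\x89PNG\r\n\x1a\n" + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw, 9)) + png_chunk(b"IEND", b""))


def make_ico(width: int = 1, height: int = 1) -> bytes:
    """ICONDIR + one ICONDIRENTRY + the PNG payload (a Vista-style PNG icon)."""
    png = make_png(width, height)
    entry = struct.pack("<BBBBHHII", width % 256, height % 256, 0, 0, 1, 32, len(png), HEADER_LEN)
    return struct.pack("<HHH", 0, 1, 1) + entry + png


def parse_ico(data: bytes) -> dict:
    """Read the directory of a single-image ICO. Deliberately no bounds checks:
    it shows what a lax parser would believe about each mutant."""
    reserved, ico_type, count = struct.unpack_from("<HHH", data, 0)
    w, h, colors, _rsvd, planes, bpp, size, offset = struct.unpack_from("<BBBBHHII", data, ICONDIR_LEN)
    return dict(reserved=reserved, type=ico_type, count=count, width=w, height=h,
                colors=colors, planes=planes, bpp=bpp, size=size, offset=offset)


# (field, byte offset, struct format, boundary values): the data model we mutate.
FIELDS = [
    ("reserved", 0, "<H", [1, 0xFFFF]),
    ("type", 2, "<H", [0, 2, 0xFFFF]),
    ("count", 4, "<H", [0, 2, 0xFFFF]),
    ("width", 6, "<B", [0, 0xFF]),   # 0 means 256 in ICO, a classic special case
    ("height", 7, "<B", [0, 0xFF]),
    ("bpp", 12, "<H", [0, 1, 0xFFFF]),
    ("size", 14, "<I", [0, 1, 0x7FFFFFFF, 0xFFFFFFFF]),
    ("offset", 18, "<I", [0, 5, 0xFFFFFFFF]),
]


def _patched(seed: bytes, fmt: str, off: int, value: int) -> bytes:
    buf = bytearray(seed)
    struct.pack_into(fmt, buf, off, value)
    return bytes(buf)


def mutate_ico(seed: bytes) -> list:
    """Return (label, mutant_bytes) pairs derived from one seed ICO."""
    mutants = [(f"{name}={v:#x}", _patched(seed, fmt, off, v))
               for name, off, fmt, values in FIELDS for v in values]
    # size/offset landing exactly on EOF: off-by-one territory for bounds checks.
    mutants.append(("size=filelen", _patched(seed, "<I", 14, len(seed))))
    mutants.append(("offset=filelen", _patched(seed, "<I", 18, len(seed))))
    # Truncations: directory only, PNG signature only, last byte missing.
    png_start = HEADER_LEN
    for cut in (HEADER_LEN, png_start + 8, len(seed) - 1):
        mutants.append((f"truncate@{cut}", seed[:cut]))
    # IHDR width -> 0x7FFFFFFF with the chunk CRC recomputed, so a PNG decoder
    # accepts the header and must cope with an absurd allocation request.
    buf = bytearray(seed)
    ihdr_type = png_start + 12   # after the 8-byte signature and 4-byte length
    ihdr_data = ihdr_type + 4
    struct.pack_into(">I", buf, ihdr_data, 0x7FFFFFFF)
    crc = zlib.crc32(bytes(buf[ihdr_type:ihdr_data + 13])) & 0xFFFFFFFF
    struct.pack_into(">I", buf, ihdr_data + 13, crc)
    mutants.append(("ihdr_width=0x7fffffff", bytes(buf)))
    return mutants


def ihdr_crc_valid(ico: bytes) -> bool:
    """True if the embedded PNG's IHDR chunk CRC matches its type+data."""
    t = HEADER_LEN + 12
    stored, = struct.unpack_from(">I", ico, t + 4 + 13)
    return stored == (zlib.crc32(bytes(ico[t:t + 4 + 13])) & 0xFFFFFFFF)


if __name__ == "__main__":
    seed = make_ico()
    for label, m in mutate_ico(seed):
        info = parse_ico(m) if len(m) >= HEADER_LEN else None
        print(f"{label:24s} {len(m):4d} bytes  {info}")
```

Feeding each mutant to a target is the harness's job (write it to disk and launch the browser build under test, which is what the `time ./peach.py` run above measures); the point of the example is that a structure-aware mutator spends its budget on the fields a parser actually branches on rather than on random byte flips.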
Networking (Media / Codecs)
Market (Raymond Forbes)
Firefox APIs (Raymond Forbes)
Payment Flow (Raymond Forbes)
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
BrowserID
Identity Services (David Chan)
Addons.M.O (Raymond Forbes)
Bugzilla.M.O (Mark Goodwin & Eric Parker)
- No update
Mozillians (Raymond Forbes)
MDN (Raymond Forbes)
SUMO (Kitsune)
AddressSanitizer (Christian Holler)
- No update