Security/Reviews/WebTelephony
Item Reviewed

| Field | Value |
|---|---|
| Item | Web Telephony |
| Target | |

Tracking bug:

| ID | Summary | Priority | Status |
|---|---|---|---|
| 747292 | [Security Review] Web Telephony | P1 | RESOLVED |

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%)
Introduce the Feature
Goal of the feature: what it is trying to achieve (problem solved, use cases, etc.)
Goals
- allow web content to dial out
- allow content to mediate incoming calls (accept/reject/merge)
- allow content to query transceiver state
Bugs:
- B2G meta telephony bug: https://bugzilla.mozilla.org/show_bug.cgi?id=699235
- Web Telephony meta bug: https://bugzilla.mozilla.org/show_bug.cgi?id=674726
Pages:
- https://wiki.mozilla.org/B2G/RIL
- Detailed code walkthrough for receive call case: https://wiki.mozilla.org/B2G/Architecture#RIL:_Telephony
- http://hacks.mozilla.org/2012/03/webtelephony-api-and-websms-api-part-of-webapi/
Changeset
Source:
- http://mxr.mozilla.org/mozilla-central/source/dom/telephony/
- https://github.com/mozilla-b2g/android-hardware-ril/blob/master/include/telephony/ril.h
Data Flow
Web Telephony is made up of the following components (from lowest level to highest level):
- rild: the proprietary bit of code that talks to the proprietary modem firmware
- rilproxy: the daemon that proxies messages between rild and Gecko (the b2g process)
- Gecko (the b2g process): implements the higher-level telephony stack
Note that this review does not include the UI application that actually makes and receives the phone calls (e.g. phone.gaiamobile.org). In the case of Gaia, these are reviewed as part of a separate review. Note also that a b2g device could ship with a completely different dialer application.
Answered Questions
- Do pages have direct access to the audio streams of a phone call?
  - No.
- Can another application record audio while a call is underway?
  - Not sure, but probably not. Currently no, since there is no API to access audio streams.
- Are the audio streams buffered anywhere on disk, or is there any local record of the call (if so, what data is stored)?
  - Not stored on disk at all. The API doesn't store any records, although the Gaia app would be expected to do so.
Permissions
Only certified apps can access this API. Permissions: only the dialer and homescreen apps would have this API.
What solutions/approaches were considered other than the proposed solution?
Why was this solution chosen?
Any security threats already considered in the design and why?
Threat Brainstorming
Threat matrix here: https://wiki.mozilla.org/Security/WebAPI/Web_Telephony
- Unauthorized content accesses the Web Telephony API
  - App Permissions Model will enforce which apps can access which APIs
  - B2G security model will enforce the permissions model at a process level (i.e. a less privileged process is not allowed to send IPDL messages even if the permissions check fails at the API level)
  - Code review: review the checks which enforce this
- Attack from radio network
  - Code review
  - Fuzzing
- Bug in Web Telephony stack leads to code execution vulnerability
  - Code review
  - Fuzzing
  - Limiting access to API
- Content spoofing the phone's dialer app
  - Sort of a broader B2G issue (all apps could be spoofed)
  - Only a high-privileged content process will have access to send dialer IPDL messages
- Content framing the dialer app
  - Broader B2G issue
  - Only a high-privileged content process will have access to send dialer IPDL messages
- Denial of Service on Dialer
  - Would probably require permissions to launch these styles of attacks?
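The first threat above relies on two independent layers of enforcement: the permission check at the API level inside the content process, and the process-level check in the parent, which refuses telephony IPDL messages from a process that was never granted the permission. The following is an added toy model of that arrangement written for this page; it is not Gecko or B2G code. The app origins, manifest fields, message shapes, the process-id bookkeeping and the phone number are all constructed for the example, and the "telephony" permission name is assumed.

```python
"""Toy model of two-layer permission enforcement for a telephony API.
Layer 1: the content-process API object checks the app's manifest.
Layer 2: the parent process re-checks, using only what it recorded about the
sending process at launch, so a compromised child gains nothing by skipping
layer 1 or by lying in the message payload. Constructed example, not B2G code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AppManifest:
    origin: str
    app_type: str            # assumed values: "web", "privileged" or "certified"
    permissions: frozenset   # permission names granted to the app


class PermissionDenied(Exception):
    pass


# Constructed sample manifests: a certified dialer and an ordinary web app.
DIALER = AppManifest("app://dialer.example", "certified", frozenset({"telephony"}))
WEBAPP = AppManifest("https://game.example", "web", frozenset())


def may_use_telephony(manifest):
    """Policy stated in the review: only certified apps holding the permission."""
    return manifest.app_type == "certified" and "telephony" in manifest.permissions


@dataclass
class TelephonyParent:
    """Parent (chrome) side of the channel. It records each child's manifest
    when the process is launched and never reads it from a message."""
    process_manifests: dict = field(default_factory=dict)
    dialled: list = field(default_factory=list)

    def register_process(self, pid, manifest):
        self.process_manifests[pid] = manifest

    def receive(self, pid, message):
        # Layer 2: decide on what the parent knows about the sending process;
        # any "claimed" fields inside the payload are ignored.
        manifest = self.process_manifests.get(pid)
        if manifest is None or not may_use_telephony(manifest):
            raise PermissionDenied(f"pid {pid} may not send {message['type']}")
        if message["type"] == "Dial":
            self.dialled.append(message["number"])
            return "dialling"
        raise ValueError(f"unknown message type {message['type']}")


class TelephonyChild:
    """Content-process side: the API object a page would see."""

    def __init__(self, pid, manifest, parent):
        self.pid = pid
        self.manifest = manifest
        self.parent = parent

    def dial(self, number):
        # Layer 1: API-level check inside the content process.
        if not may_use_telephony(self.manifest):
            raise PermissionDenied("telephony permission not granted to this app")
        return self.parent.receive(self.pid, {"type": "Dial", "number": number})


def simulate():
    """Run the three cases the threat item cares about and return the outcomes."""
    parent = TelephonyParent()
    parent.register_process(1, DIALER)
    parent.register_process(2, WEBAPP)
    dialer = TelephonyChild(1, DIALER, parent)
    game = TelephonyChild(2, WEBAPP, parent)
    number = "+1-555-0100"  # constructed, non-routable sample number
    outcomes = {}

    outcomes["dialer"] = dialer.dial(number)  # certified dialer: allowed

    try:  # ordinary web app going through the API: stopped at layer 1
        game.dial(number)
    except PermissionDenied:
        outcomes["webapp_api"] = "denied at API layer"

    # A compromised content process skips its own API check and sends the
    # message directly, even asserting a certified type in the payload.
    try:
        parent.receive(2, {"type": "Dial", "number": number, "claimed_type": "certified"})
    except PermissionDenied:
        outcomes["webapp_ipc"] = "denied at process layer"

    outcomes["calls_placed"] = len(parent.dialled)
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

The point of the model is the third case: the parent's decision depends only on the manifest it associated with the process at launch, so neither bypassing the API-level check nor adding fields to the message changes the outcome. Code review of the real implementation should confirm the parent-side check has the same property.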
Action Items
Action Item Status: In Progress
Release Target: (none recorded)

Action items (status legend: new / Done / Missed):

| Who | Bug | Action | By When | Status |
|---|---|---|---|---|
| pauljt | 763921 | Security code review | TBD | new |
| cdiehl | 763922 | Fuzzing AT commands | TBD | new |
| pauljt | 763924 | Investigate malicious input from phone side | TBD | new |
| pauljt | 763925 | Investigate audio issue further, testing audio; maybe need a function to turn off all audio | TBD | new |

Tracking bugs:

| ID | Summary | Priority | Status |
|---|---|---|---|
| 763921 | SecReview: WebTelephony - Security Code Review | -- | RESOLVED |
| 763922 | SecReview: WebTelephony - Fuzzing AT Commands | -- | RESOLVED |
| 763924 | SecReview: WebTelephony - Investigate malicious input from phone side | -- | RESOLVED |
| 763925 | SecReview: WebTelephony - Investigate audio issue further, testing audio, maybe need a function to turn off all audio | -- | RESOLVED |

4 Total; 0 Open (0%); 4 Resolved (100%); 0 Verified (0%)