Security/Reviews/WebTelephony

From MozillaWiki

Item Reviewed

Web Telephony
Target
   
     Full Query    
ID Summary Priority Status
747292 [Security Review] Web Telephony P1 RESOLVED

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);


Introduce the Feature

Goal of the feature: what it is trying to achieve (problem solved, use cases, etc.)

Goals

  • allow web content to dial out
  • allow content to mediate incoming calls (accept/reject/merge)
  • allow content to query transceiver state

Data Flow

Web Telephony is made up of the following components, from the lowest level to the highest level:

  • rild : the proprietary bit of code that talks to the proprietary modem firmware
  • rilproxy : the daemon that proxies messages between rild and Gecko (the b2g process)
  • Gecko (the b2g process) : implements the higher-level telephony stack

Note that this review does not include the UI application that actually makes and receives the phone calls (e.g. phone.gaiamobile.org). In the case of Gaia these are reviewed as part of a separate review. Note that a b2g device could ship with a completely different dialer application.

Answered Questions

  • Do pages have direct access to the audio streams of a phone call?
    • No
  • Can another application record audio while a call is underway?
    • Not sure, but probably not. Currently no, since there is no API to access audio streams.
  • Are the audio streams buffered anywhere on disk, or is there any local record of the call (if so, what data is stored)?
    • Not stored on disk at all. The API doesn't store any records, although the Gaia app would be expected to do so.

Permissions

Only certified apps can access this API.

Permissions: Only the dialer and the homescreen would have this API.

What solutions/approaches were considered other than the proposed solution?


Why was this solution chosen?


Any security threats already considered in the design and why?


Threat Brainstorming

Threat matrix here: https://wiki.mozilla.org/Security/WebAPI/Web_Telephony

  • Unauthorized content accesses the Web Telephony API
    • The app permissions model will enforce which apps can access which APIs.
    • The B2G security model will enforce the permissions model at the process level (i.e. a less privileged process is not allowed to send IPDL messages even if the permissions check fails at the API level).
    • Code review: review the checks which enforce this.
  • Attack from the radio network
    • Code review
    • Fuzzing
  • Bug in the Web Telephony stack leads to a code execution vulnerability
    • Code review
    • Fuzzing
    • Limiting access to the API
  • Content spoofing the phone's dialer app
    • Sort of a broader B2G issue (all apps could be spoofed).
    • Only a high-privileged content process will have access to send dialer IPDL messages.
  • Content framing the dialer app
    • Broader B2G issue.
    • Only a high-privileged content process will have access to send dialer IPDL messages.
  • Denial of Service on the dialer
    • Would probably require permissions to launch these styles of attacks?
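The first threat above relies on two independent layers: an API-level permission check in the content process and a process-level check in the parent (b2g) process that gates IPDL messages on the sender's privilege. The following is an added example, not code from Gecko or B2G, that models both layers so the defence-in-depth point can be exercised; the permission name "telephony", the app table, the class names and the method names are assumptions made for illustration.

```javascript
// Added example, not code from Gecko or B2G: a minimal model of the two-layer
// enforcement listed under "Unauthorized content accesses the Web Telephony API".
// The permission name, the app table and the class/method names are assumptions
// made for illustration.

const TELEPHONY_PERMISSION = "telephony"; // assumed permission name

// Layer 1 data: installed apps keyed by origin, with their status and granted
// permissions. Constructed sample data: only the certified dialer and homescreen
// apps hold the telephony permission, as the Permissions section states.
const PERMISSION_TABLE = {
  "app://phone.gaiamobile.org":      { status: "certified", permissions: ["telephony"] },
  "app://homescreen.gaiamobile.org": { status: "certified", permissions: ["telephony"] },
  "http://example.com":              { status: "web",       permissions: [] },
};

// Parent side (the b2g process). Privilege is recorded when a content process
// is spawned, from the parent's own table, so a child cannot raise it later.
class ParentProcess {
  constructor() {
    this.processes = new Map(); // pid -> { origin, privileged }
    this.rejected = [];         // rejected messages, kept for review/detection
    this.dialed = [];           // numbers the modem stack was asked to dial
  }

  spawn(pid, origin) {
    const entry = PERMISSION_TABLE[origin];
    const privileged = entry !== undefined && entry.status === "certified";
    this.processes.set(pid, { origin, privileged });
    return privileged;
  }

  // Layer 2: the IPDL-style message handler. It decides on the sending
  // process's privilege alone, independent of any check the child performed.
  onDialMessage(pid, number) {
    const proc = this.processes.get(pid);
    if (!proc || !proc.privileged) {
      this.rejected.push({ pid, origin: proc ? proc.origin : null, number });
      return false;
    }
    this.dialed.push(number);
    return true;
  }
}

// Content side. Layer 1: the API-level permission check that a well-behaved
// content process runs before sending the message.
class ContentProcess {
  constructor(pid, origin, parent) {
    this.pid = pid;
    this.origin = origin;
    this.parent = parent;
    parent.spawn(pid, origin);
  }

  dial(number) {
    const entry = PERMISSION_TABLE[this.origin];
    if (!entry || !entry.permissions.includes(TELEPHONY_PERMISSION)) {
      throw new Error("SecurityError: telephony permission denied");
    }
    return this.parent.onDialMessage(this.pid, number);
  }

  // Models the case the second layer exists for: the API-level check is
  // skipped (a bug or a compromised content process) and the message is sent
  // directly. The parent must still reject it.
  sendDialMessageDirectly(number) {
    return this.parent.onDialMessage(this.pid, number);
  }
}

function runScenario() {
  const parent = new ParentProcess();
  const dialer = new ContentProcess(1, "app://phone.gaiamobile.org", parent);
  const web = new ContentProcess(2, "http://example.com", parent);
  const number = "555-0100"; // constructed sample number

  const results = { dialerDial: dialer.dial(number), webDialDenied: false };
  try {
    web.dial(number);
  } catch (e) {
    results.webDialDenied = true; // stopped at layer 1
  }
  results.webDirectMessage = web.sendDialMessageDirectly(number); // stopped at layer 2
  results.rejectedCount = parent.rejected.length;
  results.dialed = parent.dialed.slice();
  return results;
}

console.log(runScenario());
```

The point of the model is that the parent never consults anything the child claims: it keys on the privilege it recorded at spawn time, so a content process that skips or subverts its own API-level check still cannot get a dial message through, and the rejection is recorded where a code reviewer or a detection rule can see it.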

Action Items

Action Item Status: In Progress
Release Target:

Action Items

Who    | Bug    | Action                                                                                      | By When | Completed date | Status
pauljt | 763921 | Security Code Review                                                                        | TBD     |                | [NEW] new
cdiehl | 763922 | Fuzzing AT commands                                                                         | TBD     |                | [NEW] new
pauljt | 763924 | Investigate malicious input from phone side                                                 | TBD     |                | [NEW] new
pauljt | 763925 | Investigate audio issue further, testing audio, maybe need a function to turn off all audio | TBD     |                | [NEW] new

Status legend: [NEW] new, [DONE] Done, [MISSED] Miss

Full Query
ID Summary Priority Status
763921 SecReview: WebTelephony - Security Code Review -- RESOLVED
763922 SecReview: WebTelephony - Fuzzing AT Commands -- RESOLVED
763924 SecReview: WebTelephony - Investigate malicious input from phone side -- RESOLVED
763925 SecReview: WebTelephony - Investigate audio issue further, testing audio, maybe need a function to turn off all audio -- RESOLVED

4 Total; 0 Open (0%); 4 Resolved (100%); 0 Verified (0%);
