Security/Sandbox/2016-09-08


bobowen

  • bug 1287426 - Update security/sandbox/chromium/ to Chromium stable channel version 49.0.2623.112
    • landed.
  • bug 1259601 - Add sandbox status to about:support (added security.sandbox.content.level for all OS)
    • uplifted to Aurora
  • bug 1259087 - Add Windows sandboxing information to Telemetry (added security.sandbox.content.level to environment for all OS)
    • landed and uplifted.
  • bug 1301034 - Log when non-static file policy AddRule calls fail in Windows SandboxBroker
    • this is mainly for diagnosing GMP problems; I'll pick it up this week.
  • Started looking at a separate process for file:// URLs, have rough understanding of the js/c++ code associated with this now, nothing working yet. Need to find an appropriate bug to take.

tedd

  • Currently at the WW in Berlin (somewhat limited in my time)
  • bug 977786 - reviewed nsProfileLock test
  • bug 1289718 - Construct policy - looking at patches from :gcp for review (not quite done yet)
  • bug 1104619 - Remote audio - making some progress

haik

  • bug 1228022 - Trigger print jobs from the parent instead of the child for OSX - working on code review feedback
  • bug 1290619 - Content sandbox rules should use actual profile directory, not Profiles/*/ regexes - re-review done, should be ready to land today
  • bug 1299329 - Remove printing-related privileges from content process sandbox - testing with things that sound print-related removed

jld

gcp

  • Finished up filesystem broker (bug 1289718)
  • Reviewing XRemote patches
  • Updated desktop

handyman

  • bug 1251202 - Implement Default Audio Device Notifications for NPAPI plugins on Windows
    • At the testing phase
    • Might have made a few funky architectural decisions to clean up
  • bug 1241250 - Prezi frozen at loading on fresh profile with latest Nightly 64 bits
    • Just in: looks to be fixed downstream by Prezi...
  • bug 1299611 - Adding policy rules to the Windows sandbox can cause a buffer overrun
    • Passed to Chromium to be patched upstream

group update from the security team (Summary)

Auditing/Investigation

Security Model

  • Closer to complete security model
  • Still some specific areas outstanding (TLS, add-ons, notably the Add-on SDK)
  • publish to wiki and integrate with existing content

Maintaining a secure sandbox

  • point of approval for landing?
  • sandbox changes
  • architectural changes which impact sandbox (e.g. changes to remoted APIs which move security boundaries)

Next Steps

  • continue auditing the code to determine whether Gecko components conform to the security model
    • First pass of IPDL audit, complete message manager audit
  • engage additional resources to get the Chromium fuzzer work started
  • fuzzing team is working on a fuzzer for the message manager (aim to complete this month)
  • get the security model up onto the wiki

Roundtable

  • bug 1186187 - SandboxMirror kernel extension to help reverse engineer Apple's sandbox implementation