Security/Sandbox/2018-04-12


tjr

  • Getting MinGW x64 Running
    • First: Getting it debuggable with symbols
    • Written my own PE Parser.
    • Patched and Cross-Compiled gdb x86 and x64
    • Have written my own DWARF parser. It has been running for 7 hours. DWARF is horrible. ASN1 looks like CSV next to DWARF.
  • Timer Intermittents
  • Follow-up from a previous bug. I had asked about ways to put in a debugging message; got pointed at NS_WARNING
    • Problem: Issue only occurs in opt builds. Is there anything between MOZ_LOG (which would require people to set the correct flag) and MOZ_RELEASE_ASSERT ?

Alex_Gaynor

  • IPC Fuzzer
    • bug 1452625 - bumped in-tree copy of libFuzzer (to bring in a change I made upstream)
    • bug 1451859 - put WIP patch on phabricator (haven't updated in a week though)
    • Fixed file descriptor leak
    • Fuzzer doesn't appear to ever make its way into AllocPBrowserParent, trying to figure out why
  • We now have access to a SQL-for-code tool for doing custom static analysis!
    • Used it to find all instances of a bad pattern in our IPC
    • lgtm.com
  • IPC fixes
  • Filed bug 1453338 - make it possible to implement IPDL protocols in Rust. Don't intend to work on it, but I can dream!

bobowen

  • bug 1452090 - Only enable handle verifier on 32-bit Nightly and debug builds
    • Landed. No hits yet, might see if release management are receptive to turning it on for EARLY_BETA_OR_EARLIER.
    • Tiny follow-up bug 1453639 - Call InitializeHandleVerifier before other sandbox calls.
    • Looks like preceding changes have made at least one sec-bug now a safe crash.
  • bug 1451376 - Fixed on m-c, beta and esr52.
  • Canvas remoting.
    • Have a grasp on this code now.
    • Working on a version that just records in memory and passes whole recording via shmem.
    • Will then start looking into streaming the recording as it is recorded.

gcp

  • reviews
  • bug 1129492 - Firefox content process has a live connection to the X11 server.
  • integrate X proxy in content process launch

jld

  • …why did the font size in Etherpad change.
  • The last (I hope?) 60 regressions are uplifted (sudo firefox, Snap vs. network namespace)
  • To do: write some kind of announcement about the sandbox improvements in 60
  • Some IPC things that were annoying me:
    • bug 1436156 - CHECK() being a warning
    • bug 1278361 - double close on EINTR (maybe responsible for the mysterious EOFs)
    • bug 1401776 - raise file descriptor limits
    • (Because I went searching for "Sandbox: Unexpected EOF" and found some untriaged dups of those last two)
  • bug 1439057 - Dusting off /dev/shm access changes
    • The plan of passing the broker across exec has some issues
    • But I have another plan; see my last comment
  • Reviews.
  • (Somehow we wound up talking about information-theoretic entropy vs. thermodynamic entropy, and I threatened to go find my undergrad thermodynamics text.)

haik

  • bug 1395504 - Infinite hang of web content process when parent process crashes
    • Root caused to be a breakpad bug
  • bug 1452278 - [Mac] Make nsOSHelperAppService::GetFromTypeAndExtension() not call OS MIME API's in content
    • Looking into moving all Mac MIME-related into parent, making child nsOSHelperAppService generic
  • #25737 Tor Browser's update check bypassed Tor once on macOS, because of xpcproxy?
  • Will miss plat integration meeting due to appt.

handyman

  • bug 1366256 - NPAPI sandbox level 3
    • Win10 loaners don't grant admin access so no debugger.
  • bug 1446499 - FunctionHook::HookProtectedMode should be persistent
    • uplifted

Round Table

  • On win32k lockdown, assuming no major developments, we have separation area pinpointed for canvas and webgl. SHIPIT!
    • ballpark time frame for these projects based on what we know now (in quarters)
  • Itemize performance tests we'll use as release criteria for win32k lockdown
  • Trade-off decision(s) over the next three quarters: win32k lockdown on Windows vs. mixed hardening work?
    • webrenderer will ship in 64 to 4% of release population (assuming it ships on current schedule).
    • 66 is the pwn2own 2019 challenge release: 11-26-18 - nightly, 1-7-19 uplift to beta
    • when would we enable win32k lockdown on nightly for testing?
    • I don't see us shipping this in 66 without pixie dust