Socorro/2011-Q2-Community DLL Meeting

From MozillaWiki

Community DLL Directory

Problems

Investigated the top crash in Firefox 4, looking for ways to diagnose it. Looked through module list reports and saw an unversioned DLL that we had never seen before. It was fairly serious malware that had not been seen before.

  • Google search used to be helpful, now lots of phishing/unreliable info in search results.
  • No open/good/reliable sources for DLL information. There are proprietary databases available. Fast access/sharing is important.
  • Namespace for DLLs is constantly growing; malware vendors randomly rename DLLs to avoid detection.
  • Non-malware cases - looking into a fast-rising crash, found a very highly correlated third-party DLL (turned out to be Silverlight). Some DLLs have cryptic names but are valid.

Where this system should live

  • want to avoid attacks on Socorro
  • need to correlate with data in Socorro
    • need data from this system to get into Socorro
  • linkifying
  • the place where users collaborate and shows up in search engines should not be Socorro
    • Socorro can send data to and receive data from this separate system (Socorro API)

Community collaboration

  • Anti-virus vendors tend to be very closed and well-connected in private channels. Getting A/V companies to participate in this system is desirable.
  • There is a group "Soluto" which is trying to make an open app info database http://www.soluto.com/PCGenome/
  • There are proprietary databases, but we would be constrained in how we could share that data (for example in bug reports, surfacing in Socorro)
  • should this be an open, wiki-style system?
    • world-readable
    • basic trust/edit privilege system
      • could we use Bugzilla accounts?
    • PHP docs for example allow comments from anyone, only trusted users can edit
  • could SUMO (support.mozilla.org) be used as a starting point?
    • this would be significantly more structured than SUMO
      • articles just blobs of text
      • no access controls on different bits of info in the wiki
    • different approval workflow than what we probably want
  • does this need to be localized?
    • yes, localizable at least
    • there are cases of third-party software targeting geographical regions
    • likely to be pretty sparse (e.g. description)

Existing system

Goals

  • repository for collecting metadata about DLLs
    • malware
      • how to get anti-virus companies involved
    • legitimate third-party software
      • how can we get them to fix
  • longer-term, community resource
  • could be self-supporting

What to collect

  • human readable name/description
  • what is the function
  • who is the vendor, and the distributors
  • when was a DLL first released, when was it obsoleted
  • did some other DLL replace it?
  • MD5/SHA-1 hash of DLL file
  • what resources / APIs does the library use/touch
  • is DLL signed? compressed? .NET CLR?
  • bugs that mention that DLL
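
As an added illustration (not code from these notes or from Socorro), the sketch below derives the machine-checkable fields of the list above from a DLL's raw bytes: the MD5/SHA-1 hashes, whether a signature is embedded, and whether the file is a .NET CLR assembly. The record field names and the sample header bytes are assumptions constructed for the example; a non-empty certificate table only shows that a signature is present, it does not verify it, and the "compressed" check is not covered.

```python
import hashlib
import struct

SECURITY_DIR, CLR_DIR = 4, 14  # PE data-directory indexes: certificate table, CLR header

def dll_record(name, data):
    """Build one directory record from a DLL's raw bytes (hypothetical field names)."""
    rec = {
        "name": name,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "valid_pe": False, "has_signature": None, "dotnet_clr": None,
    }
    # Submitted files may be truncated or not PE at all: keep the hashes, leave the rest unknown.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return rec
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if pe_off + 26 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return rec
    opt = pe_off + 24                 # optional header follows 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):   # PE32 / PE32+
        return rec
    dirs = opt + (96 if magic == 0x10B else 112)            # start of the data directories
    if dirs > len(data):
        return rec
    count = struct.unpack_from("<I", data, dirs - 4)[0]     # NumberOfRvaAndSizes

    def dir_present(index):
        off = dirs + 8 * index
        if index >= count or off + 8 > len(data):
            return False
        return struct.unpack_from("<II", data, off)[1] > 0  # (address, size): size > 0 means present

    rec.update(valid_pe=True, has_signature=dir_present(SECURITY_DIR),
               dotnet_clr=dir_present(CLR_DIR))
    return rec

def sample_pe(signed, clr):
    """Constructed minimal PE32 header, just enough for the parser; not a loadable DLL."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    dirs[SECURITY_DIR] = (0x400, 0x1000) if signed else (0, 0)
    dirs[CLR_DIR] = (0x2000, 72) if clr else (0, 0)
    return dos + b"PE\0\0" + coff + opt + b"".join(struct.pack("<II", a, s) for a, s in dirs)

if __name__ == "__main__":
    print(dll_record("constructed-sample.dll", sample_pe(signed=True, clr=False)))
```

Keying records on the hash rather than the file name keeps a randomly renamed DLL attached to the same entry.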

Existing related bugs

Action items

  • Socorro report (e.g. CSV) to retrieve the data needed
    • Kairo/Chofmann
  • simple system can be bootstrapped to retrieve this data
    • Chofmann
  • move this etherpad to wiki
  • when and how to resource this (Laura)