Security/Automation/WinterOfSecurity2014: Difference between revisions
Latest revision as of 13:16, 19 July 2014
Winter Of Security 2014
The Winter of Security (MWOS) is Mozilla's program to involve students in security projects. Students who have to complete a semester project as part of their university curriculum can apply to one of the MWOS projects. Projects are guided by a Mozilla adviser and a university professor. Students are graded by their university, based on success criteria identified at the beginning of the project. Mozilla advisers allocate up to 2 hours each week to their students, typically by video-conference, to discuss progress and roadblocks.
Projects are focused on building security tools, and students are expected to write code which must be released as Open Source. Universities are free to specify their own requirements to projects, such as written reports. Mozilla does not influence the way grades are allocated, but advisers will provide any information professors need in order to grade their students.
Note on language: English is required for code comments and documentation, but not for interactions between students and advisers. Advisers who speak the same language as their students are encouraged to interact in that language.
Selection process
Projects are assigned to groups of students. Groups are defined by the universities, and can be of any size between 1 and 4 students. The selection process is open to all students in undergraduate/license and graduate/master programs. A group applies to up to 3 projects by submitting an application that contains:
- the names of the projects the team is applying to
- team introduction and motivation (max 1000 characters)
- presentation of the university program (max 500 characters)
- short description of each team member (skills, interest, ...) (max 500 character for each team member)
- links to relevant resources (university website, resumes, ...)
UPDATE: Applications to the 2014 edition of Mozilla Winter of Security are now closed.
Timeline
The application deadline is July 15th, 2014. We will take a few weeks to review all applications and inform the candidates by the middle of August. The students and their professor can decide on the timeline, and make sure that it fits well with other classes. Ideally, projects should not take more than 6 months from start to finish. Mozilla advisors will be available weekly on video (Vidyo, Google Hangout or Skype) to discuss progress and roadblocks, and to provide help. Professors can set intermediary deadlines if needed, and have complete control over the grading of their students.
Student projects
Web Security
ScanJS: Contribute to a JavaScript source code analyzer
- Mozilla Advisor: Frederik Braun
- difficulty: high
- language: english or german
ScanJS (https://github.com/mozilla/scanjs) is a JavaScript source code analyzer written in JavaScript. It helps with reviewing and testing open web apps for security vulnerabilities. The goal of this project is to contribute to ScanJS by taking on some of the known issues (https://github.com/mozilla/scanjs/issues) and improving the tool's capabilities. Students are also encouraged to explore areas of JavaScript static analysis and contribute their findings to ScanJS. You can test ScanJS at the demo page (http://mozilla.github.io/scanjs/client/) by uploading a JavaScript file (or a ZIP file containing multiple files, like Firefox OS apps).
OWASP ZAP: Scripted Add-ons
- Mozilla Advisor: Simon Bennetts
- difficulty: medium
- language: English
ZAP supports all JSR 223 scripting languages, but only for a limited number of purposes. This development would allow 'full' add-ons to be written in any JSR 223 language.
ZAP is the most active OWASP project and was voted the most popular security tool of 2013 by ToolsWatch.org readers. It is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
OWASP ZAP: AMF Support
- Mozilla Advisor: Simon Bennetts
- difficulty: medium
- language: English
ZAP has only very limited support for AMF and does not provide an effective graphical representation of it. This development will add full support for AMF.
ZAP is the most active OWASP project and was voted the most popular security tool of 2013 by ToolsWatch.org readers. It is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
Forensic
Cross-platform memory scanning in Go
- Mozilla Advisor: Julien Vehent
- difficulty: high
- language: english or french
The Mozilla InvestiGator (MIG) project (https://github.com/mozilla/mig/) needs a way to inspect the memory of a system and detect threats. The typical approach in memory forensics is to dump the memory of a system and analyze it on another system, using tools like Volatility (https://code.google.com/p/volatility/). We are looking for a less invasive approach, where an agent running on a target system can inspect its own memory without disrupting operations. Existing libraries, such as Volatility, are hard to ship to remote systems because of their size and dependencies. The goal of this project is to design and code a lean, cross-platform memory inspection library in the Go language that can be integrated into MIG. This project is an opportunity for a group of students to take a close look at memory forensics across all operating systems.
Network & System Security
Cross-platform firewall driver in Go
- Mozilla Advisor: Julien Vehent
- difficulty: medium
- language: english or french
The Mozilla InvestiGator (MIG) (https://github.com/mozilla/mig/) is designed to detect and respond to threats. One way of responding to an attack is to create firewall rules on the local host to block an IP, or a particular connection. The goal of this project is to create a library in the Go language that can create and delete firewall rules on Windows (see the MSDN example at http://msdn.microsoft.com/en-us/library/windows/desktop/dd339609%28v=vs.85%29.aspx), MacOS and Linux (iptables and nftables). The library should also be able to retrieve a ruleset from a host in a standardized format (JSON). This project is an opportunity for a group of students to take a close look at firewall management on the major operating systems.
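As an added example (not MIG code and not part of the project description), the following Go program sketches the Linux side of such a library: a rule type that serializes to JSON, a parser for `iptables -S` output supplied as text, the same rule rendered as an add or a delete command, and a validated helper that builds the rule a responder would add to block a source. The option subset handled, the `BlockSource` name and the sample ruleset are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Rule is a platform-neutral firewall rule with only what a responder needs: drop or accept a source, optionally for one protocol and port.
type Rule struct {
	Chain  string `json:"chain"`
	Source string `json:"source,omitempty"` // CIDR notation
	Proto  string `json:"proto,omitempty"`
	Dport  string `json:"dport,omitempty"`
	Target string `json:"target"`
}

// ParseIptablesS parses the text of `iptables -S` (supplied as a string, never executed here) into Rules; -P and -N lines describe chains, not rules.
func ParseIptablesS(out string) ([]Rule, error) {
	var rules []Rule
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || f[0] != "-A" {
			continue
		}
		r, err := parseAppend(f[1:])
		if err != nil {
			return rules, fmt.Errorf("%q: %v", line, err)
		}
		rules = append(rules, r)
	}
	return rules, nil
}

// parseAppend reads `CHAIN [-s CIDR] [-p PROTO] [-m MATCH] [--dport PORT] -j TARGET`; options not modelled here (-m, -d, -i, ...) are skipped with their argument.
func parseAppend(f []string) (Rule, error) {
	r := Rule{Chain: f[0]}
	dst := map[string]*string{"-s": &r.Source, "-p": &r.Proto, "--dport": &r.Dport, "-j": &r.Target}
	for i := 1; i+1 < len(f); i += 2 {
		if p := dst[f[i]]; p != nil {
			*p = f[i+1]
		}
	}
	if r.Target == "" {
		return r, fmt.Errorf("rule has no target")
	}
	return r, nil
}

// Args renders the rule as iptables arguments: "-A" creates it, "-D" deletes the very same rule again, so a responder can undo its change later.
func (r Rule) Args(verb string) []string {
	a := []string{verb, r.Chain}
	for _, kv := range [][2]string{{"-s", r.Source}, {"-p", r.Proto}, {"--dport", r.Dport}} {
		if kv[1] != "" {
			a = append(a, kv[0], kv[1])
		}
	}
	return append(a, "-j", r.Target)
}

// BlockSource builds the INPUT rule dropping traffic from an IPv4 host or CIDR, validating the input so that nothing unparsed is ever handed to iptables.
func BlockSource(src string) (Rule, error) {
	if !strings.Contains(src, "/") {
		src += "/32"
	}
	ip, n, err := net.ParseCIDR(src)
	if err != nil || ip.To4() == nil {
		return Rule{}, fmt.Errorf("not an IPv4 address or CIDR: %q", src)
	}
	return Rule{Chain: "INPUT", Source: n.String(), Target: "DROP"}, nil
}

// sampleIptablesS is constructed `iptables -S` output, not captured from a host.
const sampleIptablesS = `-P INPUT DROP
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.5/32 -j DROP`

func main() {
	rules, _ := ParseIptablesS(sampleIptablesS)
	b, _ := json.MarshalIndent(rules, "", "  ")
	fmt.Println(string(b))
	r, _ := BlockSource("203.0.113.9")
	fmt.Println(strings.Join(r.Args("-A"), " "), "| undo:", strings.Join(r.Args("-D"), " "))
}
```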
Linux Audit heka plugin (Go)
- Mozilla Advisor: Guillaume Destuynder
- difficulty: medium
- language: english or french
Heka is a Mozilla project for log routing, analysis, etc. (see http://hekad.readthedocs.org/en/latest/). The Linux Audit subsystem collects system calls and events and sends them to a C user-space program (auditd) over the netlink protocol. A Mozilla C plugin (https://github.com/gdestuynder/audisp-cef) currently correlates, transforms and sends these events on to our logging architecture. This project aims to replace the C program and C plugin with a Go Heka plugin.
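As an added illustration (neither the audisp-cef plugin nor Heka code), this Go program does the first two steps such a plugin performs: it parses constructed audit records in the key=value format auditd emits, decoding the hex-encoded strings the kernel produces for values with spaces, and correlates the records of one event by serial, rebuilding argv from the EXECVE record. The `stringKeys` list and the sample records are assumptions made for the example.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Event is the correlated view of all audit records sharing one serial.
type Event struct {
	Serial  int               `json:"serial"`
	Syscall map[string]string `json:"syscall,omitempty"`
	Argv    []string          `json:"argv,omitempty"`
}

var (
	// header matches `type=SYSCALL msg=audit(1403202121.123:456): k=v ...`.
	header = regexp.MustCompile(`^type=(\S+) msg=audit\([0-9.]+:([0-9]+)\): ?(.*)$`)
	// field matches one `key=value` or `key="quoted value"` pair.
	field = regexp.MustCompile(`([A-Za-z0-9_]+)=(?:"([^"]*)"|(\S*))`)
	// stringKeys (an assumed list) name fields whose unquoted value is a hex-encoded string.
	stringKeys = map[string]bool{"comm": true, "exe": true, "cwd": true, "name": true, "proctitle": true, "key": true}
)

// ParseRecord parses one raw audit line into its type, serial and decoded fields. The kernel
// hex-encodes strings containing spaces or control bytes; in EXECVE records a0, a1, ... are such argv strings, in SYSCALL records they are registers.
func ParseRecord(line string) (rtype string, serial int, fields map[string]string, err error) {
	m := header.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return "", 0, nil, fmt.Errorf("not an audit record: %q", line)
	}
	rtype, fields = m[1], map[string]string{}
	serial, _ = strconv.Atoi(m[2])
	for _, f := range field.FindAllStringSubmatch(m[3], -1) {
		key, val := f[1], f[3]
		isArg := rtype == "EXECVE" && len(key) >= 2 && key[0] == 'a' && key[1] >= '0' && key[1] <= '9'
		if strings.HasPrefix(f[0][len(key)+1:], `"`) { // quoted: taken verbatim
			val = f[2]
		} else if b, e := hex.DecodeString(val); e == nil && (stringKeys[key] || isArg) {
			val = string(b)
		}
		fields[key] = val
	}
	return rtype, serial, fields, nil
}

// Correlate groups records by serial into Events, as the audisp plugin does before handing one structured message to the logging pipeline.
func Correlate(lines []string) map[int]*Event {
	events := map[int]*Event{}
	for _, l := range lines {
		rtype, serial, fields, err := ParseRecord(l)
		if err != nil {
			continue // not audit output; a real plugin would count these
		}
		ev := events[serial]
		if ev == nil {
			ev = &Event{Serial: serial}
			events[serial] = ev
		}
		switch rtype {
		case "SYSCALL":
			ev.Syscall = fields
		case "EXECVE": // rebuild argv from argc and a0..aN
			argc, _ := strconv.Atoi(fields["argc"])
			for i := 0; i < argc; i++ {
				ev.Argv = append(ev.Argv, fields["a"+strconv.Itoa(i)])
			}
		}
	}
	return events
}

// sampleAudit is constructed output for one execve of `echo "hello world"`; the argument
// containing a space arrives hex-encoded, exactly as the kernel emits it.
const sampleAudit = `type=SYSCALL msg=audit(1403202121.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=1d6a5c0 a1=1d6a7a0 a2=1d3f010 a3=7fff5b2e1f30 items=2 ppid=2012 pid=2044 auid=1000 uid=0 comm="echo" exe="/bin/echo" key="exec"
type=EXECVE msg=audit(1403202121.123:456): argc=2 a0="echo" a1=68656C6C6F20776F726C64
not an audit record: the plugin must skip such lines`

func main() {
	out, _ := json.MarshalIndent(Correlate(strings.Split(sampleAudit, "\n")), "", "  ")
	fmt.Println(string(out))
}
```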
Passive vulnerability scanning
- Mozilla Advisor: Michal Purzynski
- difficulty: high
- language: english or polish
The vulnerability management process needs knowledge to prioritize patching. Many large organizations cannot patch everything, and there is always a decision to be made: what gets patched first? In order to make such decisions, one needs to learn what kind of vulnerable software is running on systems and talking over the network. The traditional way of doing this is to log into each server, run a query against the software database and compare versions with a vulnerability list. This does not work well for a few reasons, such as leaving out potentially vulnerable systems that one cannot log into (appliances, unmanaged legacy systems, unsupported operating systems, etc.). End-user systems are also often left out, and in the days of BYOD one cannot assume that all clients are managed.
The goal of this project is to use passive network monitoring to discover software (and versions) on the network, and to build a reliable database that can be used as the input to the patching process. There is a lot of information on the network layer, such as user agents, versions, etc. One of the bigger challenges here will be to filter out the noise without losing data in the process: there is no such thing as a 'standardized user agent format'. Classic network monitoring techniques coupled with statistical methods might help here as well.
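Added example, not part of the page or of any Mozilla tool: a Go sketch of the inventory step described above, which extracts product/version tokens from constructed User-Agent strings, drops noise tokens and counts how often each client reports a product so that one-off requests can be thresholded away. The `noise` list, the token pattern and the sample observations are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// Observation is one passively captured HTTP request: client address and its User-Agent.
type Observation struct{ Client, UserAgent string }

// Product is one software name and version recovered from a User-Agent string.
type Product struct{ Name, Version string }

// token matches `Name/version` pairs, the only reasonably consistent part of a UA string.
var token = regexp.MustCompile(`([A-Za-z][A-Za-z0-9_.+-]*)/(\d[\w.+-]*)`)

// noise: tokens with no inventory value (Mozilla/5.0 is claimed by every browser, Gecko/ is a build date, WebKit tokens are shared engine versions); an assumed list.
var noise = map[string]bool{"Mozilla": true, "Gecko": true, "AppleWebKit": true, "Safari": true}

// ExtractProducts pulls product/version pairs out of one User-Agent string.
func ExtractProducts(ua string) []Product {
	var out []Product
	for _, m := range token.FindAllStringSubmatch(ua, -1) {
		if !noise[m[1]] {
			out = append(out, Product{Name: m[1], Version: m[2]})
		}
	}
	return out
}

// Inventory counts, per client, how often each product/version was observed.
type Inventory map[string]map[Product]int

// Build aggregates observations; the counts let a one-off request be told apart from a version a client reports consistently.
func Build(obs []Observation) Inventory {
	inv := Inventory{}
	for _, o := range obs {
		for _, p := range ExtractProducts(o.UserAgent) {
			if inv[o.Client] == nil {
				inv[o.Client] = map[Product]int{}
			}
			inv[o.Client][p]++
		}
	}
	return inv
}

// Report lists, per client, the products seen at least minSeen times, sorted by name and version; clients with nothing above the threshold are omitted.
func (inv Inventory) Report(minSeen int) map[string][]Product {
	rep := map[string][]Product{}
	for client, seen := range inv {
		var ps []Product
		for p, n := range seen {
			if n >= minSeen {
				ps = append(ps, p)
			}
		}
		if len(ps) == 0 {
			continue
		}
		sort.Slice(ps, func(i, j int) bool {
			return ps[i].Name < ps[j].Name || ps[i].Name == ps[j].Name && ps[i].Version < ps[j].Version
		})
		rep[client] = ps
	}
	return rep
}

// sampleObservations are constructed, not captured traffic; 10.0.0.3 never names a product.
var sampleObservations = []Observation{
	{"10.0.0.5", "Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0"},
	{"10.0.0.5", "Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0"},
	{"10.0.0.5", "Java/1.7.0_55"},
	{"10.0.0.7", "Wget/1.15 (linux-gnu)"},
	{"10.0.0.9", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"},
	{"10.0.0.3", "-"},
}

func main() {
	b, _ := json.MarshalIndent(Build(sampleObservations).Report(1), "", "  ")
	fmt.Println(string(b))
}
```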
Cryptography
Compliance checking of TLS configuration
- Mozilla Advisor: Julien Vehent
- difficulty: medium
- language: english or french
Mozilla maintains guidelines for server side configurations of SSL/TLS (Security/Server_Side_TLS on this wiki) that we use to guide the deployment of secure channels everywhere. The goal of this project is to build a tool that verifies the compliance of a configuration with our guidelines and helps administrators improve their security. The tool must be able to evaluate the quality of ciphers, detect required features such as OCSP stapling, and evaluate certificates. It is very similar in philosophy to projects like SSL Labs and Cipherscan (https://github.com/jvehent/cipherscan), but mixed with a certificate observatory. The end goal is to help administrators reach a better security level, and to measure compliance against Mozilla's policies. The team will be free to reuse existing tools, or to build a new one from scratch.
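Added example (not Cipherscan, SSL Labs or Mozilla code): a Go compliance check of the kind the paragraph describes, comparing a constructed scan observation against a policy that has the guideline's shape (protocol floor, ordered cipher allow-list, OCSP stapling, certificate key size). The `samplePolicy` values and the `weakServer` observation are assumptions for illustration, not Mozilla's actual lists or a real scan.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Policy is a simplified, assumed rendering of a server-side TLS guideline.
type Policy struct {
	MinVersion  uint16   // lowest protocol version the server may accept
	Ciphers     []string // permitted cipher suites, strongest first (OpenSSL names)
	RequireOCSP bool     // OCSP stapling must be enabled
	MinRSABits  int      // minimum RSA key size of the server certificate
}

// Observation is what a scanner learned from one server (constructed here).
type Observation struct {
	Versions    []uint16 // protocol versions the server accepted
	Ciphers     []string // cipher suites offered, in the server's preference order
	OCSPStapled bool
	RSABits     int
}

// Finding is one compliance problem; Level is "fail" (non-compliant) or "warn".
type Finding struct{ Level, Msg string }

const versionSSL30 uint16 = 0x0300 // defined locally: crypto/tls deprecates its own constant

// Check evaluates an observation against a policy (protocol floor, cipher allow-list
// and preference order, OCSP stapling, key size); failed is true on any hard failure.
func Check(p Policy, o Observation) (findings []Finding, failed bool) {
	fail := func(m string) { findings, failed = append(findings, Finding{"fail", m}), true }
	warn := func(m string) { findings = append(findings, Finding{"warn", m}) }
	for _, v := range o.Versions {
		if v < p.MinVersion {
			fail(fmt.Sprintf("accepts protocol version 0x%04x, below the policy minimum 0x%04x", v, p.MinVersion))
		}
	}
	rank := map[string]int{} // position of each permitted cipher in the policy
	for i, c := range p.Ciphers {
		rank[c] = i
	}
	var unknown []string
	weakest := -1 // highest policy index (weakest cipher) seen so far in the server's order
	for _, c := range o.Ciphers {
		r, ok := rank[c]
		switch {
		case !ok:
			unknown = append(unknown, c) // RC4, export suites, anything unlisted
		case r < weakest: // a stronger cipher listed after a weaker one
			warn("cipher order differs from policy: " + c + " should come before " + p.Ciphers[weakest])
		default:
			weakest = r
		}
	}
	if len(unknown) > 0 {
		fail("ciphers not permitted by policy: " + strings.Join(unknown, ", "))
	}
	if p.RequireOCSP && !o.OCSPStapled {
		fail("OCSP stapling is not enabled")
	}
	if o.RSABits < p.MinRSABits {
		fail(fmt.Sprintf("RSA key is %d bits, policy requires at least %d", o.RSABits, p.MinRSABits))
	}
	return findings, failed
}

// samplePolicy holds assumed values for this example (not Mozilla's guideline);
// weakServer is a constructed observation of a server still accepting SSLv3 and RC4.
var (
	samplePolicy = Policy{MinVersion: tls.VersionTLS10, RequireOCSP: true, MinRSABits: 2048,
		Ciphers: []string{"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-GCM-SHA256", "AES128-SHA"}}
	weakServer = Observation{Versions: []uint16{versionSSL30, tls.VersionTLS10, tls.VersionTLS12},
		Ciphers: []string{"AES128-SHA", "RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256"}, RSABits: 1024}
)

func main() {
	findings, failed := Check(samplePolicy, weakServer)
	for _, f := range findings {
		fmt.Printf("[%s] %s\n", f.Level, f.Msg)
	}
	fmt.Println("compliant:", !failed)
}
```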
Identity Management
Make Multi-Factor Authentication for OpenVPN a first class citizen
- Mozilla Advisor: Guillaume Destuynder
- difficulty: medium
- language: english, french
- Required skills: C
Mozilla uses OpenVPN with MFA via deferred C plugins and Python scripts. However, there are several caveats that require non-plugin-based modifications, such as One Time Password (OTP) client input and session tracking. The goal of this project is to research and provide a first class user experience when using MFA with OpenVPN, and to contribute it to the Open Source OpenVPN project.
Risk Management
An online threat modeling tool
- Mozilla Advisor: Curtis Koenig
- difficulty: medium
- language: english
Threat modelling is an important part of designing an application, and a threat model diagram is a very useful way to document the threats that apply to your application. Unfortunately there are very few threat modelling tools available, and most of them are restricted to specific platforms. This project is to create an online HTML5 application that lets the user easily create threat model diagrams. It should be very easy to use, and allow the diagrams to be exported in the most common image formats. The graphical elements of the Microsoft Threat Modeling tool (https://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx) are a good example of the type of functionality required.
FAQ
- What is meant by "Presentation of the University program" in the application form?
We would like to see what kind of degree you are currently pursuing (e.g. Bachelor of Science in Computer Science or Master of Science in IT Security, ...), as well as a description of the university itself. This is another data point that gives us more information about the applicants' chances of successfully completing a project.
- Can students apply to multiple projects?
Yes. Students can apply to one or more projects. Students cannot apply twice for the same project, even if their team composition varies.
- What criteria will you use to select the candidates?
The skills and passion of the team members are key points. The size of the team may play in favor of applicants, but is not a requirement. A single candidate who can show a portfolio of successful projects will have the same chances as larger teams. Commitment from the university is a strong requirement. Students need to demonstrate that their professors support them and will give them time to work on the projects. The ideal situation is for a team to pick a MWoS project as their final thesis and work on it for a full semester. Not all students will be able to do so, and we will evaluate all applications with the same level of scrutiny.
- Can I still work on Mozilla projects if I am not selected for MWoS?
Yes! We continuously have projects that are available for students to grab! Take a look at the Mentorship program, and reach out to us in the #security IRC channel if you are interested.