Security/B2G/Jan 29 2013: Difference between revisions

From MozillaWiki
< Security‎ | B2G
Jump to navigation Jump to search
(Created page with "==FirefoxOS Security Team Meeting== 1pm PST, B2G Vidyo room ===News === * Updates - status of FOTA updates? ** FOTA updates will be delivered by ZTE, not by mozilla ** 12 week ca...")
 
Line 19: Line 19:
=== Goal Status ===
=== Goal Status ===
  # FirefoxOS related security reviews (owner: pauljt)
  # FirefoxOS related security reviews (owner: pauljt)
 
# Document Firefox OS Security (owner: dchan)
# Document Firefox OS Security (owner: dchan)
* Open Web Apps Permission Model
* Open Web Apps Permission Model
** document each permission and what it allows
** document each permission and what it allows
** document what a no permission app can do vs webcontent
** document what a no permission app can do vs webcontent
* Firefox OS Security Architecture
* Firefox OS Security Architecture
    ** Gaia layer (system app, app lifecycle, UI security etc)
** Gaia layer (system app, app lifecycle, UI security etc)
    ** Gecko (app sandboxing, activities, mozbrowser etc)
** Gecko (app sandboxing, activities, mozbrowser etc)
    ** Gonk layer ( process level isolation, file permissions, updates, signing infrastructure etc)
** Gonk layer ( process level isolation, file permissions, updates, signing infrastructure etc)
 
 
# Develop and land tests for security features (owner: dchan)
# Develop and land tests for security features (owner: dchan)
* yvan and dchan met with QA to discuss joint goals for B2g testing
* yvan and dchan met with QA to discuss joint goals for B2g testing
** finish carryover goals first (permissions suite, webapi)
** finish carryover goals first (permissions suite, webapi)
** then work on improving test harness and getting normal desktop tests running
** then work on improving test harness and getting normal desktop tests running
 
 
# Engage communities & third-parties for Firefox OS security review and testing (owner: pauljt)
# Engage communities & third-parties for Firefox OS security review and testing (owner: pauljt)
  * bug bounty, Firefox OS
* bug bounty, Firefox OS
  * provide material, how to engage?
* provide material, how to engage?
  * hiring a third-party
* hiring a third-party
 
# Drive OS-layer security improvement (owner: kang)
# Drive OS-layer security improvement (owner: kang)
- ASLR waiting for review and/or gonk upgrade
- ASLR waiting for review and/or gonk upgrade
- Seccomp discussions going on to get the kernel source from qualcom. not sure about the new dev phones (http://www.geeksphone.com/)
- Seccomp discussions going on to get the kernel source from qualcom. not sure about the new dev phones (http://www.geeksphone.com/)
 
# Secure app developer/reviewer guidelines/tools (owner: rforbes)
# Secure app developer/reviewer guidelines/tools (owner: rforbes)
* Mentee Stanley Wong working on a tool scan apps for security problems. Tool to be completed by mid-year - mainly focused on app security research atm, and identifying which areas to focus on.
* Mentee Stanley Wong working on a tool scan apps for security problems. Tool to be completed by mid-year - mainly focused on app security research atm, and identifying which areas to focus on.
* Dumped ideas in here: https://etherpad.mozilla.org/SecureWebAppDev
* Dumped ideas in here: https://etherpad.mozilla.org/SecureWebAppDev
 
* Automate XSS fuzzing - mgoodwin to investigate
* Automate XSS fuzzing - mgoodwin to investigate

Revision as of 09:33, 30 January 2013

FirefoxOS Security Team Meeting

1pm PST, B2G Vidyo room

News

  • Updates - status of FOTA updates?
    • FOTA updates will be delivered by ZTE, not by mozilla
    • 12 week cadence
    • No Mozilla provided update to end-user devices
  • Will dev (geekphone) phones be used internally?
    • No, geeksphone is an initiative run by telefonica, and these wont be used internally

Current/upcoming Reviews

High Priority:

  • Updates - review done, chasing up some action items and outstanding questions (some final changes are happening)
  • Browser API - Pauljt, this week if I can get devs.
  • Tethering - anyone have time to look at this? dchan
  • Gaia: Document a combined review/close these out somehow?
  • Web Activities (including system activities) - document and close out. pauljt

Goal Status

# FirefoxOS related security reviews (owner: pauljt)
  1. Document Firefox OS Security (owner: dchan)
  • Open Web Apps Permission Model
    • document each permission and what it allows
    • document what a no permission app can do vs webcontent
  • Firefox OS Security Architecture
    • Gaia layer (system app, app lifecycle, UI security etc)
    • Gecko (app sandboxing, activities, mozbrowser etc)
    • Gonk layer ( process level isolation, file permissions, updates, signing infrastructure etc)


  1. Develop and land tests for security features (owner: dchan)
  • yvan and dchan met with QA to discuss joint goals for B2g testing
    • finish carryover goals first (permissions suite, webapi)
    • then work on improving test harness and getting normal desktop tests running


  1. Engage communities & third-parties for Firefox OS security review and testing (owner: pauljt)
  • bug bounty, Firefox OS
  • provide material, how to engage?
  • hiring a third-party
  1. Drive OS-layer security improvement (owner: kang)

- ASLR waiting for review and/or gonk upgrade - Seccomp discussions going on to get the kernel source from qualcom. not sure about the new dev phones (http://www.geeksphone.com/)

  1. Secure app developer/reviewer guidelines/tools (owner: rforbes)
  • Mentee Stanley Wong working on a tool scan apps for security problems. Tool to be completed by mid-year - mainly focused on app security research atm, and identifying which areas to focus on.
  • Dumped ideas in here: https://etherpad.mozilla.org/SecureWebAppDev
  • Automate XSS fuzzing - mgoodwin to investigate
Retrieved from "https://wiki.mozilla.org/index.php?title=Security/B2G/Jan_29_2013&oldid=508698"