Security/B2G/2013 4 29

From MozillaWiki

FirefoxOS Security Team Meeting

1pm PST, B2G Vidyo room
Prior notes are here: https://wiki.mozilla.org/Security/B2G/2013_4_23

News

   [cr] after tu-me review, cr's afraid of it
   [cr] private weekend side project: http://github.com/cr/sequitur
   use it for fun and profit ^- likes
   https://groups.google.com/forum/?fromgroups#!topic/mozilla.dev.gaia/0YXCmyVrIFo
   should we be pushing an encryption API
   get proper implementation down in API before devs screw up individually
   let's look at other platforms
   On iOS - put/get OS takes care of storage
   Is profile accessible by non-root
   Unsure, though it looks like a lot of gecko has been made remote
   http://mxr.mozilla.org/mozilla-central/source/dom/ipc/PBrowser.ipdl
   http://mxr.mozilla.org/mozilla-central/source/dom/ipc/PContent.ipdl

Goals for this week?

Please add what you are working on over the next week(s):

Current:
   [pt] WebRTC review
   [pt] mozContact API review
   [pt] WebNFC review
   [dc] will look at some reviews
   [fb] bugbounty discussions, at least 1 review item
   [cr] get involved with multimarket / metamarket
   [cr] get marketplace documentation up on mana

Goal Status Updates

FirefoxOS related security reviews (pauljt)

Develop and land tests for security features (dchan)

   Tests got r+, fixing some minor bugs then looking to land
   Still need to file followups

Bug Bounty defined and ready to launch (freddyb)

   no updates. FAQ at https://docs.google.com/a/mozilla.com/document/d/1jJRk3BevGhG-WXQK9VvvKBpTEt_qspQkTkm1AyFGBpI/edit

Create Firefox OS Security Feature Tracking & Prioritization (pauljt)

https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0Ap-jgPe0UrMhdGdIbEhuNDNlOUpjcFFVYXNQSjlONXc#gid=0

Compile Firefox OS issue register (pauljt)

Bugs created, please add bugs

Continue to document Firefox OS Security (pauljt)

no update

Document Update schedule & incident response procedure (pauljt)

Reviewed legal around updates

Firefox OS Sandboxing (kang)

   peak & keon have seccomp bpf support now
   discussions w/ agal & jonas to get seccomp bpf a requirement for b2g version x.y (still have to get ahold of agal)
   merge in /security/sandbox this week maybe?
   Policy regarding adding dangerous code to kernel? (memcow)
   Tested KSM, decent savings too (the whole Nuwa project should bring much more savings, though, due to a better process model)
   https://github.com/gdestuynder/releases-mozilla-central/commit/edd4c7d638639a6200703560f885f5c249aee2fb
   https://docs.google.com/a/mozilla.com/document/d/1U-q5Imm9TjDsoEFzByR_ctFV1Z0MIaQuknfy8rvxeMQ
   https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AhL62r-99fkxdHRRZ1pjUTBKeFhHYU5RM2pRcVZSTXc
   IRC: #boxing on irc.mozilla.org (sandboxing)

Malware Defense Strategy (cr)

   [cr] tool for app package analysis prototyped
   might experiment with sequitur