Security/B2G/2013 4 10


FirefoxOS Security Team Meeting

1pm PST, B2G Vidyo room

Prior notes are here: https://wiki.mozilla.org/Security/B2G/2013_2_20

News

  • https://intranet.mozilla.org/Program_Management/Firefox_OS/Release_Version_Status/#FFOS_Version_Map
  • Sandboxing now a big priority in the project
  • Secure development guidelines: https://docs.google.com/a/mozilla.com/document/d/1DLs1jhTMxN5fh2PSb_O7FDaSadjjAW-MlK1xCBRWGmM/edit#heading=h.cf5se5o21xjw
  • CR going to be working with marketplace to help reviewers find the issues covered in those guidelines
  • Finalising goals for Q2
  • CSP 1.0 is landing, will impact Firefox OS certified apps. Working with the gaia team to solve issues.

Goals

Bigger Plan - 12 month items

  • Drive key security controls (sandboxing, permissions improvements, harden APIs, etc.)
  • Security Certification/Specification for Firefox OS (define what it means to be a Firefox OS device)
  • Publicly capture security model, details, permission models
  • Outreach efforts on Firefox OS security

Things we always do

  • Platform Security Reviews
  • App Security Reviews (Gaia & partner apps shipped with phone)
  • Design assurance/guidance on new security features

Q2

  • FirefoxOS related security reviews
  • Develop and land tests for security features
  • Bug Bounty defined and ready to launch
  • Drive key security changes
  • Compile Firefox OS issue register
  • Continue to document Firefox OS Security
  • Document update schedule

Q3

Current/upcoming Reviews

Goal Status Updates

1. FirefoxOS related security reviews (owner: pauljt)

2. Document Firefox OS Security (owner: dchan)

No update

3. Develop and land tests for security features (owner: dchan)

Follow status here: https://bugzilla.mozilla.org/show_bug.cgi?id=815105

APIs changing in future (null on no permission, undefined for unsupported): https://bugzilla.mozilla.org/show_bug.cgi?id=859554
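The null-versus-undefined convention noted above is easy to get wrong in app code, so here is an added example (not from these notes or from Gaia) that classifies a WebAPI property into the three states and shows why a plain truthiness check conflates two of them. `fakeNavigator` and the `moz*` property names are constructed stand-ins, not real Firefox OS APIs.

```javascript
// Classify a navigator property by the convention from the notes:
//   undefined -> the API is not supported on this build
//   null      -> the API exists but this app lacks the permission
//   anything else -> a usable API object
function apiState(nav, name) {
  if (!(name in nav) || nav[name] === undefined) return "unsupported";
  if (nav[name] === null) return "denied";
  return "available";
}

// The naive check most app code starts with: it returns false for both
// "unsupported" and "denied", so the app cannot tell a missing feature
// from a missing permission (which matters for error messages and reviews).
function naiveHasApi(nav, name) {
  return Boolean(nav[name]);
}

// Constructed stand-in for `navigator` on a hypothetical device/app pair.
const fakeNavigator = {
  mozSupported: { call: () => "ok" }, // hypothetical API, permission granted
  mozDenied: null,                     // hypothetical API, permission not granted
  // mozMissing is deliberately absent: not supported on this build
};

// Build a name -> state map for a list of APIs.
function summary(nav, names) {
  const out = {};
  for (const n of names) out[n] = apiState(nav, n);
  return out;
}

// Stand-alone run for the reader.
console.log(summary(fakeNavigator, ["mozSupported", "mozDenied", "mozMissing"]));
```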

4. Engage communities & third-parties for Firefox OS security review and testing (owner: pauljt)

-- any ctf news? <-- on hold :(

5. Drive OS-layer security improvement (owner: kang)

  • got a kernel working on the unagi
  • got seccomp on the unagi kernel
  • https://people.mozilla.com/~gdestuynder/unagi_seccomp_1.tar.gz.enc
    openssl enc -d -aes-256-cbc -in unagi_seccomp_1.tar.gz.enc -out unagi_seccomp_1.tar.gz
    passphrase: alula morning table guitar elephant mustard
  • getting a keon this week for similar purposes ;-)
  • sandbox discussions everywhere!

6. Secure app developer/reviewer guidelines/tools (owner: rforbes)

Other Items

innerHTML