Security/B2G/2013 4 29

From MozillaWiki

FirefoxOS Security Team Meeting

1pm PST, B2G Vidyo room

Prior notes are here: https://wiki.mozilla.org/Security/B2G/2013_4_23

News

   [cr] after tu-me review, cr's afraid of it
   [cr] private weekend side project: http://github.com/cr/sequitur
   use it for fun and profit ^- likes
   https://groups.google.com/forum/?fromgroups#!topic/mozilla.dev.gaia/0YXCmyVrIFo
   should we be pushing an encryption API
   get proper implementation down in API before devs screw up individually
   let's look at other platforms
   On iOS - put/get OS takes care of storage
   Is profile accessible by non-root
   Unsure, though it looks like a lot of gecko has been made remote
   http://mxr.mozilla.org/mozilla-central/source/dom/ipc/PBrowser.ipdl
   http://mxr.mozilla.org/mozilla-central/source/dom/ipc/PContent.ipdl

Goals for this week?

Please add what you are working on over the next week(s):

Current:

   [pt] WebRTC review
   [pt] mozContact API review
   [pt] WebNFC Review
   [dc] will look at some reviews
   [fb] bugbounty discussions, at least 1 review item
   [cr] get involved with mutimarket / metamarket
   [cr] get marketplace documentation up on mana

Goal Status Updates

FirefoxOS related security reviews (pauljt)

Develop and land tests for security features (dchan)

Tests got r+, fixing some minor bugs then looking to land. Still need to file followups.

Bug Bounty defined and ready to launch (freddyb)

   no updates. FAQ at https://docs.google.com/a/mozilla.com/document/d/1jJRk3BevGhG-WXQK9VvvKBpTEt_qspQkTkm1AyFGBpI/edit

Create Firefox OS Security Feature Tracking & Prioritization (pauljt)

https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0Ap-jgPe0UrMhdGdIbEhuNDNlOUpjcFFVYXNQSjlONXc#gid=0

Compile Firefox OS issue register (pauljt)

Bugs created, please add bugs

Continue to document Firefox OS Security (pauljt)

no update

Document Update schedule & incident response procedure (pauljt)

Reviewed legal around updates

Firefox OS Sandboxing (kang)

   peak & keon have seccomp bpf support now
   discussions w/ agal & jonas to get seccomp bpf a requirement for b2g version x.y (still have to get ahold of agal)
   merge in /security/sandbox this week maybe?
   Policy regarding adding dangerous code to kernel? (memcow)
   Tested KSM, decent savings too (the whole Nuwa project should bring much more savings though, due to a better process model)
   https://github.com/gdestuynder/releases-mozilla-central/commit/edd4c7d638639a6200703560f885f5c249aee2fb
   https://docs.google.com/a/mozilla.com/document/d/1U-q5Imm9TjDsoEFzByR_ctFV1Z0MIaQuknfy8rvxeMQ
   https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AhL62r-99fkxdHRRZ1pjUTBKeFhHYU5RM2pRcVZSTXc
   IRC: #boxing on irc.mozilla.org (sandboxing)

Malware Defense Strategy (cr)

   [cr] tool for app package analysis prototyped
   might experiment with sequitur