Security/B2G/2013 4 29
From MozillaWiki
FirefoxOS Security Team Meeting
1pm PST, B2G Vidyo room
Prior notes are here: https://wiki.mozilla.org/Security/B2G/2013_4_23
News
- [cr] after the tu-me review, cr's afraid of it
- [cr] private weekend side project: http://github.com/cr/sequitur
  use it for fun and profit ^- likes
- https://groups.google.com/forum/?fromgroups#!topic/mozilla.dev.gaia/0YXCmyVrIFo
  - should we be pushing an encryption API?
  - get a proper implementation down in the API before devs screw it up individually
  - let's look at other platforms
  - on iOS: put/get, the OS takes care of storage
- Is the profile accessible by non-root?
  - Unsure, though it looks like a lot of Gecko has been made remote
  - http://mxr.mozilla.org/mozilla-central/source/dom/ipc/PBrowser.ipdl
  - http://mxr.mozilla.org/mozilla-central/source/dom/ipc/PContent.ipdl
Goals for this week?
Please add what you are working on over the next week(s):
Current:
- [pt] WebRTC review
- [pt] mozContact API review
- [pt] WebNFC review
- [dc] will look at some reviews
- [fb] bug bounty discussions, at least 1 review item
- [cr] get involved with multimarket / metamarket
- [cr] get marketplace documentation up on mana
Goal Status Updates
FirefoxOS related security reviews (pauljt)
- Q2 Review target: https://wiki.mozilla.org/Security/B2G/Reviews
- SMS app done
Develop and land tests for security features (dchan)
- Tests got r+, fixing some minor bugs, then looking to land
- Still need to file follow-ups
Bug Bounty defined and ready to launch (freddyb)
- no updates. FAQ at https://docs.google.com/a/mozilla.com/document/d/1jJRk3BevGhG-WXQK9VvvKBpTEt_qspQkTkm1AyFGBpI/edit
Create Firefox OS Security Feature Tracking & Prioritization (pauljt)
Compile Firefox OS issue register (pauljt)
- Bugs created, please add bugs
Continue to document Firefox OS Security (pauljt)
- no update
Document Update schedule & incident response procedure (pauljt)
- Reviewed legal around updates
Firefox OS Sandboxing (kang)
- peak & keon have seccomp-bpf support now
- discussions w/ agal & jonas to get seccomp-bpf a requirement for b2g version x.y (still have to get ahold of agal)
- merge in /security/sandbox this week maybe?
- Policy regarding adding dangerous code to the kernel? (memcow)
- Tested KSM, decent savings too (the whole Nuwa project should bring much more savings though, due to a better process model)
  - https://github.com/gdestuynder/releases-mozilla-central/commit/edd4c7d638639a6200703560f885f5c249aee2fb
  - https://docs.google.com/a/mozilla.com/document/d/1U-q5Imm9TjDsoEFzByR_ctFV1Z0MIaQuknfy8rvxeMQ
  - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AhL62r-99fkxdHRRZ1pjUTBKeFhHYU5RM2pRcVZSTXc
- IRC: #boxing on irc.mozilla.org (sandboxing)
Malware Defense Strategy (cr)
- [cr] tool for app package analysis prototyped
  - might experiment with sequitur