Security/B2G/2014 04 16
FirefoxOS Security Team Meeting
1pm PST, B2G Vidyo room
Prior notes are here: https://wiki.mozilla.org/Security/B2G/2014_04_9
Previous Action Items
key security reviews
identify scope for each of them [everyone]
pauljt
Agenda Items
let's talk about open() on b2g sandcomp (if arroway is around or others are interested)
IPC improvements (?)
binder (?)
check what chromium's lib really does
use mprotect blacklisting as last resort (?) <- it adds around 10 BPF rules :/
Google doc for collating scope notes https://docs.google.com/a/mozilla.com/document/d/1yBVqmT15fPKqyaFmHF97KI5jioL4SK-keAt1dDfUNjA/edit
Status Updates
cr
working with Richard Bloor to integrate review docs in devs sections
started Firefox Accounts review, approaching mhammond for coordination
dchan, ulfr on the SA side
packet capturing for FxOS Ping doc
freddyb
outreach to dev-platform about the inline-HTML/CSP thing
Sub Resource Integrity to “First Public Working Draft”
good feedback, problems on wording. next iteration
JSHint (linter for gaia)
result: not useful to improve gaia security
looked at bug 994337, tried cross origin leaks (failed \o/)
Next up: Loop review, "tokfox" demo app for fxos
arroway
Sandboxing: patch to filter calls to open in libgenlock + some blacklisting for mprotect()
FxOS pings
proxy \o/
NFC review
looked at bug 963137
omerta
- away
Pauljt
* HITB is happening
* Updated our wiki, goals feedback from andreas https://wiki.mozilla.org/Security/B2G/Goals
* Leadership summit next month
* Work week ? June 8th? https://etherpad.mozilla.org/fxossecmeetup