Security/B2G/2014 04 16

From MozillaWiki

FirefoxOS Security Team Meeting

1pm PST, B2G Vidyo room

Prior notes are here: https://wiki.mozilla.org/Security/B2G/2014_04_9

Previous Action Items

key security reviews

    identify scope for each of them [everyone] 
    pauljt 

Agenda Items

   let's talk about open() on b2g sandcomp (if arroway is around or others are interested)
   IPC improvements (?)
   binder (?)
   check what chromium's lib really does
   use mprotect blacklisting as last resort (?) <- it adds around 10 BPF rules :/

Google doc for collating scope notes: https://docs.google.com/a/mozilla.com/document/d/1yBVqmT15fPKqyaFmHF97KI5jioL4SK-keAt1dDfUNjA/edit

Status Updates

cr

   working with Richard Bloor to integrate review docs in devs sections
   started Firefox Accounts review, approaching mhammond for coordination
   dchan, ulfr on the SA side
   packet capturing for FxOS Ping doc

freddyb

   outreach to dev-platform about the inline-HTML/CSP thing
   Sub Resource Integrity to “First Public Working Draft”
   good feedback, problems on wording. next iteration
   JSHint (linter for gaia)
   result: not useful to improve gaia security
   looked at bug 994337, tried cross origin leaks (failed \o/)
   Next up: Loop review, "tokfox" demo app for fxos

arroway

   Sandboxing: patch to filter calls to open in libgenlock + some blacklisting for mprotect()
   FxOS pings
   proxy \o/
   NFC review
   looked at bug 963137

omerta

  • away

Pauljt

* HITB is happening
* Updated our wiki, goals feedback from andreas
    https://wiki.mozilla.org/Security/B2G/Goals
* Leadership summit next month
* Work week ? June 8th?
    https://etherpad.mozilla.org/fxossecmeetup

Notes

New Action Items

Goal Status Updates

Other stuff