Security/Meetings/2011-12-21
Clang Static Analysis (decoder)
- Gregory Szorc (:gps) did some great work in figuring out the required steps for applying the analysis to mozilla-central
- Results are at http://people.mozilla.org/~gszorc/clang/2011-12-15-13/
- If you want to help digging through the results and filing bugs for code reviews and possible code adjustments, ping me.
Address Sanitizer Builds (decoder)
- If you want to try Firefox+ASan in an optimized build, I made some builds for Linux, available at http://langfuzz2.mv.mozilla.com/20111218-5c8405e6226e/
- You almost don't notice it's slower.
Brandon's Departure
- Frowny face
Goals
Q4: https://intranet.mozilla.org/2011Q4Goals#Security
Q1:
- Develop prototype for automation and scalability of ARM and mobile fuzzing
- Some of our machines are being upgraded
- Certain releng machines are only running the DOM fuzzer now; they should get jsfunfuzz / LangFuzz running too
- What needs testing on mobile?
  - https://etherpad.mozilla.org/mobile-security-testing is my list. Brandon said he has a "master plan", but I don't know anything about it yet.
- A mobile UI fuzzer idea is being floated; gkw is sitting in on ateam meetings to find out how this might turn out
  - ateam might have some APIs we can use
  - I [decoder] can probably give hints about the crash triage automation etc. on Android because LangFuzz has that built in already.
- sync auth
- Get stats on features we want to end-of-life (enablePrivilege, etc.)
  - commoncrawl.org might help, for the public web anyway (enablePrivilege tends to be used on intranets, not public sites)
  - It could be replaced by an addon
- Security Questionnaire
  - Proof of concept implementation
  - Evaluation with previous security review participants
  - Overall improvements, and a decision on whether this is helpful and should be adopted into the process or not
- Plugin experience - drive update, click to play
Goal Priorities
- Desktop
- Fennec
- B2G
- Webapps
- Identity
Random
- security IAMA on reddit http://www.reddit.com/r/IAmA/comments/nldoj/iama_member_of_the_mozilla_security_team_ama/