Security/Meetings/2012-01-11
From MozillaWiki
Contents
Q1 Goals
See last week's meeting notes ( https://wiki.mozilla.org/Security/Meetings/2012-01-04#Goals ). No changes.
Comms (curtisk)
- https://intranet.mozilla.org/User:Curtisk/CommsSchedule
- brownbag: Mozilla Blog Guidelines / Wednesday January 11th Noon PST - 10 Forward
- curtisk will be attending and I encourage all to attend
Blog
| Contributor; | Week Of; | Topic |
|---|---|---|
| curtisk | 9-Jan-2012 | |
| decoder | 23-Jan-2012 | |
| sid | 6-Feb-2012 |
BrownBag
- Jan: -gkw - Fuzzing @ Mozilla 30-Jan 1PM
- Feb- Imelven
- ideas??
Lightning talk
| Contributor; | Month Of; | Topic |
|---|---|---|
| dveditz | Jan | |
| Sid | Feb |
Possible Blog topics
- ideas for curtisk
- cont. evolution of sec review (new wikimedia review form, action item tracking, use of vidyo)
- introduction posts, who we are, what we do, what we hope to accomplish
- decoder
- Blog post about ASan and Clang Static Analysis (coming soon)
- One blog post or two? (I think it should be two posts.)
- I thought about one post with a subject like "New testing methods with Clang" and both subjects don't have that much to write so I thought combining might make sense (one dynamic and one static method with Clang).
- Can we provide "unofficial" ASan builds? (I have a build setup now that creates ASan'ified Firefox builds from m-c). People might be willing to give it a try if they don't have to build with ASan themselves.
- How much of those instructions could you put into a script, which anyone could trust, run on their own machines, and get an up-to-date build?
- Building itself is not the only problem, getting the toolchain is also something that needs work (get Clang, compiler-rt, compile all that, etc).
- How much of those instructions could you put into a script, which anyone could trust, run on their own machines, and get an up-to-date build?
- One blog post or two? (I think it should be two posts.)
- Blog post about ASan and Clang Static Analysis (coming soon)
- ideas for external speakers?
Recently Completed SecReviews
Conferences
- https://wiki.mozilla.org/Security/Conferences
- Better Internet Summit - Tues Jan 17th 6-9pm - Tanvi, Sid Waitlisted
- Fosdem
- CSW - Mar 7-9 Vancouver - No speaker list yet. Interested - Al, Gary, Ian, Tanvi, ?
- RSA - Feb 27-Mar 2 (Sid)
College Recruiting events
- There are 5 schools on the list
- End-Jan, early-Feb, mid-Mar
Workweeks
- webapps @ Domain Hotel in MV (Jan 10 - 12)
- services @ Monterey (Jan 17 - 20)
- In MV on 17 / 20th
- devtools @ London Mar 19-23
- automation tools @ SF April 16-20
Click-to-play plugins update (keeler)
- Try builds: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/dkeeler@mozilla.com-18015545af29/
- UX still says it should be left-click to activate (with no menu), and 3 plays of a plugin on a site whitelists that plugin on that site (which is not how I've currently implemented it)
- Security input?
- Uhh left-click to activate means there's no security, pretty much. Who is saying that?
- Also I have to leave at 10:45 today (and all Wednesdays, really)
- Ok - next week. Sounds good.
Rust update (Jesse)
- Rust meetings are Tue at 9.
- Fuzzer resurrected; found another 10 bugs
- Does it make sense to work on a grammar for LangFuzz?
- The existing fuzzer uses a strategy similar to LangFuzz: replace an expr with another expr from the same AST. But modifying the AST directly requires code for each bit of grammar, so currently it only mixes the "expr" and "ty" AST nodes.
- Beware the typechecker; the ever-changing Rust grammar; slow compile times; and the danger of running untrusted unsandboxed code with access to the filesystem.
- You can use "rustc --pretty identified" to have rustc show you the AST. Might be easier than maintaining an external grammar.
- Does it make sense to work on a grammar for LangFuzz?
- Rust 0.1 will be released next week
- Rust work week next month, possibly in Germany
- Are you going to visit us? :D
- Niko's blog is a good way to see some bits of semantics that are up in the air, e.g.
Fuzzing infrastructure
- Al proposes to rack up machines
- gkw has spent most of the past week(& end) refactoring scripts to be more resistant to system freezes and be able to resume from any directory without overwriting or deleting pre-freeze directories
- Now has Windows 7 & Ubuntu Linux running *natively* on some 2011 Mac Minis
- Windows has a majority of our users
- Linux is essential for asan
- Now has Windows 7 & Ubuntu Linux running *natively* on some 2011 Mac Minis
Meeting time change?
- The current 10am time is 5am in Sydney, and will be 3am during Daylight Savings time. Will be very hard to accommodate both Paul and decoder.
- http://www.timeanddate.com/worldclock/meetingtime.html?month=5&day=16&year=2012&p1=137&p2=250&p3=312&p4=240&iv=0
- gkw totally understands timezone issues in Asia
- Ian also has a time conflict with a mobile meeting that is from 9:30-10:30 on Wednesdays. He always has to leave that meeting early
