Security/Meetings/SecurityAssurance/2012-04-24
From MozillaWiki
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 20:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- Automation team work week last week in SF
- New security review process is great, much improved (especially in speed?) [Yes!]
- But still can be better, some slipped off the radar.
- Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
- [Jesse] How can we make the (hoped) fuzzer release less scary?
- [yvan] Could we find friends in academia who have access to a large computing farm, and share it with them first?
- Would grad students be able to make a research project out of it? "Just running the fuzzers" isn't very researchy.
- They could update it to find more bugs
- This could give us a sense of how many more bugs can be found using the fuzzers, thus making us more comfortable releasing them.
Meeting Notes
Security Review Status (curtisk)
- Number of Reviews Completed (so far this quarter): 16
- https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-complete%2C%20;keywords_type=allwords;list_id=2876446;field0-0-0=keywords;type0-0-0=changedafter;value0-0-0=2012.03.31;query_format=advanced = 6
- https://bugzilla.mozilla.org/buglist.cgi?list_id=2876477;field0-0-0=resolution;resolution=FIXED;query_format=advanced;type0-0-0=changedafter;value0-0-0=2012.03.31;component=Security%20Assurance%3A%20Review%20Needed;product=mozilla.org = 10
- Number of Outstanding Reviews: 129
- https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-needed%2C%20;query_format=advanced;keywords_type=allwords;list_id=2876531;field0-0-0=product;type0-0-0=notequals;value0-0-0=mozilla.org;resolution=---;resolution=DUPLICATE = 55
- https://bugzilla.mozilla.org/buglist.cgi?list_id=2876491;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Needed;product=mozilla.org = 74
Project Updates
Please don't leave blank. Add "No Update" if nothing has changed
Silent updates (rforbes / dveditz)
- first part (windows service) shipped today
B2G (Paul Theriault)
- Reviews underway
- Thoughts? (edit or mail me) https://wiki.mozilla.org/Security/WebAPI/Web_Telephony
- B2G Work Week may 7-11 San Diego
- Still needing to push to get much involvement in reviews; ideas?
Thunderbird (Dan Veditz/Adam Muntner)
- handoff to Adam
- please let gkw know if any help is needed, gkw has been thunderbird-ing in the mozilla world for as long as he can remember. :)
Rust (Jesse Ruderman)
- I brought up an issue about null characters in strings: https://mail.mozilla.org/pipermail/rust-dev/2012-April/001743.html
- What's the alternative?
- When calling a C API, make a copy of the string where embedded nulls are changed to "replacement character" or "non-canonical null"?
- Use typestate to keep track of which strings might have embedded nulls?
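The embedded-NUL problem above, shown in code. This is an added example and not code from the meeting notes or from the Rust project; it uses today's `std::ffi` (`CString`, `CStr`, `NulError`), which the 2012-era Rust discussed here did not have, and the function names (`as_seen_by_c`, `to_c_string_strict`, `to_c_string_lossy`) and the sample input `"report.txt\0.exe"` are constructed for illustration. It shows what a C API sees when handed a Rust string with an interior NUL (everything after the NUL silently disappears, the classic filename/path truncation trick), the strict conversion that refuses such strings, and the first alternative from the list: copying the string with interior NULs swapped for U+FFFD REPLACEMENT CHARACTER.

```rust
use std::ffi::{CStr, CString, NulError};
use std::os::raw::c_char;

/// What a C API taking `const char *` would see if handed the raw bytes of
/// `s`: everything up to the first NUL byte.  Only valid on a string that
/// actually contains a NUL, otherwise the read would run past the buffer.
fn as_seen_by_c(s: &str) -> String {
    assert!(s.contains('\0'), "buffer must contain a NUL terminator");
    // SAFETY: `s` contains at least one NUL, so the read stops inside `s`.
    let c = unsafe { CStr::from_ptr(s.as_ptr() as *const c_char) };
    c.to_string_lossy().into_owned()
}

/// Strict conversion: refuse strings with embedded NULs.  The error carries
/// the byte offset of the offending NUL, which is worth logging.
fn to_c_string_strict(s: &str) -> Result<CString, NulError> {
    CString::new(s)
}

/// Lossy conversion (the "replacement character" alternative): copy the
/// string with every interior NUL replaced by U+FFFD, so nothing after the
/// NUL is silently dropped on the C side.  The trailing NUL that C needs is
/// added by `CString` itself.
fn to_c_string_lossy(s: &str) -> CString {
    let replaced: String = s
        .chars()
        .map(|ch| if ch == '\0' { '\u{FFFD}' } else { ch })
        .collect();
    CString::new(replaced).expect("no interior NUL left after replacement")
}

fn main() {
    // Constructed hostile input: a name that looks like a .txt to Rust code
    // but becomes "report.txt" once a C API stops at the NUL.
    let hostile = "report.txt\0.exe";
    println!("C sees:    {:?}", as_seen_by_c(hostile));
    match to_c_string_strict(hostile) {
        Ok(_) => println!("strict:    accepted"),
        Err(e) => println!("strict:    rejected, NUL at byte {}", e.nul_position()),
    }
    let safe = to_c_string_lossy(hostile);
    println!("lossy:     {:?} ({} bytes)", safe, safe.as_bytes().len());
}
```

The strict form is the right default at an FFI boundary: an interior NUL in data that is supposed to name a file, host or user is almost always an attack or a bug, and rejecting it keeps the Rust-side and C-side views of the value identical. The lossy form is for the cases where the caller would rather keep going than fail, and its value is that the full length survives, so a later length or equality check on the C side cannot be fooled by truncation.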
Mobile (David Chan)
Sync (David Chan & Yvan Boily)
Services (David Chan & Yvan Boily)
Social - Pancake (Mark Goodwin)
- Pancake is coming together nicely. Work is progressing on fixes to ES (some unforeseen issues on the policy stuff) and Neo4J. Some long standing gripes on encryption between servers are being addressed. I expect limited public release within the next fortnight.
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- [decoder] IonMonkey bugs have been all retriaged and marked security-sensitive if appropriate
- [decoder] Testing ESR10 now with LangFuzz to prepare for fuzzer release
DOM, XPConnect (Jesse Ruderman)
Layout, Style (Jesse Ruderman)
Graphics (Jesse Ruderman)
- Now fuzzing canvas - https://bugzilla.mozilla.org/show_bug.cgi?id=379903
- Only one security bug so far - https://bugzilla.mozilla.org/show_bug.cgi?id=746896
Automation Tools (Gary Kwong)
- We had a great work week last week in SF!
- Spoke about our updated security review process
- We still have stuff that dropped off the radar
- [decoder] Talked to jmaher, working together with him to realize ASan builds
Web Developer Tools (Mark Goodwin)
- Work is underway to move the Firebug HTTP Monitor into Firefox (to complement and, ultimately, replace the net stuff in HUDService) - it's early days yet, but we'd like a secreview session on this (probably within a month)
- read more here http://getfirebug.com/wiki/index.php/HTTP_Monitor
Networking (Media / Codecs)
- [cdiehl] fuzzing Opus - https://bugzilla.mozilla.org/show_bug.cgi?id=674225
- [cdiehl] improve state model of SPDY fuzzer and update data model to SPDY 3 - https://bugzilla.mozilla.org/show_bug.cgi?id=737470
Market (Raymond Forbes)
Firefox APIs (Raymond Forbes)
Payment Flow (Raymond Forbes)
Apps in the cloud (David Chan)
- server code has landed
- client code slipped from fx14 to fx15
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
BrowserID
- test day May 3rd
Identity Services (David Chan)
Addons.M.O (Raymond Forbes)
Bugzilla.M.O (Mark Goodwin & Eric Parker)
No update