Security/Meetings/SecurityAssurance/2014-07-15
From MozillaWiki
< Security | Meetings | SecurityAssurance
- Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
- Place: Mozilla HQ, MTV 217 Star Trek
- Phone (US/Intl): 650 903 0800 x92 Conf: 95217#
- Phone (Toronto): 416 848 3114 x92 Conf: 95217#
- Phone (US): 800 707 2533 (pin 369) Conf: 95217#
Agenda
- [gkw] Demo of fuzzing Firefox OS
- Using marionette (not orangutan) to get more reliable testcases
- Launching random apps
- Even just testing non-debug builds, I'm finding issues where it stops; crashes; stuff in adb logs
- Was hoping to get ideas on how to detect security issues, e.g. seccomp violations
- [jesse] I've only found policy issues through assertions. Assertions rule.
- [gkw] This requires debug builds, which we don't have prebuilt versions of yet, not even on the Flame. Already spoke to :jgriffin on #ateam, need to file a bug / get a dev.b2g discussion going.
- [jesse] I've only found policy issues through assertions. Assertions rule.
- Can we get Valgrind or ASan on Firefox OS?
- Valgrind -- we've done something similar before https://github.com/mozilla-b2g/valgrind
- ASan -- https://code.google.com/p/address-sanitizer/wiki/Android
- ASan has lower overhead, which may be important on these devices :)
- Plus MSan, LSan in the future?
- [gkw] DOM fuzzing on Firefox OS?
- [jesse] I can enable some of the mobile APIs and settings (e.g. font-inflation) on desktop
- [gkw] Let me know if you want help fuzzing the real thing!
- [jesse] I can enable some of the mobile APIs and settings (e.g. font-inflation) on desktop
- Some fuzzing-related tools are starting to appear on our new Github account, https://github.com/MozillaSecurity/
- Some repos here are private
- http://googleonlinesecurity.blogspot.com/2014/07/announcing-project-zero.html is interesting
- Next week: appsec?