Security/Meetings/SecurityAssurance/2014-07-15


Agenda

  • [gkw] Demo of fuzzing Firefox OS
    • Using marionette (not orangutan) to get more reliable testcases
    • Launching random apps
    • Even just testing non-debug builds, I'm finding issues where it stops; crashes; stuff in adb logs
    • Was hoping to get ideas on how to detect security issues, e.g. seccomp violations
      • [jesse] I've only found policy issues through assertions. Assertions rule.
        • [gkw] This requires debug builds, which we don't have prebuilt versions of yet, not even on the Flame. Already spoke to :jgriffin on #ateam, need to file a bug / get a dev.b2g discussion going.
  • Can we get Valgrind or ASan on Firefox OS?
  • [gkw] DOM fuzzing on Firefox OS?
    • [jesse] I can enable some of the mobile APIs and settings (e.g. font-inflation) on desktop
      • [gkw] Let me know if you want help fuzzing the real thing!
  • Some fuzzing-related tools are starting to appear on our new GitHub account, https://github.com/MozillaSecurity/
    • Some repos here are private
  • http://googleonlinesecurity.blogspot.com/2014/07/announcing-project-zero.html is interesting
  • Next week: appsec?

Team Updates (Silent)

Firefox Desktop

Firefox Mobile

Firefox OS

Firefox Core

MarketPlace

Web Apps

Services

Operations Security