Security/Reviews/Balrog

From MozillaWiki

Item Reviewed

Balrog
Target: https://wiki.mozilla.org/Balrog

Full Query:

ID      Summary                                                                        Priority  Status
832454  tracking bug for getting Firefox's "nightly" channel updating through balrog   --        RESOLVED
832462  SecReview: balrog                                                              --        RESOLVED

2 Total; 0 Open (0%); 2 Resolved (100%); 0 Verified (0%)


Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

Balrog is a rewrite of AUS, which provides application updates to Firefox and other Mozilla products. Its code lives in a GitHub repository.

The Firefox client makes a request to the AUS service with 8-9 parameters (eg /update/3/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml)

  • Current system: AUS
    • Serves updates to Firefox, Thunderbird, Fennec
    • Firefox client makes a request to the AUS service with 8-9 parameters (eg /update/3/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml)
      • backend attempts to match a snippet file against the parameters
      • if a file is found, the XML version is returned
    • Lots of snippet files
    • PHP based
  • database-backed update server
    • internal LDAP-protected server
    • db layer keeps audit logs
  • all backend changes, no changes to client update code
  • minimal ACLs
    • admin app talks to other servers
  • SeaMonkey may be re-added in the future
  • Target Nightly for now
    • currently takes about 30 min to push a new beta build (with text files)
    • this would decrease to a single API call taking a few seconds to update them all
  • Q2 goal for live in nightly channel
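As an added example (not code from this page or from the Balrog project), a strict parser for the request path shown above, written the way a public node could validate the nine parameters before matching them against a snippet or database record. The field names, the per-field character patterns and the path length limit are assumptions for the example.

```python
import re
from urllib.parse import unquote

# Field order of the 9-parameter request path shown above.
UPDATE_FIELDS = (
    "product", "version", "build_id", "build_target", "locale",
    "channel", "os_version", "distribution", "distribution_version",
)

# Per-field allowlists. These are assumptions for the example, not Balrog's
# own rules: each admits only the characters that field needs.
FIELD_PATTERNS = {
    "product": re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,63}"),
    "version": re.compile(r"[0-9]+(\.[0-9]+)*([ab][0-9]+|pre|esr)?"),
    "build_id": re.compile(r"[0-9]{8,14}"),
    "build_target": re.compile(r"[A-Za-z0-9_.-]{1,64}"),
    "locale": re.compile(r"[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})?"),
    "channel": re.compile(r"[A-Za-z0-9_-]{1,64}"),
    "os_version": re.compile(r"[A-Za-z0-9 _.():+-]{1,128}"),
    "distribution": re.compile(r"[A-Za-z0-9_.-]{1,64}"),
    "distribution_version": re.compile(r"[A-Za-z0-9_.-]{1,64}"),
}
MAX_PATH_LEN = 1024  # assumed limit; real requests are far shorter


def parse_update_request(path):
    """Parse /update/3/<nine fields>/update.xml into a dict of fields.

    Returns None when the request must be rejected. Each field is
    percent-decoded exactly once and then matched against its allowlist,
    so nothing containing '/', '..' or control characters can reach the
    snippet/database lookup that follows.
    """
    if len(path) > MAX_PATH_LEN:
        return None
    parts = path.split("/")
    # '' before the leading '/', 'update', '3', nine fields, 'update.xml'
    if len(parts) != 13 or parts[:3] != ["", "update", "3"] or parts[-1] != "update.xml":
        return None
    fields = {}
    for name, raw in zip(UPDATE_FIELDS, parts[3:-1]):
        value = unquote(raw)
        # A '%' that survives one decode means double encoding: reject it.
        if "%" in value or not FIELD_PATTERNS[name].fullmatch(value):
            return None
        fields[name] = value
    return fields
```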

What solutions/approaches were considered other than the proposed solution?

The current solution uses a large number of snippet files which are matched against the request parameters. If a file is matched, the XML version is returned. There are now a very large number of snippet files, which are very difficult to maintain across multiple products when they have integrated parts; it can take 30 mins to publish a new build.

Why was this solution chosen?

Simple and effective.

Any security threats already considered in the design and why?

Files are checked as a validity test rather than a security one. All access to the Admin nodes is via HTTPS with LDAP credentials. The admin actions are logged. Public nodes are as efficient as possible for scalability, which also helps protect against DoS.

Threat Brainstorming

A compromised admin account could be used to upload a JSON blob which points to malware. An attacker could intercept the binary request and serve malware on an untrusted network. An attacker could discover a request that consumes a significant amount of processing power on the Public nodes, which could enable a DoS attack.


Action Items

Action Item Status: In Progress
Release Target: Q2 goal for live in nightly channel

Action Items
  • bhearsum :: Are MAR signatures checked on all platforms? Only on windows, but hashes checked on all platforms
  • releng :: whitelisting URLs that we point to
  • releng :: notifications upon human addition (maybe change too?) of a release
  • bhearsum :: db dump w/ instructions on how to use
  • psiinon :: pentest admin UI
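An added example, not Balrog's own code, of the two checks the threat brainstorming and the action items point at: an admin-side allowlist on the URLs a release blob points to, and the client-side size and hash check on the downloaded MAR. The blob field names (hashFunction, files, fileUrl, hashValue, filesize) and the allowlisted hosts are assumptions for the example.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed allowlist for the example; the real one belongs in the admin app's config.
ALLOWED_DOWNLOAD_HOSTS = {"download.mozilla.org", "ftp.mozilla.org"}
ALLOWED_HASH_FUNCTIONS = {"sha256", "sha512"}
HEX = set("0123456789abcdef")


def validate_release_blob(blob, allowed_hosts=ALLOWED_DOWNLOAD_HOSTS):
    """Return the list of problems in an uploaded release blob ([] = accept).

    Assumed blob shape (not Balrog's own schema):
      {"hashFunction": "sha256",
       "files": [{"fileUrl": ..., "hashValue": ..., "filesize": ...}, ...]}
    """
    problems = []
    hash_fn = str(blob.get("hashFunction", "")).lower()
    if hash_fn not in ALLOWED_HASH_FUNCTIONS:
        problems.append("unsupported hashFunction %r" % hash_fn)
    for entry in blob.get("files", []):
        url = str(entry.get("fileUrl", ""))
        u = urlsplit(url)
        # The threat is a compromised admin account pointing clients at an
        # attacker-controlled server: require https, an allowlisted host and
        # no userinfo tricks such as https://download.mozilla.org@other-host/...
        if u.scheme != "https" or u.hostname not in allowed_hosts or u.username:
            problems.append("fileUrl not on allowlist: %s" % url)
        digest = str(entry.get("hashValue", "")).lower()
        want = hashlib.new(hash_fn).digest_size * 2 if hash_fn in ALLOWED_HASH_FUNCTIONS else -1
        if len(digest) != want or not set(digest) <= HEX:
            problems.append("malformed hashValue for %s" % url)
        size = entry.get("filesize")
        if not isinstance(size, int) or isinstance(size, bool) or size <= 0:
            problems.append("bad filesize for %s" % url)
    return problems


def blob_entry_for(mar_bytes, url, hash_fn):
    """Build the file entry the admin would publish for a given MAR."""
    return {"fileUrl": url, "filesize": len(mar_bytes),
            "hashValue": hashlib.new(hash_fn, mar_bytes).hexdigest()}


def mar_matches_blob(mar_bytes, entry, hash_fn):
    """Client-side check (hashes checked on all platforms): size and digest must match."""
    if len(mar_bytes) != entry["filesize"]:
        return False
    return hashlib.new(hash_fn, mar_bytes).hexdigest() == entry["hashValue"].lower()
```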