Security/Meetings/SecurityAssurance/2012-03-13: Difference between revisions
< Security | Meetings | SecurityAssurance
Jump to navigation
Jump to search
(Created page with "<!-- Maybe don't screw with these links unless you've read this blog post: http://blog.johnath.com/2011/01/20/automatic-date-links-in-mediawiki/ Just copy them to new pages and i...") |
(→Agenda) |
||
Line 10: | Line 10: | ||
=Agenda= | =Agenda= | ||
* Goals - 2 weeks left | |||
* Q2 Goals | |||
* Team | |||
* Bugzilla Security Mail - https://wiki.mozilla.org/Security/Security_Bugs/EncryptedBugmail | |||
* Pwn2Own Update | |||
* Status updates (cutisk) | |||
** https://wiki.mozilla.org/Security/Radar#Action_Items_from_Security_Review_Meetings (database error? it's a feature) | |||
** https://wiki.mozilla.org/Security/Radar#Individually_Assigned_Reviews_.2F_tasks | |||
* Static Analysis | |||
** https://security.etherpad.mozilla.org/Static-Analyzers (add stuff to it) | |||
* Tag Merger update (curtisk) | |||
* SecReview form update | |||
= Second half = | |||
* [decoder] ASan as a nightly and/or for hardened environments | |||
* B2G permissions model (dchan, want to chat?) | |||
=Project Updates Below= | |||
==B2G== | |||
** Discussions on the Permissions Model ongoing | |||
** Developer Phone release 4/1/12 [https://wiki.mozilla.org/B2G/Schedule_Roadmap] | |||
** Q1 Goals - complete review for developer phone | |||
*** Dependant on B2G hitting this milestone (currently 5/40 features are "done".) | |||
*** https://wiki.mozilla.org/B2G/Schedule_Roadmap | |||
** Q2 Goals - product phone aiming for release by end of Q2 so: | |||
*** Complete all necessary security reviews | |||
*** Complete documentation of B2G security architecture (is this something we are responsible for? I guess not, but I think we want to be involved) | |||
*** Develop B2G fuzzing platform? | |||
==Automation Tools== | |||
** Debate on whether Marionette should land on Gecko between devs and code reviewers in {{bug|712643}}. | |||
==Fuzzing== | |||
** [gkw, decoder] m-c, IonMonkey fuzzing continuously underway | |||
*** decoder has a lot of asserts, gkw a lot of hard-to-reproduce-by-IM-devs GC bugs, Jesse a lot of general bugs | |||
** [decoder] Continue mobile fuzzing goal from Q1 | |||
*** In Q2: Deploy fuzzers compatible with ADBFuzz developed in Q1 (e.g. jsfunfuzz, domfuzz) | |||
**** Involves getting necessary hardware and process in place | |||
** In Q2: Move fuzzers to Releng hardware. jsfunfuzz harness migration underway. | |||
*** Non-mobile hardware already in-place. | |||
*** [gkw] Needed if we are to release funfuzz in April | |||
**** why? | |||
**** I wouldn't want to release old code from literally years ago only to overhaul them as they get released. Makes documentation easier (documenting the new code) as well. | |||
** I'd like if releng committed to fixing https://bugzilla.mozilla.org/show_bug.cgi?id=628573 ;) | |||
*** They rank it P3. | |||
** [gkw] Several Valgrind blockers for Mac OS X Snow Leopard & Lion fixed by sewardj | |||
** [jesse] tweaking jsfunfuzz to find bugs like our pwn2own bug https://bugzilla.mozilla.org/show_bug.cgi?id=720079 | |||
==ASan== | |||
* http://blog.mozilla.com/decoder/2012/01/27/trying-new-code-analysis-techniques/ | |||
* Q2 goal related to ASan (???) | |||
** Builds from Releng | |||
** Get regular testing of Firefox setup | |||
** Integrate with our crash reporting so we can receive ASan crash reports once we decide to have more people testing ASan builds (e.g. a special nightly). | |||
* ASan builds as a "hardened Firefox" for paranoid users? |
Revision as of 21:43, 13 March 2012
- Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- Goals - 2 weeks left
- Q2 Goals
- Team
- Bugzilla Security Mail - https://wiki.mozilla.org/Security/Security_Bugs/EncryptedBugmail
- Pwn2Own Update
- Status updates (cutisk)
- Static Analysis
- https://security.etherpad.mozilla.org/Static-Analyzers (add stuff to it)
- Tag Merger update (curtisk)
- SecReview form update
Second half
- [decoder] ASan as a nightly and/or for hardened environments
- B2G permissions model (dchan, want to chat?)
Project Updates Below
B2G
- Discussions on the Permissions Model ongoing
- Developer Phone release 4/1/12 [1]
- Q1 Goals - complete review for developer phone
- Dependant on B2G hitting this milestone (currently 5/40 features are "done".)
- https://wiki.mozilla.org/B2G/Schedule_Roadmap
- Q2 Goals - product phone aiming for release by end of Q2 so:
- Complete all necessary security reviews
- Complete documentation of B2G security architecture (is this something we are responsible for? I guess not, but I think we want to be involved)
- Develop B2G fuzzing platform?
Automation Tools
- Debate on whether Marionette should land on Gecko between devs and code reviewers in bug 712643.
Fuzzing
- [gkw, decoder] m-c, IonMonkey fuzzing continuously underway
- decoder has a lot of asserts, gkw a lot of hard-to-reproduce-by-IM-devs GC bugs, Jesse a lot of general bugs
- [decoder] Continue mobile fuzzing goal from Q1
- In Q2: Deploy fuzzers compatible with ADBFuzz developed in Q1 (e.g. jsfunfuzz, domfuzz)
- Involves getting necessary hardware and process in place
- In Q2: Deploy fuzzers compatible with ADBFuzz developed in Q1 (e.g. jsfunfuzz, domfuzz)
- In Q2: Move fuzzers to Releng hardware. jsfunfuzz harness migration underway.
- Non-mobile hardware already in-place.
- [gkw] Needed if we are to release funfuzz in April
- why?
- I wouldn't want to release old code from literally years ago only to overhaul them as they get released. Makes documentation easier (documenting the new code) as well.
- I'd like if releng committed to fixing https://bugzilla.mozilla.org/show_bug.cgi?id=628573 ;)
- They rank it P3.
- [gkw] Several Valgrind blockers for Mac OS X Snow Leopard & Lion fixed by sewardj
- [jesse] tweaking jsfunfuzz to find bugs like our pwn2own bug https://bugzilla.mozilla.org/show_bug.cgi?id=720079
- [gkw, decoder] m-c, IonMonkey fuzzing continuously underway
ASan
- http://blog.mozilla.com/decoder/2012/01/27/trying-new-code-analysis-techniques/
- Q2 goal related to ASan (???)
- Builds from Releng
- Get regular testing of Firefox setup
- Integrate with our crash reporting so we can receive ASan crash reports once we decide to have more people testing ASan builds (e.g. a special nightly).
- ASan builds as a "hardened Firefox" for paranoid users?