On Fri, Nov 27, 2015 at 10:50 AM, Gavin Sharp <[email protected]> wrote:
> On Fri, Nov 27, 2015 at 7:16 AM, Gervase Markham <[email protected]> wrote: > > But the thing is, members of our security group are now piling into the > > bug pointing out that trying to find malicious JS code by static code > > review is literally _impossible_ (and perhaps hinting that they'd have > > said so much earlier if someone had asked them). > > No, that's not right. There's an important distinction between > "finding malicious JS code" and "finding _all_ malicious JS code". The > latter is impossible, but the former isn't. > Note that malicious code here might look like this: console.log("success"); It's impossible to tell by looking at the code whether that line prints a success message on the console, or something entirely different, such as running calc.exe. A better framing for the problem is "finding some arbitrary instances of malicious JS code" vs "finding malicious JS code". My point in the bug and in the discussions prior to that was that a static checker can only do the former, and as such, if the goal of the validator is finding malicious code, its effectiveness is bound to be a lint tool at best. > Proving "the validator won't catch everything" isn't particularly > relevant when it isn't intended to, in the overall add-on signing > system design. > The specific problem here is that we allow automatic signing of extensions once they pass the add-on validator checks, and we allow our users to run signed extensions without any other checks. Therefore, the current system is vulnerable to attacks such as what Dan's PoC extension has demonstrated. No matter what the overall system design is and what the intended purpose of the validator is, the concrete issue here is the vulnerability above. I admit that I don't have a great understanding of the goals and design of the add-on signing process (even though I have tried hard to understand it by looking at the public info we've published), but we cannot dismiss this vulnerability because the validator is intended to do something different. Cheers, -- Ehsan _______________________________________________ dev-platform mailing list [email protected] https://lists.mozilla.org/listinfo/dev-platform
