Re: Firefox Security Team Newsletter Q3 17

2017-11-02 Thread Paul Theriault
For anyone who clicked the link and was confused, NOW the wiki has the
latest newsletter. Apologies for that.

https://wiki.mozilla.org/SecurityEngineering/Newsletter

On Thu, Nov 2, 2017 at 9:26 PM,  wrote:

> [ See formatted version here: https://wiki.mozilla.org/
> SecurityEngineering/Newsletter ]
>
> = Firefox Security Team Newsletter Q3 17 =
>
> Firefox Quantum is almost here, and contains several important security
> improvements. Improved sandboxing, web platform hardening, crypto
> performance improvements and much more. Read on to find out all the
> security goodness coming through the Firefox pipeline.
>
> - Sandbox work is seeing great progress. As of 57, Windows, Mac OS X, and
> Linux all have file system access restricted by the sandbox which is a
> major milestone reached. Further restrictions are enabled for Windows in
> Firefox 58.
>
> - Firefox 57 now treats data URLs as unique origins, reducing the risk of
> Cross-Site Scripting (XSS).
>
> - The Firefox Multi-Account Containers Add-on shipped, allowing users to
> juggle multiple identities in a single browsing session.
>
> - Increased AES-GCM performance in Firefox 56, and support for Curve25519
> in Firefox 57 (the first formally verified cryptographic algorithm in a web
> browser)
>
> - Experimental support for anti-phishing FIDO U2F “Security Key” USB
> devices landed behind a preference in Firefox 57. This feature is a
> forerunner to W3C Web Authentication, which will bring this anti-phishing
> technology to a wider market.
>
> - The privacy WebExtension API can now be used to control the
> privacy.resistFingerprinting preference and first party isolation
>
> = Team Highlights =
>
> = Security Engineering =
> == Crypto Engineering ==
> - AES-GCM performance is increased across the board, making large
> transfers more efficient in Firefox 56.
> - Our implementation of Curve25519 in Firefox 57 is the first formally
> verified cryptographic algorithm in a web browser.
> - Experimental support for anti-phishing FIDO U2F “Security Key” USB
> devices landed behind a preference in Firefox 57. This feature is a
> forerunner to W3C Web Authentication, which will bring this
> anti-phishing technology to a wider market.
>
> == Privacy and Content Security ==
> - The privacy WebExtension API can now be used to control the
> privacy.resistFingerprinting preference and first party isolation
> - Containers launched as an extension available from AMO
> - Containers have had a few improvements for web extensions:
> Containers now enabled when installing a contextual identity extension,
> Events to monitor container changes, Ability to get icon urls for
> containers along with hex colour codes, Cleaner APIs
> - Lightbeam was remade as a web extension.
> - Firefox 57 treats data URLs as unique origins, which mitigates the risk
> of XSS and makes Firefox standards-compliant and consistent with the
> behavior of other browsers.
> - Shipped version 4 of the Safe Browsing protocol.
>
> == Firefox and Tor Integration ==
> - Continue the Tor patch uplift work focusing on browser fingerprinting
> resistance
> - Landed 12 more anti-fingerprinting patches in 57
> - The MinGW build has landed in mozilla-central and is available in
> treeherder
>
> == Content Isolation ==
> - Various Windows content process security features enabled over the
> quarter including disabling of legacy extension points (56), image load
> policy improvements (57), increased restrictions on job objects (58), and
> finally we've enabled the alternate desktop feature in Nightly after
> battling various problems with anti-virus software interfering with child
> process startup.
> - The new 'default deny' read access policy for the Linux file access
> broker is now enabled by default for content processes and is rolling out
> in Firefox 57. The broker forwards content process file access requests to
> the parent process for approval, severely restricting what a compromised
> content process could do within the local file system.
> - Numerous access rules associated with file system, operating system
> services, and device access have been removed from the OSX content process
> sandbox. In terms of file system access, we've reached parity with Chrome's
> renderer. Remaining print server access will be removed in Q4, removal of
> graphics and audio access is currently in planning.
> - We continue to invest in cleaning up various areas of the code that have
> accumulated technical debt.
> - We’ve completed our research on the scope of enabling the Win32k System
> Call Disable Policy feature. This feature will isolate content processes
> from a large class of Win32k kernel APIs commonly used to gain sandbox
> escape and privilege escalation. Planning for this long term project is
> currently underway with work expected to commence in Q4.
> - As a result of the stability and process startup problems encountered
> due to 3rd party code injection, a new internal initiative has formed to
> bett

Security Principles for coding secure IPC

2017-10-30 Thread Paul Theriault
With tighter sandbox restrictions hitting release in 57, I thought it might
be a good time to provide some tips on writing IPC in a safe way. Our
sandbox is less effective if we punch holes in it through due to IPC bugs
or overly permissive APIs. This document highlights some of the common
issues we have come across during our work to audit Firefox IPC mechanisms
for sandboxing escapes. These types of bugs aren't very common, but the
anti-patterns that lead to these types of bugs fall into a few categories,
and hopefully this document will help you avoid them.

https://wiki.mozilla.org/Security/Sandbox/IPCguide

NB: these are general guidelines - often it's Not That Simple (tm). Help is
at hand - either my team, or the Content Isolation team (Jim Mathies) are
always interested to talk sandboxing.

Big thank you to Julian Hector for writing this, and to the Content
Isolation team and others for their input and review.

Feedback, corrections, suggestions all welcome.

Regards,

Paul Theriault
Firefox Security Assurance
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Firefox Security Team Newsletter Q2 2017

2017-08-08 Thread Paul Theriault
I posted this to dev-security already, but received suggestions to
bring our newsletter to dev-platform as well. I believe this list is
plaintext, so instead of pasting broken content, I'll encourage you to
read the online version here:
https://wiki.mozilla.org/SecurityEngineering/Newsletter

Or below for a text-only version (but it's better with links, I promise!)
Comments, suggestions and feedback all welcome.


= Firefox Security Team Newsletter Q2 17 =

Firefox 55 is out the door, so there’s time now to put together our
quarterly newsletter. In addition to the security changes which hit
release last week, a number of important security improvements have
landed over the last quarter:
* We’ve made significant improvements to our security sandbox, with
file system restrictions shipping for Windows and macOS on beta
(Firefox 56) and Linux on nightly (Firefox 57)
* Firefox 56 has a significant speedup for the most common
cryptographic algorithm used in secure websites, AES-GCM (an official
Mozilla blog post still to come).
* We have continued the Tor Uplift work and entered the second phase
to implement browser fingerprinting resistance starting from Firefox
55.

Read on for more highlights of the important work the Firefox security
team is doing to keep our users safe online.

= Team Highlights =
== Security Engineering ==
=== Crypto Engineering ===
* Firefox 56 has a significant speedup for the most common
cryptographic algorithm used in secure websites, AES-GCM (an official
Mozilla blog post still to come).
* A regression from e10s where CORS error messages weren’t logged
properly in the console is fixed in Firefox 56.

=== Privacy and Content Security ===
- We have continued the Tor Uplift work and entered the second phase
to implement browser fingerprinting resistance starting from Firefox
55.
- Converted hundreds of test cases to obey the origin inheritance
behavior for data: URIs in support of an important spec change. Intent
to ship in Firefox 57.
- Made significant performance improvement on security components in
support of Quantum Flow project.

=== Content Isolation ===
- Shipping file system user token restriction for Windows content in 56
- Shipping 3rd party legacy extension blocking for Windows content in 56
- Shipping file system read access restrictions for OSX content in 56
- Linux content sandboxing (“level 2”: write restrictions, some
syscalls, probably escapable) released in 54. Work to enable read
restrictions (enabled at time of writing in Nightly 56 targeting 57
rollout) also completed.

== Operations Security ==
- The security audit of Firefox Accounts performed by Cure53 last year
was publicly released.
- We completed the implementation of API Scanning with ZAP, to
automate vulnerability scanning of our services by leveraging OpenAPI
definitions.
- The signing of add-ons has been ported to the Autograph service,
where support for SHA-256 PKCS7 signatures will be added.
- TLS Observatory accelerated the loading of CT logs, with currently
~70M certificates recorded. It should reach 200M in Q3.

== Security Assurance ==
- New team created to focus on Firefox security assurance
- Working on adding security checks to our build tools to help our
developers avoid landing security bugs. First outcome of this project
was landing an ESLint plugin to prevent the unsafe usage of eval,
innerHTML etc. in Firefox.

== Cross-Team Initiatives ==
- The TLS Canary project has seen the feature release 3.1. NSS team is
working on treeherder integration.
- Common CA Database (CCADB) access has been granted to the rest of
the CAs in Microsoft’s root store (those that are also in Mozilla’s
root store already had CA Community licenses/access).

== Security Blog Posts & Presentations ==
https://blog.mozilla.org/security/2017/04/04/mozilla-releases-version-2-4-ca-certificate-policy/
(Kathleen)
https://blog.mozilla.org/security/2017/05/11/relaunching-web-bug-bounty-program/
(April from Enterprise Infosec)
https://blog.mozilla.org/security/2017/06/28/analysis-alexa-top-1m-sites/
(April from Enterprise Infosec)
https://blog.mozilla.org/security/2017/07/18/web-service-audits-firefox-accounts/
(Greg from Services Security)
Francois Marier gave a talk on security and privacy settings for
Firefox power users at LinuxFest Northwest.


Hardening the Firefox Sandbox

2016-12-01 Thread Paul Theriault
Hi all,

Security Engineering has started a project to harden Firefox against attack in 
a post-sandboxed world. It’s early days yet for sandboxing, but conscious of 
the work required, I wanted to raise sandboxing as a topic for discussion, and 
request input towards developing a sandbox security model.

The goal of the hardening project is to make Firefox resilient, even when a 
content process is compromised. Having a restrictive sandbox is not an 
effective security control, if a weak security model or IPC implementation 
flaws lead to privilege escalation. To this end, several efforts are underway:
- Auditing and Testing IPC mechanisms, including:
  - Improving fuzzers to focus on IPC bugs (1320851)
  - Auditing IPC mechanisms (IPDL 1041862, MessageManager 1040184)
- Reviewing Firefox components with respect to sandbox controls

In this latter task, I’ve started documenting the sandbox security model at [1] 
& [2].  [2] is very much a work in progress however. I’ve contacted some groups 
directly, but would appreciate any input here. Please seek me out via email, at 
the all hands (Firefox homeroom) and/or attend the combined session we are 
running with the Platform Integration team on Friday 1pm [3].

Thanks,
Paul


[1] https://wiki.mozilla.org/Security/Sandbox/Process_model
[2] https://wiki.mozilla.org/Security/Sandbox/Hardening
    WIP, please help!
[3] https://hawaiiallhands2016.sched.org/event/930G/securing-the-sandbox
 


Re: Enabling seccomp-bpf for content process on nightly Linux desktop

2016-07-05 Thread Paul Theriault

> On 6 Jul 2016, at 3:39 AM, Steve Fink  wrote:
> 
> On 07/05/2016 01:33 AM, Julian Hector wrote:
>> If you encounter a crash that may be due to seccomp, please file a bug in
>> bugzilla and block Bug 1280415, we use it to track issues experienced on
>> nightly.
> 
> What would such a crash look like? Do they boil down to some system call 
> returning EPERM?
> 


FYI for others since the reply was off-list: 
---
It is a crash of the content process, and somewhere in the logs you should find 
an entry similar to this:

"Sandbox: seccomp sandbox violation: pid 5154, syscall 355, args 2620711623 0 0 
0 3012860244 3077481872.  Killing process."

You could also check by setting: security.sandbox.content.level = 0 and see if 
the problem still exists.
---
There is also a wiki page with more information from b2g that has some 
information. 
https://wiki.mozilla.org/Security/Sandbox/Seccomp#Use_in_Gecko

We will update to make this Linux specific instead of b2g.

Thanks,
Paul
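To triage content-process crashes of the kind described in this reply, here is an added example (not from the thread and not Firefox's own code) that scans a log for the quoted "seccomp sandbox violation" entry and tallies the blocked syscall numbers per entry, so the number to report in the bug is obvious. The log text is constructed for the example; only the first entry is the one quoted above.

```python
import re
from collections import Counter

# Pattern of the content-process log entry quoted in the thread:
# "Sandbox: seccomp sandbox violation: pid N, syscall N, args ... .  Killing process."
VIOLATION_RE = re.compile(
    r"Sandbox: seccomp sandbox violation: pid (?P<pid>\d+), "
    r"syscall (?P<syscall>\d+), args (?P<args>[\d\s]+?)\.\s+Killing process\."
)

# Constructed sample log: the first entry is the one quoted in the reply,
# the second is made up to show aggregation across several crashes.
SAMPLE_LOG = """\
Sandbox: seccomp sandbox violation: pid 5154, syscall 355, args 2620711623 0 0 0 3012860244 3077481872.  Killing process.
[Child 5154] some unrelated log line
Sandbox: seccomp sandbox violation: pid 5201, syscall 355, args 1 2 3 4 5 6.  Killing process.
"""


def parse_violation(line):
    """Return {'pid', 'syscall', 'args'} for a violation entry, else None."""
    m = VIOLATION_RE.search(line)
    if not m:
        return None
    return {
        "pid": int(m.group("pid")),
        "syscall": int(m.group("syscall")),
        "args": [int(a) for a in m.group("args").split()],
    }


def summarize(log_text):
    """Count violation entries per syscall number across a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_violation(line)
        if entry is not None:
            counts[entry["syscall"]] += 1
    return counts


if __name__ == "__main__":
    for syscall, n in summarize(SAMPLE_LOG).most_common():
        print(f"syscall {syscall}: {n} violation(s)")
```

If the same crash disappears after setting security.sandbox.content.level = 0 (as the reply suggests), the syscall number reported here is the one to cite in the bug.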

