Security/Reviews/FxOSGecko/Template: Difference between revisions

From MozillaWiki
(Created page with "== Overview == === FirefoxOS Review Details === * API: XXXXX API * Review Date: October 2013 * Review Lead: L.E. Taccor === Context === * Why are we doing a review * Has it b...")
 
No edit summary
 
(6 intermediate revisions by the same user not shown)
Line 41: Line 41:
* Discuss where permissions are enforced (access to object, on IPC messages, at each function call etc)
* Discuss where permissions are enforced (access to object, on IPC messages, at each function call etc)


"wifi-manage": {
  "wifi-manage": {
190                              app: DENY_ACTION,
  190                              app: DENY_ACTION,
191                              privileged: DENY_ACTION,
  191                              privileged: DENY_ACTION,
192                              certified: ALLOW_ACTION
  192                              certified: ALLOW_ACTION
193                            },
  193                            },


== Review Notes==
== Review Notes==
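Review bot: The pasted "wifi-manage" entry under the Permission Model bullets carries the source listing's line numbers (190 to 193) in front of each property, so it is not a clean copy of the table entry and the numbers will go stale as the file changes. Paste the entry without them, as a preformatted block. Since this page is a template that uses XXXXX for the API name, consider marking the permission name as a placeholder too, so reviewers replace it rather than leave the Wi-Fi example in place.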
Line 55: Line 55:


== Security Risks & Mitigating Controls ==
== Security Risks & Mitigating Controls ==
* At a minimum, something like [[/Security/Reviews/B2G/WebNFC#Security_Risks_.26_Mitigating_Controls| Web NFC discussion]]
* Maybe more in-depth if needed e.g.[[/Security/Reviews/Identity/browserid#Threat_Model BrowserID (persona) ]]


== Actions & Recommendations==
* List of recommendations, and corresponding bug numbers
* For sensitive bugs, just put bug number (or omit entirely maybe it is really dangerous & obvious)


== Actions & Recommendations==




[[Category:SecReview]]
[[Category:SecReview]]
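Review bot: In the Security Risks & Mitigating Controls list, the BrowserID link has no pipe between target and label (`[[/Security/Reviews/Identity/browserid#Threat_Model BrowserID (persona) ]]`), unlike the Web NFC link on the line above, so the label text is read as part of the link target. Add the `|` separator and a space after "e.g.". The "== Actions & Recommendations==" heading also appears twice in this view, once with its bullets and once empty; check that only one copy remains in the saved page.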

Latest revision as of 05:12, 26 September 2014

Overview

FirefoxOS Review Details

  • API: XXXXX API
  • Review Date: October 2013
  • Review Lead: L.E. Taccor

Context

  • Why are we doing a review
  • Has it been reviewed before
  • Any special risks or concerns

Scope

  • What parts of Gaia, Gecko and/or Gonk are we looking at.

The following system components were reviewed:

  • Gaia

Configuration of Wifi via the settings (and other Apps)

  • Gaia
    • Foo app
    • Web Activities provided by Bar app
  • Gecko
    • mozXXX interface
    • Gecko Permissions
    • Messaging (messages, system messages)
    • Interface to XYZ service on IPC socket (JSON-based communication protocol)
  • Gonk
    • XYZ Service

The following items were deemed lower risk and not reviewed:

  • Communication between XYZ and hardware
  • etc etc

Components

See Web NFC review for example

Relevant Source Code

Permission Model

  • Paste from PermissionsTable.jsm (see below)
  • Discuss anything special like access
  • Discuss where permissions are enforced (access to object, on IPC messages, at each function call etc)

 "wifi-manage": {
   app: DENY_ACTION,
   privileged: DENY_ACTION,
   certified: ALLOW_ACTION
 },

Review Notes

1. Content/Chrome Segregation

2. Process Segregation

3. Data validation & Sanitization

4. Denial of Service

Security Risks & Mitigating Controls

Actions & Recommendations

  • List of recommendations, and corresponding bug numbers
  • For sensitive bugs, just put the bug number (or omit it entirely if it is really dangerous & obvious)