Security/Automation/Winter Of Security 2015: Difference between revisions

(Let's Encrypt project - Enable hardmode)
(Link to the sub-page for Let's Encrypt)
 
(10 intermediate revisions by 3 users not shown)
Line 7:
  Note on language: English is required for code comments and documentation, but not for interactions between students and advisers. Advisers who speak the same language as their students are encouraged to interact in that language.

- Contact us on [[IRC|irc.mozilla.org]] in the '''#mwos''' channel if you have questions.
+ Contact us on [[IRC|irc.mozilla.org]] in the '''#security''' channel if you have questions.

  == Selection process ==

Line 18:
  * links to relevant resources (university website, resumes, ...)

- '''UPDATE: Application to the 2015 edition of Mozilla Winter of Security is not open yet.'''
+ '''[https://docs.google.com/a/mozilla.com/forms/d/1xI_HySIHTQeAWmyUPmHiEfEe3aIK4NSL9BFFqrOXcxM/viewform Click here to access to application form]'''

  == Timeline ==

Line 35:
  [http://mig.mozilla.org Mozilla InvestiGator (MIG)] is a digital forensics platform used by Mozilla to monitor the security of servers. MIG deploys an agent on systems that is used to maintain the security of the infrastructure. The goal of this project is to add a log monitoring component to the MIG agent to continuously read the logs of a system and trigger alerts on specific patterns (string matching, repeated message within a sliding window, etc...). The log monitoring component must be built in the Go language and must support Linux, MacOS and Windows log analysis. Beyond basic log monitoring, a successful team will be encouraged to evaluate heuristic based threat detection, and how groups of agents can be used together to identify unusual behaviors.

- === Menagerie - a collection of tests and demos for security headers and TLS configurations ===
+ === MIG Agent sandboxing ===
+ * Mozilla Advisor: [https://mozillians.org/en-US/u/kang/ Guillaume Destuynder] and [https://mozillians.org/en-US/u/alm/ Aaron Meihm]
+ * Difficulty: high
+ * Language: english or french
+ [http://mig.mozilla.org Mozilla InvestiGator (MIG)] is a digital forensics platform used by Mozilla to monitor the security of servers. MIG deploys an agent on systems that is used to maintain the security of the infrastructure. The agent currently runs as root in order to run investigation modules that have low-level access to the system. The goal of this project is to sandbox the MIG Agent on Linux in a way that allows each part to perform investigative work while having as little privileges as possible. The team will have to use the [https://en.wikipedia.org/wiki/Seccomp Linux Seccomp] mechanism, and the existing [https://chromium.googlesource.com/chromiumos/platform/go-seccomp/+/master Go library], to implement a sandbox in the Agent. If possible, the team will also evaluate sandboxing on MacOS and Windows.
+
+ The ideal team will have proven experience in Golang and Linux systems architecture.
+
+ === Menagerie - a collection of tests and demos for security headers and TLS configurations ===
  * Mozilla Advisor: [https://mozillians.org/en-US/u/mgoodwin/ Mark Goodwin] and [https://mozillians.org/en-US/u/april/ April King]
  * Difficulty: Low

Line 45 (old) / Line 53 (new):
  ** CSP examples (good and bad)
  ** HSTS examples
- === ClearContainers ===
- * Mozilla Advisor: [https://mozillians.org/en-US/u/kang/ Guillaume Destuynder]
- * Difficulty: medium
- * Language: english or french
- Port clear containers for easy AWS deployment, dockerfile support (?):
- ** qemu "lite"
- ** qboot bios
- ** DAX / recent kernel
- Clear containers are light-vms with KVM/vt-x support, and shared memory area for disk io (via DAX)
- See also http://download.clearlinux.org/releases/

  === MozDef Virtual Reality Interface===

Line 65 (old) / Line 62 (new):
  === Mixed content scanning with OWASP ZAP===
  * Mozilla Advisor: [https://mozillians.org/en-US/u/psiinon/ Simon Bennetts] and [https://mozillians.org/en-US/u/jvehent/ Julien Vehent]
- * Difficulty: easy
+ * Difficulty: low
  * Language: English
  Mixed content is a major blocker in the adoption of HTTPS Everywhere. The goal of this project is to use [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project OWASP ZAP] to scan the internet and identify commonly important resources that do not support HTTPS. The team will then work with Mozilla to help move those resources under HTTPS, and thus fix mixed content issues for large amounts of sites.

- === Certificate Automation tooling for Let's Encrypt ===
+ === [https://wiki.mozilla.org/Security/Automation/Winter_Of_Security_2015/Certificate_Automation_tooling_for_Lets_Encrypt Certificate Automation tooling for Let's Encrypt] ===
  * Mozilla Advisor: [https://mozillians.org/en-US/u/jcjones/ J.C. Jones] and [https://mozillians.org/en-US/u/rbarnes/ Richard Barnes]
  * Difficulty: hard

Line 77 (old) / Line 74 (new):
  == FAQ ==

- * What is meant by "Presentation of the University program" in the application form?
+ === What is meant by "Presentation of the University program" in the application form? ===
- We would like to see what kind of degree your are currently pursuing (e.g. Bachelor of Science in Computer Science or Master of Science in IT Security, ..), as well as a description of the University itself. This is another data point that gives us more information about the applicants' chances to successfully complete a project.
+
+ We would like to see what kind of degree your are currently pursuing (e.g. Bachelor of Science in Computer Science or Master of Science in IT Security, ..), as well as a description of the university itself. This is another data point that gives us more information about the applicants' chances to successfully complete a project.
+
+ === Can students apply to multiple projects? ===

- * Can students apply to multiple projects?
  Yes. Students can apply to one or more projects. Students cannot apply twice for the same project, even if their team compositions varies.

- * What criteria will you use to select the candidates?
+ === What criteria will you use to select the candidates? ===

  The skills and passion of the team members are key points. The size of the team may play in the favor of applicants, but is not a requirement. A single candidate who can show a portfolio of successful projects will have the same chances as larger teams.
  Commitment from the University is a strong requirement. Students need to demonstrate that their professors support them, and will give them time to work on the projects. The ideal situation is for a team to pick a MWoS project as their final thesis, and work on the project for a full semester. Not all students will be able to do so, and we will evaluate all applications with the same level of scrutiny.

- * Can I still work on Mozilla projects if I am not selected for MWoS?
+ === Are multiple universities allowed to collaborate and have a single team? ===
+
+ Yes.
+
+ === Can I still work on Mozilla projects if I am not selected for MWoS? ===

  Yes! We continuously have projects that are available for students to grab! Take a look at the [[Security/Mentorship|Mentorship]] program, and reach out to us in the #security IRC channel if you are interested.
+ == Project pages ==
+ <splist
+ parent=
+ showparent=no
+ sort=asc
+ sortby=title
+ liststyle=ordered
+ showpath=no
+ kidsonly=no
+ />

  == Media ==
Latest revision as of 18:18, 13 October 2015

Winter Of Security 2015

The Winter of Security (MWoS) is Mozilla's program to involve students with security projects. Students who have to perform a semester project as part of their university curriculum can apply to one of the MWoS projects. Projects are guided by a Mozilla adviser and a university professor. Students are graded by their university, based on success criteria identified at the beginning of the project. Mozilla advisers allocate up to 2 hours each week to their students, typically on video-conference, to discuss progress and roadblocks.

Projects are focused on building security tools, and students are expected to write code which must be released as Open Source. Universities are free to specify their own requirements to projects, such as written reports. Mozilla does not influence the way grades are allocated, but advisers will provide any information professors need in order to grade their students.

Note on language: English is required for code comments and documentation, but not for interactions between students and advisers. Advisers who speak the same language as their students are encouraged to interact in that language.

Contact us on irc.mozilla.org in the #security channel if you have questions.

Selection process

Projects are assigned to groups of students. Groups are defined by the universities, and can be of any size between 1 and 4 students. The selection process is open to all students in undergraduate/license and graduate/master programs. A group applies to up to 3 projects by submitting an application that contains:

  • the names of the projects the team is applying to
  • team introduction and motivation (max 1000 characters)
  • presentation of the university program (max 500 characters)
  • short description of each team member (skills, interests, ...) (max 500 characters for each team member)
  • links to relevant resources (university website, resumes, ...)

Click here to access the application form

Timeline

We will be opening the program for applications on July 15th, closing the application process on August 15th, and announcing results on September 1st.

The students and their professor can decide on the timeline, and make sure that it fits well with other classes. Ideally, projects should not take more than 6 months from start to finish. Mozilla advisors will be available weekly on video (Vidyo, Google Hangout or Skype) to discuss progress and roadblocks, and provide help. Professors can set intermediary deadlines if needed, and have complete control over the grading of their students.

Student projects

MIG: Cross-platform log monitoring for threat detection

Mozilla InvestiGator (MIG) is a digital forensics platform used by Mozilla to monitor the security of servers. MIG deploys an agent on systems that is used to maintain the security of the infrastructure. The goal of this project is to add a log monitoring component to the MIG agent that continuously reads the logs of a system and triggers alerts on specific patterns (string matching, the same message repeated within a sliding window, etc.). The log monitoring component must be built in the Go language and must support Linux, MacOS and Windows log analysis. Beyond basic log monitoring, a successful team will be encouraged to evaluate heuristic-based threat detection, and how groups of agents can be used together to identify unusual behaviors.

MIG Agent sandboxing

Mozilla InvestiGator (MIG) is a digital forensics platform used by Mozilla to monitor the security of servers. MIG deploys an agent on systems that is used to maintain the security of the infrastructure. The agent currently runs as root in order to run investigation modules that have low-level access to the system. The goal of this project is to sandbox the MIG Agent on Linux in a way that allows each part to perform investigative work with as few privileges as possible. The team will have to use the Linux Seccomp mechanism, and the existing Go library, to implement a sandbox in the Agent. If possible, the team will also evaluate sandboxing on MacOS and Windows.

The ideal team will have proven experience in Golang and Linux systems architecture.

Menagerie - a collection of tests and demos for security headers and TLS configurations

There are (or have been) various websites designed to educate and provide examples of good and bad security header and TLS configurations (e.g. https://badssl.com/ and https://pinningtest.appspot.com/); it'd be great to have a collection of such examples in one place. Examples of things to include:

    • The stuff that badssl does
    • HPKP examples (good and bad - e.g. don't DoS yourself)
    • Maybe we can get a preloaded pin - talk to Google perhaps
    • CSP examples (good and bad)
    • HSTS examples
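An added example of the kind of check a "good and bad" CSP collection could be built around (example code, not part of Menagerie or of any Mozilla project): a small Go policy analyzer that flags the weaknesses a bad example would demonstrate. The two sample policies are constructed for this example.

```go
package main

import "strings"

// parseCSP splits a policy into lower-cased directive names and their source tokens.
func parseCSP(policy string) map[string][]string {
	d := map[string][]string{}
	for _, part := range strings.Split(policy, ";") {
		if f := strings.Fields(part); len(f) > 0 {
			name := strings.ToLower(f[0])
			d[name] = append(d[name], f[1:]...)
		}
	}
	return d
}

// CheckCSP lists the weaknesses a "bad" policy in the collection would show:
// inline or eval'd script, wildcard or scheme-only script sources, an
// unrestricted object-src, and no script-src/default-src at all.
func CheckCSP(policy string) (problems []string) {
	d := parseCSP(policy)
	_, hasDefault := d["default-src"]
	scripts, ok := d["script-src"]
	if !ok { // script-src falls back to default-src when absent
		scripts, ok = d["default-src"]
	}
	if !ok {
		return []string{"neither script-src nor default-src: scripts may load from anywhere"}
	}
	for _, s := range scripts {
		switch s = strings.ToLower(s); {
		case s == "'unsafe-inline'":
			problems = append(problems, "inline script allowed: an injected <script> or event handler still runs")
		case s == "'unsafe-eval'":
			problems = append(problems, "eval() and Function() allowed")
		case s == "*" || strings.HasSuffix(s, ":"):
			problems = append(problems, "wildcard or scheme-only script source: "+s)
		}
	}
	if _, ok := d["object-src"]; !ok && !hasDefault {
		problems = append(problems, "object-src unrestricted: plugin content can execute script")
	}
	return problems
}

// Constructed example policies (not from any real site): the weak one allows
// inline script and any https: origin; the strict one is nonce-based.
const (
	WeakCSP   = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
	StrictCSP = "default-src 'none'; script-src 'self' 'nonce-d2VhayBrZXk='; object-src 'none'; base-uri 'none'"
)
```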

MozDef Virtual Reality Interface

  • Mozilla Advisor: Jeff Bryner
  • Difficulty: medium
  • Language: English

The Mozilla Defense Platform is an open Security Information Event Management (SIEM) system with a unique 3D representation of threat actors that allows incident responders to perform interactive real-time defensive actions. Let's take it to the virtual world and create a VR interface to visualize threat actors, dig into what events/alerts they have created, categorize them and offer defensive actions against attackers in an immersive experience.

Mixed content scanning with OWASP ZAP

Mixed content is a major blocker in the adoption of HTTPS Everywhere. The goal of this project is to use OWASP ZAP to scan the internet and identify commonly important resources that do not support HTTPS. The team will then work with Mozilla to help move those resources under HTTPS, and thus fix mixed content issues for large numbers of sites.
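An added Go example (not code from OWASP ZAP or from this project) of the detection the scan above relies on: given the HTML of a page served over HTTPS, report the sub-resources it would fetch over plain http://, split into active content (script, style, frame, plugin), which browsers block, and passive content (image, media), which they display with a warning. The HTML sample is constructed, and the tag and attribute coverage is a simplification assumed for the example rather than a full HTML parse.

```go
package main

import (
	"regexp"
	"strings"
)

// Finding is one sub-resource that an HTTPS page would fetch over plain HTTP.
type Finding struct {
	Tag, URL string
	Active   bool // script/style/frame/plugin content is blocked by browsers; images and media are displayed
}

// subresource captures the tag name and the URL of the usual fetching attributes.
// Deliberately simple for the example: a <link> is treated as a stylesheet
// regardless of its rel attribute, and no HTML parsing is attempted.
var subresource = regexp.MustCompile(`(?i)<(script|img|iframe|link|audio|video|source|object)\b[^>]*?\s(?:src|href|data)\s*=\s*["']?([^"'\s>]+)`)

var activeTags = map[string]bool{"script": true, "iframe": true, "link": true, "object": true}

// FindMixedContent returns the http:// sub-resources referenced by html, which is
// assumed to be served from an https:// origin. Relative and protocol-relative
// ("//host/...") URLs inherit https and are therefore not reported.
func FindMixedContent(html string) (out []Finding) {
	for _, m := range subresource.FindAllStringSubmatch(html, -1) {
		tag, u := strings.ToLower(m[1]), m[2]
		if strings.HasPrefix(strings.ToLower(u), "http://") {
			out = append(out, Finding{tag, u, activeTags[tag]})
		}
	}
	return out
}

// CountMixed summarizes the findings as (active, passive).
func CountMixed(html string) (active, passive int) {
	for _, f := range FindMixedContent(html) {
		if f.Active {
			active++
		} else {
			passive++
		}
	}
	return active, passive
}

// SamplePage is a constructed HTML fragment (not a real site) that mixes
// https, protocol-relative, relative and plain-http references.
const SamplePage = `<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
<script src='http://analytics.example.test/track.js'></script>
</head><body>
<img src="//cdn.example.test/logo.png">
<img src=http://img.example.test/banner.jpg alt="banner">
<iframe src="/embed/local"></iframe>
</body></html>`
```

On the sample page this reports two active findings (the stylesheet and the tracking script) and one passive finding (the banner image); the https, protocol-relative and relative references are left alone.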

Certificate Automation tooling for Let's Encrypt

Let's Encrypt is a certificate authority that aims to streamline the issuance and management of X.509 certificates, the authentication mechanism behind Transport Layer Security (TLS). Today, Let's Encrypt provides a tool that manipulates server configuration files to enable TLS. This project is to write a module or patch for a popular web server so that it natively speaks the ACME protocol for certificate management. For example, the team could produce an Apache module (mod_acme) that handles certificate issuance and renewal automatically, with the eventual goal of being included in Apache distributions by default.

FAQ

What is meant by "Presentation of the University program" in the application form?

We would like to see what kind of degree you are currently pursuing (e.g. Bachelor of Science in Computer Science or Master of Science in IT Security, ...), as well as a description of the university itself. This is another data point that gives us more information about the applicants' chances to successfully complete a project.

Can students apply to multiple projects?

Yes. Students can apply to one or more projects. Students cannot apply twice for the same project, even if their team composition varies.

What criteria will you use to select the candidates?

The skills and passion of the team members are key points. The size of the team may play in favor of applicants, but is not a requirement. A single candidate who can show a portfolio of successful projects will have the same chances as larger teams.

Commitment from the university is a strong requirement. Students need to demonstrate that their professors support them, and will give them time to work on the projects. The ideal situation is for a team to pick a MWoS project as their final thesis, and work on the project for a full semester. Not all students will be able to do so, and we will evaluate all applications with the same level of scrutiny.

Are multiple universities allowed to collaborate and have a single team?

Yes.

Can I still work on Mozilla projects if I am not selected for MWoS?

Yes! We continuously have projects that are available for students to grab! Take a look at the Mentorship program, and reach out to us in the #security IRC channel if you are interested.

Project pages


Media