Security/Reviews/Balrog: Difference between revisions

Item Reviewed

{{#set:SecReview name=Balrog |SecReview target=https://wiki.mozilla.org/Balrog }}

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

Balrog is rewrite of AUS, which provides application updates to Firefox and other Mozilla products. Its code lives in a github repository.

Firefox client makes request to AUS service with 8-9 paremeters (eg /update/3/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml)

• Current system AUS
  • Serves updates to Firefox, Thunderbird, Fennec
  • Firefox client makes request to AUS service with 8-9 paremeters (eg

/update/3/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml)

• • • backend attempts to match a snippet file against parameters
    • if file is found, XML version is returned
  • Lots of snippet files
  • PHP based
• database backed update server
  • internal LDAP protected server
  • db layer keeps audit logs
• all backend changes, no changes to client update code
• minimal ACLs
  • admin app talks to other servers
• seamonkey may be re-added in the future
• Target Nightly for now
  • currently takes about 30 min to push a new beta build (with text files)
  • this would decreast to a single API call for a a few seconds to update them all
• Q2 goal for live in nightly channel

What solutions/approaches were considered other than the proposed solution?

The current solution uses a large number of snippet files which are matched against the parameters. If a file is matched then the XML version is returned. There are now a very large number of snippet files which are very difficult to maintain for multiple products when they have integrated parts - it can take 30 mins to publish a new build.

Why was this solution chosen?

Simple and effective.

Any security threats already considered in the design and why?

Files are checked as a validity test rather than a security one. All access to the Admin nodes is via HTTPS with LDAP credentials. The admin actions are logged. Public nodes are as efficient as possible for scalability which also helps protect against DOS.

Threat Brainstorming

A compromised admin account could be used to upload a JSON blob which points to malware. An attacker could intercept the binary request and serve malware on an untrusted network. An attacker could discover a request that consumes a significant amount of processing power on the Public nodes which could enable a DOS attack. {{#set: SecReview feature goal=Balrog is rewrite of AUS, which provides application updates to Firefox and other Mozilla products. Its code lives in a github repository.

Firefox client makes request to AUS service with 8-9 paremeters (eg /update/3/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml)

• Current system AUS
  • Serves updates to Firefox, Thunderbird, Fennec
  • Firefox client makes request to AUS service with 8-9 paremeters (eg

/update/3/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml)

• • • backend attempts to match a snippet file against parameters
    • if file is found, XML version is returned
  • Lots of snippet files
  • PHP based
• database backed update server
  • internal LDAP protected server
  • db layer keeps audit logs
• all backend changes, no changes to client update code
• minimal ACLs
  • admin app talks to other servers
• seamonkey may be re-added in the future
• Target Nightly for now
  • currently takes about 30 min to push a new beta build (with text files)
  • this would decreast to a single API call for a a few seconds to update them all
• Q2 goal for live in nightly channel

|SecReview alt solutions=The current solution uses a large number of snippet files which are matched against the parameters. If a file is matched then the XML version is returned. There are now a very large number of snippet files which are very difficult to maintain for multiple products when they have integrated parts - it can take 30 mins to publish a new build. |SecReview solution chosen=Simple and effective. |SecReview threats considered=Files are checked as a validity test rather than a security one. All access to the Admin nodes is via HTTPS with LDAP credentials. The admin actions are logged. Public nodes are as efficient as possible for scalability which also helps protect against DOS. |SecReview threat brainstorming=A compromised admin account could be used to upload a JSON blob which points to malware. An attacker could intercept the binary request and serve malware on an untrusted network. An attacker could discover a request that consumes a significant amount of processing power on the Public nodes which could enable a DOS attack. }}

Action Items

{{#set:|SecReview action item status=In Progress

|Feature version=Q2 goal for live in nightly channel |SecReview action items=* bhearsum :: Are MAR signatures checked on all platforms? Only on windows, but hashes checked on all platforms

• releng :: whitelisting URLs that we point to
• releng :: notifications upon human addition (maybe change too?) of a release
• bhearsum :: db dump w/ instructions on how to use
• psiinon :: pentest admin UI

}} Links:

• https://bugzilla.mozilla.org/show_bug.cgi?id=832462 Balrog SecReview bug
• https://bugzilla.mozilla.org/show_bug.cgi?id=832454 Tracking bug for getting Firefox's "nightly" channel updating through balrog