QA/Firefox3.6/TestPlan:DLL Blocklisting
DLL Blocklisting
- Development Status: In progress (date)
- Feature Testing: In progress (date)
- Team: - vlad (dev), bsmedberg (dev), tchung (QA), hskupin (QA), juanb
Overview
Dangerous DLLs have found their way into the application directory and have been causing crashes. The solution is to blacklist any DLLs that are not expected to run with Firefox. Malware DLLs should not load, and they should be displayed on the add-on blocklist site.
The second part is to whitelist any accepted components in the applications directory.
Things We Test
List the tests we have where applicable:
- Unit tests
- Follow-up on test results on Tinderboxen
- Manual Tests (RESULTS)
- Blocklist DLL
- Pre-Requisites
- Download and extract the prepared files
- You always have to delete the compreg.dat file from your profile between each test
- Tests for blocking a special version of a DLL
- Extract the Namoroka build
- Copy the files under gdsv4 and the components.list into the components folder
- Start Firefox and check that GoogleDesktopMozilla.dll hasn't been loaded
- Copy the files under gdsv5 into the components folder
- Start Firefox and check that GoogleDesktopMozilla.dll has been loaded
- Tests for blocking all versions of a DLL
- Extract the Namoroka build (w/o whitelist)
- Copy the files under gdsv4 into the components folder
- Start Firefox and check that GoogleDesktopMozilla.dll hasn't been loaded
- Copy the files under gdsv5 into the components folder
- Start Firefox and check that GoogleDesktopMozilla.dll hasn't been loaded
- Test with a real extension / software
- Pre-Requisites
- Components directory lockdown
- Pre-Requisites
- Download and extract the prepared files
- You always have to delete the compreg.dat file from your profile between each test
- Check that only white-listed modules are loaded
- Place a library (.dll, .so, .dylib) into the components folder and check with the Process Monitor that the library hasn't been loaded
- Remove 'nsExtensionManager.js' from the components.list and check that Firefox doesn't start anymore
- Check that hard-blocked modules will not be white-listed
- See the "Tests for blocking a special version of a DLL" above
- Check that the DLL does not exist in the profile's compreg.dat
- Check against other software which store modules under the components folder
- We need a list
- Pre-Requisites
- Update Checks
- Add hard-blocked modules to the Components directory for Fx3.0 and Fx3.5
- Check that software updates (partial/complete) replace the contents of components.list
- Does not work at the moment due to bug 528623
- Check minor updates from 3.5 -> 3.6
- Check major updates from 3.0 -> 3.6
- Blocklist DLL
- Litmus Tests
- Check basic test, which is part of the browser for testing purposes.
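The on-disk part of the "Components directory lockdown" checks can be scripted. The helper below is an added example, not part of the original test plan or of Firefox: it lists binary libraries in the components folder that components.list does not name, and checks whether a module name appears in the profile's compreg.dat. It assumes components.list holds one file name per line; the sample files, including example_listed.dll and the compreg.dat contents, are constructed.

```python
import os
import tempfile

BINARY_EXTS = (".dll", ".so", ".dylib")  # library types named in the test plan


def read_whitelist(list_path):
    """File names from components.list (assumed format: one name per line)."""
    with open(list_path, encoding="utf-8") as fh:
        # Compare case-insensitively, since Windows file names are.
        return {line.strip().lower() for line in fh if line.strip()}


def unlisted_binaries(components_dir):
    """Binary libraries in components_dir that components.list does not name."""
    allowed = read_whitelist(os.path.join(components_dir, "components.list"))
    return sorted(
        name for name in os.listdir(components_dir)
        if name.lower().endswith(BINARY_EXTS) and name.lower() not in allowed
    )


def registered_in_compreg(compreg_path, module_name):
    """True if module_name appears anywhere in the profile's compreg.dat."""
    with open(compreg_path, encoding="utf-8", errors="replace") as fh:
        return module_name.lower() in fh.read().lower()


def build_sample(root):
    """Constructed sample data: a components folder and a stand-in compreg.dat."""
    comp = os.path.join(root, "components")
    os.mkdir(comp)
    for name in ("example_listed.dll", "nsExtensionManager.js",
                 "GoogleDesktopMozilla.dll"):
        open(os.path.join(comp, name), "w").close()
    with open(os.path.join(comp, "components.list"), "w") as fh:
        fh.write("example_listed.dll\nnsExtensionManager.js\n")
    compreg = os.path.join(root, "compreg.dat")
    with open(compreg, "w") as fh:
        fh.write("example_listed.dll\nnsExtensionManager.js\n")  # constructed
    return comp, compreg


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        comp, compreg = build_sample(root)
        print("not whitelisted:", unlisted_binaries(comp))
        print("in compreg.dat:",
              registered_in_compreg(compreg, "GoogleDesktopMozilla.dll"))
```

This only inspects files on disk and the registration cache; whether the module was mapped into the running process still has to be confirmed with the module-tracking tools listed under Reference.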
Things We Don't Test
- Application software with malware DLLs
Environments
- Win XP
- Win Vista (32bit, 64bit)
- Win 7 (32bit, 64bit)
- Mac OSX 10.5
- Mac OSX 10.6
- Linux (32bit, 64bit)
Discussion
- Are there other real world examples of bad .dlls out there? GD4 is one to use, but we'd like to diversify.
Reference
- Tools for tracking loaded modules
- Windows: Process Explorer
- Mac: Activity Monitor
- Linux: lsof | grep %proc_id%
- Tools for tracking loaded js modules
- All platforms: Venkman (JavaScript debugger)
- Relevant Bugs
- Fixed bug 524904: Add support for generic DLL blocklist [fixed]
- Fixed bug 519357: Only load known binary components from app directory
- New bug 525103: Generate list of DLLs to Blocklist
- New bug 528457: Always include components.list to partial/complete updates
- Assigned bug 528651: Component registrations not correctly cached leading to re-registering every component on every startup
- Invalid bug 528623: Changes to components.list are not applied (inconsistent caching in profiles compreg.dat)
- Some Examples:
- Note: Are there any sample add-ons or programs that are relevant for testing? Contact jorgev for help in regards to add-ons.