Security/Reviews/Balrog
Item Reviewed
Balrog
Target: https://wiki.mozilla.org/Balrog
Introduce the Feature
Goal of the feature: what is it trying to achieve (problem solved, use cases, etc.)?
Balrog is a rewrite of AUS, which serves application updates to Firefox and other Mozilla products. Its code lives in a GitHub repository.
The Firefox client makes a request to the AUS service with 8-9 parameters (e.g. /update/3/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml).
What solutions/approaches were considered other than the proposed solution?
The current solution uses a large number of snippet files which are matched against the request parameters. If a file matches, the XML version of it is returned. There are now a very large number of snippet files, which are very difficult to maintain for multiple products when they have integrated parts; it can take 30 mins to publish a new build.
Why was this solution chosen?
Simple and effective.
Any security threats already considered in the design and why?
Uploaded files are checked for validity rather than for security. All access to the Admin nodes is via HTTPS with LDAP credentials. Admin actions are logged. Public nodes are as efficient as possible for scalability, which also helps protect against DoS.
Threat Brainstorming
A compromised admin account could be used to upload a JSON blob which points to malware. An attacker could intercept the binary request and serve malware on an untrusted network. An attacker could discover a request that consumes a significant amount of processing power on the Public nodes, which could enable a DoS attack.
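The two server-side checks that follow from the request format and the threats above, as an added illustration (not Balrog's own code): splitting the version-3 request path into its named parameters and rejecting malformed ones before any rule matching, and checking that a binary URL in a release blob is HTTPS and on an allowlisted host. The field pattern, the allowlist hosts and the sample values are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Parameter names in the order they appear in the update request path
# (/update/3/%PRODUCT%/.../update.xml), taken from the placeholders above.
UPDATE_FIELDS = ("product", "version", "build_id", "build_target", "locale",
                 "channel", "os_version", "distribution", "distribution_version")

# Conservative per-field character set (an assumption, not Balrog's own rule):
# letters, digits, and the punctuation that build targets, locales and
# percent-encoded OS versions use.
_FIELD_RE = re.compile(r"^[A-Za-z0-9._%()+-]+$")


def parse_update_request(path):
    """Return a dict of the nine named parameters, or None if the path is
    not exactly /update/3/<9 fields>/update.xml with well-formed fields.

    Rejecting malformed requests before rule matching keeps the public nodes
    from spending work on garbage, which is the DoS concern noted above."""
    parts = path.split("/")
    # Expected split: ['', 'update', '3', <9 fields>, 'update.xml'] -> 13 items
    if (len(parts) != 13 or parts[0] != "" or parts[1] != "update"
            or parts[2] != "3" or parts[-1] != "update.xml"):
        return None
    fields = parts[3:-1]
    if not all(_FIELD_RE.match(f) for f in fields):
        return None
    return dict(zip(UPDATE_FIELDS, fields))


# Hosts a release blob may point clients at (constructed allowlist for the
# "whitelisting URLs that we point to" action item).
ALLOWED_UPDATE_HOSTS = {"download.mozilla.org", "ftp.mozilla.org"}


def release_url_allowed(url):
    """True only for https:// URLs whose host is allowlisted and whose
    authority carries no userinfo or port that could disguise the host."""
    u = urlsplit(url)
    return (u.scheme == "https"
            and u.hostname in ALLOWED_UPDATE_HOSTS
            and u.netloc.lower() == u.hostname)
```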
Action Items
Action Item Status: In Progress
Release Target: Q2 goal for live in nightly channel
Action Items:
- bhearsum :: Are MAR signatures checked on all platforms? Only on Windows, but hashes checked on all platforms
- releng :: whitelisting URLs that we point to
- releng :: notifications upon human addition (maybe change too?) of a release
- bhearsum :: db dump w/ instructions on how to use
- psiinon :: pentest admin UI
Links:
- https://bugzilla.mozilla.org/show_bug.cgi?id=832462 Balrog SecReview bug
- https://bugzilla.mozilla.org/show_bug.cgi?id=832454 Tracking bug for getting Firefox's "nightly" channel updating through balrog