Firefox Security Quarterly Newsletter - Q3 2017


Firefox Security Quarterly Newsletter - Q3 2017

Paul Theriault
[ See formatted version here: https://wiki.mozilla.org/SecurityEngineering/Newsletter ]

= Firefox Security Team Newsletter Q3 17 =

Firefox Quantum is almost here, and contains several important security improvements. Improved sandboxing, web platform hardening, crypto performance improvements and much more. Read on to find out all the security goodness coming through the Firefox pipeline.

- Sandbox work is seeing great progress. As of 57, Windows, Mac OS X, and Linux all have file system access restricted by the sandbox which is a major milestone reached. Further restrictions are enabled for Windows in Firefox 58.

- Firefox 57 now treats data URLs as unique origins, reducing the risk of Cross-Site Scripting (XSS).

- The Firefox Multi-Account Containers Add-on shipped, allowing users to juggle multiple identities in a single browsing session.

- Increased AES-GCM performance in Firefox 56, and support for Curve25519 in Firefox 57 (the first formally verified cryptographic algorithm in a web browser)

- Experimental support for anti-phishing FIDO U2F “Security Key” USB devices landed behind a preference in Firefox 57. This feature is a forerunner to W3C Web Authentication, which will bring this anti-phishing technology to a wider market.

- The privacy WebExtension API can now be used to control the privacy.resistFingerprinting preference and first party isolation



= Team Highlights =


= Security Engineering =
== Crypto Engineering ==
- AES-GCM performance is increased across the board, making large transfers more efficient in Firefox 56.
- Our implementation of Curve25519 in Firefox 57 is the first formally verified cryptographic algorithm in a web browser.
- Experimental support for anti-phishing FIDO U2F “Security Key” USB devices landed behind a preference in Firefox 57. This feature is a forerunner to W3C Web Authentication, which will bring this anti-phishing technology to a wider market.


== Privacy and Content Security ==
- The privacy WebExtension API can now be used to control the privacy.resistFingerprinting preference and first party isolation
- Containers launched as an extension available from AMO
- Containers have had a few improvements for web extensions: containers are now enabled when installing a contextual identity extension; events to monitor container changes; the ability to get icon URLs for containers along with hex colour codes; cleaner APIs.
- Lightbeam was remade as a web extension.
- Firefox 57 treats data URLs as unique origins, which mitigates the risk of XSS and makes Firefox standards-compliant and consistent with the behavior of other browsers.
- Shipped version 4 of the Safe Browsing protocol.

== Firefox and Tor Integration ==
- Continue the Tor patch uplift work focusing on browser fingerprinting resistance
- Landed 12 more anti-fingerprinting patches in 57
- The MinGW build has landed in mozilla-central and is available in treeherder

== Content Isolation ==
- Various Windows content process security features enabled over the quarter including disabling of legacy extension points (56), image load policy improvements (57), increased restrictions on job objects (58), and finally we've enabled the alternate desktop feature in Nightly after battling various problems with anti-virus software interfering with child process startup.
- The new 'default deny' read access policy for the Linux file access broker is now enabled by default for content processes and is rolling out in Firefox 57. The broker forwards content process file access requests to the parent process for approval, severely restricting what a compromised content process could do within the local file system.
- Numerous access rules associated with file system, operating system services, and device access have been removed from the OSX content process sandbox. In terms of file system access, we've reached parity with Chrome's renderer. Remaining print server access will be removed in Q4, removal of graphics and audio access is currently in planning.
- We continue to invest in cleaning up various areas of the code that have accumulated technical debt.
- We’ve completed our research on the scope of enabling the Win32k System Call Disable Policy feature. This feature will isolate content processes from a large class of Win32k kernel APIs commonly used to gain sandbox escape and privilege escalation. Planning for this long term project is currently underway with work expected to commence in Q4.
- As a result of the stability and process startup problems encountered due to 3rd party code injection, a new internal initiative has formed to better address problems associated with unstable software injected into Firefox. This cross-team group will explore and improve policy revolving around outreach and blocking, data collection and research, and improved injection mitigation techniques within Firefox.


= Operations Security =
- addons.mozilla.org and Firefox Screenshots went through external security audits. The reports will be released soon.
- Internal audits of Crash Reports and Phabricator were completed and have found no maximum or high risk issues.
- addons.mozilla.org, Crash Reports, Telemetry, Pontoon, Push and Tracking Protection backends have been connected to pyup.io to track vulnerabilities in upstream Python dependencies.
- Verification of the signature of installer and update files has been integrated to the product delivery pipeline, to prevent an attacker from feeding an improperly signed file to our download sites.


= Security Assurance =
- Developed new static analysis tool to detect sandbox-related flaws in IPDL endpoints.
- Established mobile security review process to cover projects coming through New Mobile Experience pipeline.
- Identified a number of warnings by building for Windows with gcc, and resolved many of them.

= Cross-Team Initiatives =
Google has become an official Root Store Member of the Common CA Database (CCADB).


= Security Blog Posts & Presentations =
https://blog.mozilla.org/firefox/introducing-firefox-multi-account-containers/
https://blog.mozilla.org/security/2017/09/29/improving-aes-gcm-performance/
https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/
https://hacks.mozilla.org/2017/10/remaking-lightbeam-as-a-browser-extension/
https://blog.mozilla.org/security/2017/10/04/treating-data-urls-unique-origins-firefox-57/
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
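The data: URL origin change announced above, modelled as an added example (not Firefox or Mozilla code): before Firefox 57 a data: document inherited the origin of the page that loaded it, so it could script that page; from Firefox 57 it gets a unique (opaque) origin that is same-origin only with itself. The helper names and the sample URLs are constructed for this example; Node's WHATWG URL parser already serialises the origin of a data: URL as "null", i.e. opaque.

```javascript
// Added example, not Firefox code: a model of the same-origin rule for data: URLs.
let nextId = 0;

// Return an origin object: a tuple origin for http(s) and similar schemes, or a
// fresh opaque origin for schemes whose origin serialises to "null" (data:, about:, ...).
function originOf(href) {
  const u = new URL(href);
  if (u.origin === "null") {
    return { opaque: true, id: ++nextId };
  }
  return { opaque: false, value: u.origin };
}

// Same-origin comparison: tuple origins compare by serialised value (scheme, host,
// port); an opaque origin matches only the very same origin object.
function sameOrigin(a, b) {
  if (a.opaque || b.opaque) return a === b;
  return a.value === b.value;
}

// Legacy behaviour (before Firefox 57): the data: document inherits the loader's origin.
function legacyDataOrigin(loaderHref) {
  return originOf(loaderHref);
}

// Firefox 57 behaviour: the data: document gets its own opaque origin.
function uniqueDataOrigin(dataHref) {
  return originOf(dataHref);
}

// Can a script in document A reach the DOM or storage of document B? This models the
// same-origin policy only; no other access controls are considered.
function canAccess(originA, originB) {
  return sameOrigin(originA, originB);
}

// Constructed sample: a site loads a plain-text data: document.
const site = originOf("https://example.org/page");
const dataDoc = "data:text/plain,hello";

function demo() {
  return {
    legacy: canAccess(legacyDataOrigin("https://example.org/page"), site),      // true
    unique: canAccess(uniqueDataOrigin(dataDoc), site),                         // false
    twoDataDocs: canAccess(uniqueDataOrigin(dataDoc), uniqueDataOrigin(dataDoc)), // false
  };
}
```

The last result is the detail worth noticing: two data: documents with identical content are still distinct origins, because an opaque origin carries no serialisable value to compare.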

Re: Firefox Security Quarterly Newsletter - Q3 2017

Paul Theriault
For anyone who clicked the link and was confused, NOW the wiki has the
latest newsletter. Apologies for that.

https://wiki.mozilla.org/SecurityEngineering/Newsletter


On Thu, Nov 2, 2017 at 9:25 PM, Paul Theriault <[hidden email]>
wrote:

Re: Firefox Security Quarterly Newsletter - Q3 2017

Kevin Chadwick
In reply to this post by Paul Theriault
On Thu, 2 Nov 2017 03:25:38 -0700 (PDT)


> = Firefox Security Team Newsletter Q3 17 =
>
> Firefox Quantum is almost here, and contains several important
> security improvements.

The following message, copied in below, and the thread that follows it might be of
interest to anyone interested in Firefox Security. The pledge model makes
a lot of sense.

https://marc.info/?l=openbsd-misc&m=150652348327924&w=2
_____________________________________________________________________________



> Firefox has W^X compliance and so runs with the secure defaults.

it uses page aliasing, which is a shitty way of being compliant

> The latest Firefox (Not ESR as mtier provides) has recently had
> sandboxing for Windows and Linux added and legacy extensions will be
> phased out.
>
> It is therefore likely possible to add pledge patches without
> depending on upstream and so Firefox could become the clear winner.

you really shouldn't be promising that to anyone.  it might not happen,
their design might not allow it.

pledge in giant programs is very rare.  chrome got LUCKY, and there is
no evidence that firefox will also.