archive/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2026-05-01 07:14:51 +02:00
Code Issues Projects Releases Packages Wiki Activity
Page: Workweek security
Pages
Adding a new WebIDL binding Alternative Logo Proposals and Related Swag Asynchronous WebAssembly compilation project Austin Oxidation Autogeneration of style structs Basic SVG support project Beginner's guide to rebasing and squashing Benchmarking Benchmarks Bots Browser Engine Research Build Errors FAQ Buildbot administration Building for Android Building for Magic Leap Building for UWP Building on ARM desktop Linux Building CI Services we use CSS parse error reporting CSSOM student project Canvas rendering project Cargo upgrade service project Code rust concurrency Code Review Code of Conduct Coding standards Compiler upgrade recipes Compositor Layer Design Contributing Control Servo using WebDriver Creating and viewing WARC web archives in Servo Creating new OpenSSL Windows binary distributions Cross compiling from linux to mac Crowbot Css selector matching meeting 2013 07 19 DOM Design DOM documentation DOM missing pieces Debugging JS web compat issues Debugging and editing tools Debugging Design Developer tools student project Devtools CSS errors Devtools plans Devtools Diagnosing SpiderMonkey JIT issues Eric Atkinson visit 2013 09 10 Events and sundry Expand HTTP request response monitoring Fetch improvement project Firefox Reality release notes FirefoxReality build Firewall setup for servo master1 Focus student project Form validation student project GSoC project brainstorming Garbage collected DOM Getting started with layout GitHub Labels Github & Critic PR handling 101 Github workflow Glossary Governance Graphics toolkit integration HTML parser improvement project HTMLElement binding conversion HTTP archive support project HTTP library requirements Hawaii Rooting High priority content for layout Highfive HoloLens 2 test plan Home How to generate GStreamer binaries for CI Image load conformance student project Image maps project Implement HTML charset parsing project Implement ImageBitmap project Implement missing WebAudio automation student project Implement support for missing XMLHttpRequest APIs Implement worker modules Implementing a web standard (RGSoC) Improve specification conformance of unicode bidi library Incremental flow tree construction Infrastructure Integrate xml5ever Intern project brainstorming Intern projects JS objects, wrappers, and cross origin concerns 2013 08 07 Layout 2020 Layout Overview Layout resources Layout revamp ideas Leo meyerovich visit 2013 07 22 Linux sandboxing London Oxidation London Security Meeting 2014 10 27 Meeting 2014 12 08 Meeting 2012 02 08 Meeting 2012 02 16 Meeting 2012 07 20 Meeting 2013 04 01 Meeting 2013 04 15 Meeting 2013 04 22 Meeting 2013 04 29 Meeting 2013 05 06 Meeting 2013 05 13 Meeting 2013 05 20 Meeting 2013 06 03 Meeting 2013 06 10 Meeting 2013 06 14 Meeting 2013 06 17 Meeting 2013 06 24 Meeting 2013 07 01 Meeting 2013 07 15 Meeting 2013 07 22 Meeting 2013 07 29 Meeting 2013 08 05 Meeting 2013 08 12 Meeting 2013 08 19 Meeting 2013 09 09 Meeting 2013 09 16 Meeting 2013 09 23 Meeting 2013 09 30 Meeting 2013 10 14 Meeting 2013 10 21 Meeting 2013 10 28 Meeting 2013 11 04 Meeting 2013 11 18 Meeting 2013 11 25 Meeting 2013 12 02 Meeting 2013 12 09 Meeting 2013 12 16 Meeting 2014 01 06 Meeting 2014 01 13 Meeting 2014 01 21 Meeting 2014 01 27 Meeting 2014 02 03 Meeting 2014 02 10 Meeting 2014 02 24 Meeting 2014 03 10 Meeting 2014 03 17 Meeting 2014 03 24 Meeting 2014 03 31 Meeting 2014 04 07 Meeting 2014 04 14 Meeting 2014 04 21 Meeting 2014 04 28 Meeting 2014 05 05 Meeting 2014 05 13 Meeting 2014 05 19 Meeting 2014 06 09 Meeting 2014 06 17 Meeting 2014 06 23 Meeting 2014 06 30 Meeting 2014 07 07 Meeting 2014 07 14 Meeting 2014 07 21 Meeting 2014 07 29 Meeting 2014 08 04 Meeting 2014 08 11 Meeting 2014 08 12 Meeting 2014 08 18 Meeting 2014 08 25 Meeting 2014 09 08 Meeting 2014 09 15 Meeting 2014 09 22 Meeting 2014 09 29 Meeting 2014 10 06 Meeting 2014 10 13 Meeting 2014 10 20 Meeting 2014 11 10 Meeting 2014 11 17 Meeting 2014 11 24 Meeting 2014 12 15 Meeting 2015 01 05 Meeting 2015 01 12 Meeting 2015 01 26 Meeting 2015 02 09 Meeting 2015 02 23 Meeting 2015 03 02 Meeting 2015 03 16 Meeting 2015 03 30 Meeting 2015 04 06 Meeting 2015 04 13 Meeting 2015 04 27 Meeting 2015 05 04 Meeting 2015 05 11 Meeting 2015 05 18 Meeting 2015 06 01 Meeting 2015 06 08 Meeting 2015 06 15 Meeting 2015 07 06 Meeting 2015 07 13 Meeting 2015 07 27 Meeting 2015 08 10 Meeting 2015 08 17 Meeting 2015 08 24 Meeting 2015 08 31 Meeting 2015 09 14 Meeting 2015 09 21 Meeting 2015 09 28 Meeting 2015 10 05 Meeting 2015 10 12 Meeting 2015 10 19 Meeting 2015 10 26 Meeting 2015 11 02 Meeting 2015 11 09 Meeting 2015 11 16 Meeting 2015 11 30 Meeting 2016 01 04 Meeting 2016 01 11 Meeting 2016 01 25 Meeting 2016 02 01 Meeting 2016 02 08 Meeting 2016 02 22 Meeting 2016 03 07 Meeting 2016 03 21 Meeting Devtools Servo 2 Meetings Microdata project Minutes Hackathon 2012 03 27 Missing DOM features project More ServiceWorker support project More developer tools student project Mozlandia Automation Mozlandia B2S Mozlandia JS Mozlandia Rust In Gecko Mozlandia WPT Mozlandia gfx Mozlando Devtools Servo Mozlando Oxidation Mozlando SM Servo Mozlando Servo Bluetooth Mozlando Servo MagicDOM Mozlando Servo SMStrings Mutation observer project Mutation testing project NCSU student projects Network security project Off main thread HTML parsing project Offscreen canvas improvements project Offscreen canvas project Orlando Oxidation 2018 Oxidation 2015 11 05 Persistent sessions student project Preparing ARM libraries for CI Priority of CSS properties Priority of DOM implementation Priority of dom bindings Private browsing student project Profiling Project proposal deadlines Prototype JS form controls student project Prototype ways of splitting the script crate Publishing a new ANGLE NuGet version Publishing a new app store release Push vs Pull for caching Random web content project Refactor GLES2 student project Refactor bluetooth support student project Remaining work Removing push notifications from IRC hooks Replace C libraries student project Report new contributors project Representation of computed style Research Reviewer Roadmap Running Web Platform Tests on Servo Rust HTML parser Rust SpiderMonkey debugger API Rust cssparser code walk 2013 08 02 SaltStack Administration San Francisco Oxidation Servo Benchmarking Report (December 2024) Servo Benchmarking Report (November 2024) Servo Benchmarking Report (October 2024) Servo Layout Engines Report Servo and SpiderMonkey Report Servo for Gecko Developers Specification Links SpiderMonkey related tasks SpiderMonkey infodump SpiderMonkey upgrade details Storage student project Streaming webassembly student project Strings Student project brainstorm Student projects Styling overview Stylo hacking guide Summer of Code 2014: Implement XMLHttpRequest Summer of Code 2016: Fetch API Summer of Code 2016: File support Summer of Code 2016: ServiceWorker infrastructure Summer of Code projects Summit meeting 2013 09 09 Support WebDriver based tests project Syncing web platform tests (WPT) TaskCluster Testing Tools Tracking intermittent failures over time project Transcription Notes from Servo Architecture talk in Suwon Transcription notes from rust patterns talk in suwon Transcription parallelism Transcription rust concurrency Transcription rust runtime Transription layout and acid2 Trinity College Dublin student projects UPenn student projects Updating the Rust compiler used by Servo Upgrading non taskcluster linux CI machines Upgrading the UWP gstreamer binaries Upgrading the windows LLVM binaries Upgrading wptrunner Using DOM types Using Rust Spidermonkey Prototype Using WebWorker Prototype Version 0.1 Videos and presentations WebAudio JS interfaces student project WebAudio nodes student project WebCompatBug WebSocket student project Webdriver student project Webdriver tests student project Webrender Overview Whistler 2019 notes Whistler Bugzilla Whistler FFOS Whistler GFX Whistler Houdini1 Whistler Houdini2 Whistler Necko Whistler Oxidation 2019 Work items for new contributors Workweek COW DOM Workweek alt js Workweek android arm Workweek boot 2 servo Workweek compiler lints Workweek displaylist Workweek dogfooding Workweek encoding Workweek generated content Workweek governance Workweek graphics stack Workweek graphics toolkit Workweek incremental layout Workweek js bindings status Workweek layers Workweek layers2 Workweek pixels Workweek rasterization Workweek reftests Workweek roadmap Workweek script crate Workweek security Workweek string interning Workweek tables Workweek writing modes XML parser student project infra triage notes jQuery status webxr.today support
1 Workweek security
jdm edited this page 2014-11-11 06:59:33 -08:00
Table of Contents

Servo workweek security

  • kmc: First, want to look at known bad areas. Second, want to talk about what we need to do before we can ship a product. Finally, we want to talk about how we should react to security issues and incent the community to help us.

Security issues

  • kmc: Having a "security wall of fame" has been successful at EventBrite. Even not just for reporting bugs, but for helping analyze various modules of the project. That may turn into a Bug Bounty program later.
  • jack: What does Rust do? Do they have a policy?
  • kmc: I don't know.
  • jack: Our SecCrit issues in Servo are issues in the Rust type system.
  • kmc: You mean, unsoundness that gets triggered in our build.
  • jack: Yes, but we're vulnerable to Rust bugs. So if they don't have anything for tracking these, we should get it on their agenda. Maybe they should have a Bug Bounty for 1.0.
  • jack: For process, since we're not a product, we can probably just use the GitHub issue tracker - bugs don't need to be secret yet. Ones that we might are ones in Rust, and that's their problem.
  • kmc: Or if we found a vuln in a dependency, like SM.
  • cgaebel: What if Servo becomes part of a botnet? Like a HUGE vulnerability.
  • kmc: I do sometimes worry that if I'm working on obscure alpha quality software that people can target me on it.
  • zwarich: They can. And if that's a problem, you probably need to use a VM or otherwise isolate that work. There's a bunch of questions we normally have to answer PLUS what we have to do before we give people an alpha. With WebKit nightlies, Mozilla's nightlies, etc. (though Mozilla Betas have a security process, at least judging by the messages I get when using them?) in those alphas, the point is that the process isn't there. If we use the same standard, we would have no security process other than "try to be on the newest one." I don't think that's a problem, but the question is: is what we want to deliver with Servo really an alpha from other people? Or something that's more like a User Preview?
  • jack: Pre-alpha?
  • zwarich: Are we trying to deliver something to users so they can get a general experience and not be their "main browser" or are we inviting people to participate in active servo development by being a full user, filing bugs, etc. If it's the latter, then people should be using the latest version, but if it's meant to be a product used more long-term, though...
  • jack: For a browser snapshot, it's akin to a Mozilla nightly and not for day to day use. But if we make progress on a UI tookit for Rust with Servo as the engine, we need to worry more.
  • kmc: I think there is no process for FF nightlies, but it's on a basis for assuming things are somewhat secure, and we have NO basis.
  • jack: Should at least have a wiki page. And find out what the Rust team is doing. That's most of what we need for incident reporting. If anything comes up, we'll figure it out.
  • zwarich: Typically, you have a bug tracker with non-public-access for sec vulns. People file in that, you have to tell them what the requested embargo date is (regardless of action we take). In WebKit, you had to coordinate across many organizations, though that's easier for us since we have one delivery vehicle. Then, you find some way of fixing the bug and pull it into a branch. It's what other projects do, and that seems like what we should do. As far as congratulating people for sec vulns, we should treat it as normal in something like TWiS. Shout-outs are welcomed by the people who investigate security vluns.
  • kmc: We will definitely want to have the information out to people about our interest in security.
  • jack: Probably nothing special right now. Maybe Rust is at the stage where that kind of encouragement is needed.
  • zwarich: Around the time 1.0 comes out, people will be interested in whether safe code is safe. Ramping up already - 4 soundness holes in the type system found in the last week.
  • kmc: Those are important & severe from the perspective of Rust.
  • larsberg: Scary because you can't just know where those bugs hit Servo without recompiling and seeing if we get an error.
  • dherman: Naturally many of those soon, but they should disappear over coming months.
  • kmc: So, if we update Rust and get a new error related to a security vuln, we'll have to check and see if that affected a Servo that's out "in the wild." Maybe need to be a bit less mindlessly mechanical about our Rust upgrades.
  • zwarich: I think we don't need to go that deep right now.
  • dherman: Yes, there are gradiations in claims on our security story for Servo. We're not talking about being post-beta in 2015. Most important thing should be adoption, not perfection.
  • kmc: At this stage, I mostly want to describe/catalog our exposures right now. How can we get the community involved in that and get people looking at our code?

Known vulns

  • jack: This is stuff we need to get nailed down on security for a nightly
  • zwarich: Want to not look stupid - FIXMEs, 2 year old dependencies, etc.
  • kmc: Still a few dodgy things we do...

old deps: spidermonkey stb-image -- replace with Rust-image; it is intentionally not designed to be secure no sandboxing yet all c/c++ (harfbuzz, freetype, etc)

Security in first nightlies

  • zwarich: For first vehicle, could consider not persisting anything to the filesystem. Tricky with cookies (on OS10, there's a sandboxing mechanism, many on Linux, but maybe one is standardized now?). Could sandbox super hard.
  • jack: Would we have to ship it in a container on Linux?
  • zwarich: There are sandboxes based on syscall filtering, etc.
  • kmc: Maybe on mobile? locked down android permissions.
  • larsberg: jruderman recommended that we whitelist sites (reddit, wikipedia, imgur, twitter, facebook), upgrade everything to https, and require certs.
  • kmc: Might want people visiting lots of sites to get more feedback on them. Maybe warn if you're off the trusted path.
  • jack: I like simplified cert checking.
  • kmc: It's a big ordeal to get any assurance.
  • zwarich: Also, just disable SSL3.
  • jack: Chrome's gonna do that. I was thinking after that attack, we should just disable all old protocols.
  • dherman: Until we have to worry about web compat for known problematic things that we don't want support for...
  • zwarich: Will people care we use OpenSSL?
  • jack: Chrome is using it.
  • dherman: We should talk with ekr about the politics. It's sensitive, but we're a research project so we may have some more flexibility.
  • jack: AFAIK, we need either OpenSSL or NSS for FIPS certification.
  • kmc: Can ship as a consumer product regardless, so it can be down the line.
  • jack: Doesn't cost us anything to do the mandatory thing now.
  • kmc: Fine for now, but I'd like to think about how we get on a Rust version of TLS.
  • dherman: OK for research, but for a product path, it's a HUGE conversation. But until I'm told that we are going to get shut down for going down a path, I'd like to leave them open to us.

Whitelist, getting people to try stuff out on other sites

  • dherman: Security is one part of this. I haven't been thinking about security implications of a nightly. But it's part of a larger question of the MVP of Servo and being compelling and courting adoption. For there, we want the emotional appeal, value adoption, and synergistic synergy . Competing constraints because on one had, something you can't do anything with seems terrible, but it's also important that we ship a thing that puts its best foot forward. That's all about performance (security, too). We don't want to look like morons with our first releases, but we also don't want to have tested it on a half-dozen sites, and we blow up on the long tail. It might ruin our chance at a first experience.
  • larsberg: Easier to increase what we can see, but can't decrease it.
  • jack: First thing is the wikipedia browser without an address bar. If we have an address bar...
  • dherman: No address bar - dropdown.
  • kmc: Looks like a toy otherwise. We can have a dropdown and ability to put an address bar.
  • zwarich: Depends where we're at. If we are where we're at, we'd have to have a dropdown because we just don't have enough of the web ready yet. Servo cannot render the majority of the sites right now, much less the long tail.
  • jack: First can either be fixed to wikipedia or dropdown. Our goal with that MVP is just tech demo so people don't have to build it themselves. As soon as what we want is feedback on bugs, etc. then we should not restrict it. We already know the problems with CNN, reddit, github, etc.
  • dherman: We should not drive attention until it's an exciting item. You need to not just have it function, but it needs to be awesome.
  • larsberg: My hope would be that it blows other Android browsers out of the water and ship that.
  • dherman: Didn't mean to hijack the security discussion, but I think it intersects.
  • zwarich: Bigger thing with security: are we trying to claim that because of Rust, the browser is secure modulo C/C++ libraries.
  • kmc: People in InfoSec are skeptical of language-based security.
  • dherman: Agreed. We do not want to make that claim at all.
  • kmc: Just say that
  • cgaebel: What guarantees will we give?
  • zwarich: What guarantees does ANYONE give?
  • larsberg: Seriously, handle chemspill/urgent updates. We will not do that.
  • dherman: Yes. We may need such a disclaimer from the security people.
  • kmc: There's nothing for nightlies...
  • dherman: Don't want to be too strong. Rust's language about laundry-eating has hurt us.
  • jack: We can just make it hard to use - no cookies, etc.
  • zwarich: Would we put the claim that we make in our Introduction to Servo talks and put it on the site?
  • jack: We have the breakdown pcwalton is working on (that about 48% of the modern security bugs are potentially handled by Rust).
  • kmc: We are, eventually, going to get pwned and have to deal with a nasty blog post...
  • dherman: zwarich is right that we have to have our technology story nailed down. Security is one small part our technology (which we talk about), but the rest of the stuff about the process, dependencies, etc. is on point. We have to say that we have an architecture that we believe is better for security and that in a final product we will be more secure, but that our current deliverables haven't met those goals. Too long - needs to be shorter. People - especially InfoSec - will use our words against us :-)
  • kmc: Yes, we need to make sure that the words we've previously said are consistent with our product.
  • jack: Our messaging has always been good in Servo.
  • larsberg: We've even just said that we do not have use-after-free / buffer overruns.
  • jack: The Rust message is much stronger than ours.
  • dherman: The Rust message is just about safe code. Not the unsafe subdialect.
  • cgaebel: Vec is unsafe! You can't write safe code that uses it and be sure it's safe!
  • dherman: All languages have unsafe code at some point - it's 1s and 0s deep down. How Rust talks about itself is not how Servo should talk about itself. We don't want to say something that invites attacks and ridicule.
  • pcwalton: Yes, I've always been very careful about interactions with security people, as they love to play GOTCHA if you do not carefully word your statements. I've been careful to say that we don't eliminate the vulns via Rust, just that we will reduce the surface area. I looked at the 515 SECCRIT bugs in FF that are public. Assuming based on what we intend to replace with Rust, Servo would address 48% of bugs via Rust. The rest were mostly JS-related - Chrome privilege escalation, SpiderMonkey, etc.
  • dherman: That's consistent with what we want to say. That our model will reduce the surface area. Since we don't have chemspill, we don't want to start saying that we're more secure than others. Don't want to invite attacks.
  • kmc: Want to invite attacks, but in a constructive way. Invite the attacks and exploits, be supportive of the InfoSec security.
  • cgaebel: Super-rare secure Servo security stickers, given as a surprise before we have a bug bounty program?
  • kmc: Yahoo got in trouble for that.