[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [tor-browser-spec/master] Add new and old Firefox code audit notes.



commit e4601b80e9215bbc2e7d449e4d5e7890f6b7246a
Author: Mike Perry <mikeperry-git@xxxxxxxxxx>
Date:   Thu Feb 7 14:55:18 2013 -0800

    Add new and old Firefox code audit notes.
---
 docs/audits/FF17_FEATURE_AUDIT |   19 ++++
 docs/audits/FF17_NETWORK_AUDIT |   84 +++++++++++++++++
 docs/audits/FF3.5_AUDIT        |  195 ++++++++++++++++++++++++++++++++++++++++
 docs/audits/FF4_AUDIT          |   50 +++++++++++
 4 files changed, 348 insertions(+)

diff --git a/docs/audits/FF17_FEATURE_AUDIT b/docs/audits/FF17_FEATURE_AUDIT
new file mode 100644
index 0000000..b135c0a
--- /dev/null
+++ b/docs/audits/FF17_FEATURE_AUDIT
@@ -0,0 +1,19 @@
+- Can calc() accept device-width/height?
+  - No. Numbers only.
+  - Can viewport/meta viewport accept them?
+    - nsContentUtils::GetViewportInfo() might be the only place..
+    - nsContentUtils::ProcessViewportInfo()
+    - Viewport seems unused on all but mobile
+    - Maybe worth testing..
+
+- currentColor: OK
+- scrollMax: OK
+- IdleAPI: FirefoxOS only, but still present w/ pref??
+  - Throws "The operation is insecure" exception
+  - Disabled for content. WebApp only.
+
+- Web Activities
+  - Seems unfinished and unexported to content
+
+- RegisterContent/ProtocolHandler -> Third party supercookie??
+  - asks for confirmation
diff --git a/docs/audits/FF17_NETWORK_AUDIT b/docs/audits/FF17_NETWORK_AUDIT
new file mode 100644
index 0000000..8ec25ba
--- /dev/null
+++ b/docs/audits/FF17_NETWORK_AUDIT
@@ -0,0 +1,84 @@
+
+Lowest level resolver calls:
+ - PR_GetHostByName
+   + ./profile/dirserviceprovider/src/nsProfileLock.cpp
+     + nsProfileLock::LockWithSymlink
+   + ./security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+     - pkix_pl_Socket_CreateByHostAndPort()
+     - pkix_pl_Socket_CreateByName()
+   - ./security/nss/lib/certhigh/ocsp.c
+     - ocsp_ConnectToHost()
+   + ./security/nss/cmd/libpkix/pkix_pl/module/test_socket.c
+   + ./security/nss/cmd/vfyserv/vfyserv.c
+   - ./media/webrtc/trunk/src/modules/udp_transport/source/udp_transport_impl.cc (!!!)
+     --disable-webrtc!!!
+ + PR_GetAddrInfoByName
+   + ./security/nss/cmd/ssltap/ssltap.c
+   + ./security/nss/cmd/tstclnt/tstclnt.c
+   + ./security/nss/cmd/strsclnt/strsclnt.c
+
+Direct paths to DNS resolution:
+ + nsDNSService::Resolve
+ + nsDNSService::AsyncResolve
+ + nsHostResolver::ResolveHost
+
+Misc UDP (SOCK_DGRAM, PR_DESC_SOCKET_UDP):
+ + ./nsprpub/pr/src/io/prsocket.c
+   + PR_NewUDPSocket
+   + PR_OpenUDPSocket
+   + PR_Socket
+ + ./nsprpub/pr/src/pthreads/ptio.c
+ + ./netwerk/socket/nsUDPSocketProvider.cpp
+
+Misc TCP (SOCK_STREAM, PR_DESC_SOCKET_TCP):
+ + ./nsprpub/pr/src/pthreads/ptio.c
+ - ./nsprpub/pr/src/io/prsocket.c
+   - PR_NewTCPSocket
+   - PR_Socket
+   - PR_OpenTCPSocket
+ + ./nsprpub/pr/src/misc/prnetdb.c
+ + TCPSocket:
+   + ./security/manager/ssl/src/nsNSSIOLayer.cpp
+     + nsSSLIOLayerNewSocket()
+   + ./security/nss/lib/certhigh/ocsp.c
+     + ocsp_SendEncodedRequest
+   + ./security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+     + pkix_pl_Socket_CreateClient
+     + pkix_pl_Socket_CreateServer
+
+Misc PR_Socket:
+ + ./nsprpub/pr/src/cplus/rcnetio.cpp
+   + RCNetStreamIO::RCNetStreamIO
+
+Misc XPCOM:
+ - *SocketProvider
+   + newSocket
+     + ./netwerk/base/src/nsSocketTransport2.cpp:
+   + addToSocket
+ + @mozilla.org/network/socket:
+   + createTransport()
+     + ./netwerk/protocol/http/nsHttpConnectionMgr.cpp
+     + ./netwerk/protocol/ftp/nsFtpConnectionThread.cpp:
+     + ./netwerk/protocol/ftp/nsFtpControlConnection.cpp:
+   + ./dom/network/src/TCPSocket.js
+     + open()
+
+Android may have DNS leaks..
+ - ./mobile/android/base/httpclientandroidlib/impl/conn/DefaultClientConnectionOperator.java 
+
+nsDNSService/nsPIDNSService/nsIDNSService
+ + calls nsHostResolver::ResolveHost
+ + used by:
+   + DNS prefetch (disabled)
+   + ./netwerk/base/src/nsIOService.cpp (offline mode only)
+   + ./netwerk/build/nsNetModule.cpp
+   + ./netwerk/protocol/websocket/WebSocketChannel.cpp
+   + ./netwerk/build/nsNetCID.h 
+   + ./netwerk/socket/nsSOCKSIOLayer.cpp (proxy lookup only)
+
+netwerk/base/src/nsSocketTransport2.cpp
+ + nsSocketTransport::ResolveHost() has proper remote dns checks
+   + Resolution is done by using hostname as sockaddr
+ + PROXY_RESOLVES_HOST
+
+
diff --git a/docs/audits/FF3.5_AUDIT b/docs/audits/FF3.5_AUDIT
new file mode 100644
index 0000000..35a9fbf
--- /dev/null
+++ b/docs/audits/FF3.5_AUDIT
@@ -0,0 +1,195 @@
+First pass: Quick Review of Firefox Features
+- Video Tag
+  - Docs:
+    - https://developer.mozilla.org/En/HTML/Element/Audio
+    - https://developer.mozilla.org/En/HTML/Element/Video
+    - https://developer.mozilla.org/En/HTML/Element/Source
+    - https://developer.mozilla.org/En/Manipulating_video_using_canvas
+    - https://developer.mozilla.org/En/nsIDOMHTMLMediaElement
+    - https://developer.mozilla.org/En/Media_formats_supported_by_the_audio_and_video_elements
+    - http://en.flossmanuals.net/TheoraCookbook
+  - nsIContentPolicy is checked on load
+  - Uses NSIChannels for initial load
+  - Wrapped in nsHTMLMediaElement::mDecoder
+    - is nsOggDecoder() or nsWaveDecoder()
+    - liboggplay
+  - Governed by media.* prefs
+  - Preliminary audit shows they do not use the liboggplay tcp functions
+- Geolocation
+  - Wifi:
+    - https://developer.mozilla.org/En/Monitoring_WiFi_access_points
+    - Requires security policy to allow. Then still prompted
+  - navigator.geolocation
+    - Governed by geo.enabled
+    - "2 week access token" is set
+      - geo.wifi.access_token.. Clearing is prob a good idea
+    - http://mxr.mozilla.org/mozilla1.9.1/source/dom/src/geolocation/NetworkGeolocationProvider.js
+    - https://developer.mozilla.org/En/Using_geolocation
+- DNS prefetching after toggle
+  - prefetch pref? Always disable for now?
+    - network.dns.disablePrefetch
+    - Also disabled in netwerk/dns/src/nsDNSService2.cpp when manual proxies
+      are set..
+    - This should prevent prefetching of non-tor urls in tor mode..
+    - But the reverse is unclear.
+    - DocShell attribute!!1 YAY
+      - http://www.oxymoronical.com/experiments/apidocs/interface/nsIDocShell
+      - "Takes effect for the NEXT document loaded...."
+        - Do we win this race? hrmm.. If we do, the tor->nontor direction
+          should also be safe.
+  - Content policy called?
+    - No. See content/html/content/src/nsHTMLDNSPrefetch.cpp
+- Storage
+  - https://developer.mozilla.org/en/Storage
+  - "It is available to trusted callers, meaning extensions and Firefox
+    components only."
+- New content policy
+  - Content Security Policy. Addon-only
+- "Offline resources"
+  - https://developer.mozilla.org/en/Offline_resources_in_Firefox
+  - https://developer.mozilla.org/en/nsIApplicationCache
+  - browser.cache.offline.enable toggles
+  - browser.cache.disk.enable does not apply. Seperate "device".
+  - Does our normal cache clearing mechanism apply?
+    - We call nsICacheService.evictEntries()
+    - May need: nsOfflineCacheDevice::EvictEntries(NULL)
+  - Code is smart enough to behave cleanly if we simply set
+    browser.cache.offline.enable or enable private browsing.
+- Mouse gesture and other new DOM events
+- Fonts
+  - Remote fonts obey content policy. Good.
+  - XXX: Are they cached independent of regular cache? Prob not.
+  - Hrmm can probe for installed fonts:
+    http://remysharp.com/2008/07/08/how-to-detect-if-a-font-is-installed-only-using-javascript/
+    http://www.lalit.org/lab/javascript-css-font-detect
+    http://www.ajaxupdates.com/cssjavascript-font-detector/
+    http://code.google.com/p/jquery-fontavailable/
+- Drag and drop
+  - https://developer.mozilla.org/En/DragDrop/Drag_and_Drop
+  - https://developer.mozilla.org/En/DragDrop/Drag_Operations
+  - https://developer.mozilla.org/En/DragDrop/Dragging_and_Dropping_Multiple_Items
+  - https://developer.mozilla.org/En/DragDrop/Recommended_Drag_Types
+  - https://developer.mozilla.org/En/DragDrop/DataTransfer
+  - Should be no different than normal url handling..
+- Local Storage
+  - https://developer.mozilla.org/en/DOM/Storage#localStorage
+  - Disabled by dom storage pref..
+  - Private browsing mode has its own DB
+    - Memory only?
+  - Disk Avoidance of gStorage and local storage:
+    - mSessionOnly set via nsDOMStorage::CanUseStorage()
+      - Seems to be set to true if cookies are session-only or private
+        browsing mode
+        - Our cookies are NOT session-only with dual cookie jars
+          - but this is ok if we clear the session storage..
+            - XXX: Technically clearing session storage may break
+              sites if cookies remain though
+      - nsDOMStoragePersistentDB not used if mSessionOnly
+  - Can clear with nsDOMStorage::ClearAll() or nsIDOMStorage2::clear()?
+    - These only work for a particular storage. There's both global now
+      and per-origin storage instances
+    - Each docshell has tons of storages for each origin contained in it
+    - Toggling dom.storage.enabled does not clear existing storage
+    - Oh HOT! cookie-changed to clear cookies clears all storages!
+      - happens for both ff3.0 and 3.5 in dom/src/storage/nsDOMStorage.cpp
+  - Conclusion:
+    - can safely enable dom storage
+      - May have minor buggy usability issues unless we preserve it
+        when user is preserving cookies..
+
+Second Pass: Verification of all Torbutton Assumptions
+- "Better privacy controls"
+  - Basically UI stuff for prefs we set already
+  - address bar search disable option is interesting, but not
+    torbutton's job to toggle. Users will hate us.
+- Private browsing
+  - https://developer.mozilla.org/En/Supporting_private_browsing_mode
+    - We should consider an option (off by default) to enable PBM during
+      toggle
+      - It is a good idea because it will let our users use DOM storage
+        safely and also may cause their plugins and other addons to be
+        safe
+      - Doing it always will cause the user to lose fine-grained control
+        of many settings
+        - Also we'll need to prevent them from leaving without toggling tor
+        - Stuff the emit does (grep for NS_PRIVATE_BROWSING_SWITCH_TOPIC and
+          "private-browsing")
+          - XXX:  clear mozilla.org/security/sdr;1. We should too! Wtf is it??
+            - Neg. Best to let them handle this. Users will be annoyed
+              at having to re-enter their passwords..
+          - They also clear the console service..
+          - Recommend watching private-browsing-cancel-vote and blocking if
+            we are performing a db operation
+            - Maybe we want to block transitions during our toggle for safety
+          - XXX: They also clear general.open_location.last_url
+          - XXX: mozilla.org/permissionmanager
+          - XXX: mozilla.org/content-pref/service
+          - XXX: Sets browser.zoom.siteSpecific to false
+          - Interesting.. They clear their titles.. I wonder if some
+            window managers log titles.. But that level of surveillance is
+            unbeatable..
+            - XXX: Unless there is some way for flash or script to read titles?
+          - They empty the clipboard..
+            - Can js access the clipboard?? ...
+            - Yes, but needs special pref+confirmation box
+              - http://www.dynamic-tools.net/toolbox/copyToClipboard/
+          - They clear cache..
+          - Cookies:
+            - Use in-memory table that is different than their default
+              - This could fuck up our cookie storage options
+              - We could maybe prevent them from getting this
+                event by wrapping nsCookieService::Observe(). Lullz..
+          - NavHistory:
+            - XXX: nsNavHistory::AutoCompleteFeedback() doesn't track
+              awesomebar choices for feedback.. Is this done on disk?
+            - Don't add history entries
+            - We should block this observe event too if we can..
+          - The session store stops storing tabs
+            - We could block this observe
+          - XXX: They expunge private temporary files on exit from PMB
+            - This is not done normally until browser exit or
+              "on-profile-change"
+            - emits browser:purge-domain-data.. Mostly just for session
+              editing it appears
+            - Direct component query for pbs.privateBrowsingEnabled
+              - This is where we have no ability to provide certain option
+                control
+              - browser.js seems to prevent user from allowing blocked
+                popups?
+              - Some items in some places context menu get blocked:
+                - Can't delete items from history? placesContext_deleteHost
+              - nsCookiePermission::InPrivateBrowsing() calls direct
+                - but is irellevant
+              - Form history cannot be saved while in PBM.. :(
+              - User won't be prompted for adding login passwords..
+              - Can't remember prefs on content types
+              - Many components read this value upon init:
+                - This fucks up our observer game if tor starts enabled
+                - NavHistory and cookie and dl manager
+                - We could just wrap the bool on startup and lie
+                  and emit later... :/
+                  - Or! emit an exit and an enter always at startup if tor is
+                    enabled.
+  - Read iSec report
+  - Compare to Chrome
+    - API use cases
+- SessionStore
+  - Has been reworked with observers and write methods. Should use those.
+- security.enable_ssl2 to clear session id
+  - Still cleared
+- browser.sessionstore.max_tabs_undo
+  - Yep.
+- SafeBrowsing Update Key removed on cookie clear still?
+  - Yep.
+- Livemark updates have kill events now
+- Test if nsICertStore is still buggy...
+
+Third Pass: Exploit Auditing
+- Remote fonts
+- SVG with HTML
+- Javascript threads+locking
+- Ogg theora and vorbis codecs
+- SQLite
+
+
+- https://developer.mozilla.org/en/Firefox_3_for_developers
diff --git a/docs/audits/FF4_AUDIT b/docs/audits/FF4_AUDIT
new file mode 100644
index 0000000..7830eb3
--- /dev/null
+++ b/docs/audits/FF4_AUDIT
@@ -0,0 +1,50 @@
+- Review of https://developer.mozilla.org/en/Firefox_4_for_developers
+  - Potential proxy issues
+    - DocShell and plugins inside createHTMLDocument?
+      - https://developer.mozilla.org/en/DOM/DOMImplementation.createHTMLDocument
+    - WebSockets?
+    - Media attributes?
+      - "buffered"
+      - "preload"
+      - new codecs?
+    - What the hell is a blob url?
+      - https://developer.mozilla.org/en/DOM/window.createBlobURL
+      - https://developer.mozilla.org/en/DOM/window.revokeBlobURL
+      - Seems only relevent to FS injection..
+    - WebThreads are OK:
+      - https://developer.mozilla.org/En/Using_web_workers
+      - Network activity blocked by content policy
+  - Fingerprinting issues:
+    - New screen attributes
+      - https://developer.mozilla.org/en/DOM/window.mozInnerScreenX, Y
+    - High Res Animation Timers:
+      - https://developer.mozilla.org/en/DOM/window.mozAnimationStartTime
+      - https://developer.mozilla.org/en/DOM/Animations_using_MozBeforePaint
+        - 50-60hz max.. Can we leverage this?
+    - timeStamps on keystroke events
+      - https://developer.mozilla.org/en/DOM/event.timeStamp
+    - Bounding rectangles -> window sizes?
+      - Maybe not display sizes, but seems possible to fingerprint rendered
+        content size.. ugh.
+        - https://developer.mozilla.org/en/DOM/element.getBoundingClientRect
+        - https://developer.mozilla.org/en/dom:range
+    - CSS resize, media queries, etc..
+    - WebGL may also expose screen properties and video card properties:
+      - https://developer.mozilla.org/en/WebGL
+      - https://www.khronos.org/registry/webgl/specs/1.0/#5.2
+      - https://www.khronos.org/registry/webgl/specs/1.0/#5.11
+    - SVG needs auditing. It may also expose absolute coords, but appears OK
+      - https://developer.mozilla.org/en/SVG/SVG_animation_with_SMIL
+    - Mouse events reveal desktop coordinates
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=503943
+      - https://developer.mozilla.org/en/DOM/Event/UIEvent/MouseEvent
+      - Actual screen dimensions not exposed
+  - Identifier Storage
+    - Content Secuity Properties may need clearing:
+      - https://developer.mozilla.org/en/Security/CSP
+    - STS cache needs clearing
+    - New window.history functions may allow state smuggling
+      - https://developer.mozilla.org/en/DOM/Manipulating_the_browser_history
+
+- New Javascript hooking options may help improve Date() hooks:
+  - https://developer.mozilla.org/en/JavaScript/New_in_JavaScript/1.8.5



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits