[tor-commits] [tor-browser-spec/master] Add new and old Firefox code audit notes.
mikeperry at torproject.org
Mon Apr 28 15:18:48 UTC 2014
commit e4601b80e9215bbc2e7d449e4d5e7890f6b7246a
Author: Mike Perry <mikeperry-git at fscked.org>
Date: Thu Feb 7 14:55:18 2013 -0800
Add new and old Firefox code audit notes.
---
docs/audits/FF17_FEATURE_AUDIT | 19 ++++
docs/audits/FF17_NETWORK_AUDIT | 84 +++++++++++++++++
docs/audits/FF3.5_AUDIT | 195 ++++++++++++++++++++++++++++++++++++++++
docs/audits/FF4_AUDIT | 50 +++++++++++
4 files changed, 348 insertions(+)
diff --git a/docs/audits/FF17_FEATURE_AUDIT b/docs/audits/FF17_FEATURE_AUDIT
new file mode 100644
index 0000000..b135c0a
--- /dev/null
+++ b/docs/audits/FF17_FEATURE_AUDIT
@@ -0,0 +1,19 @@
+- Can calc() accept device-width/height?
+ - No. Numbers only.
+ - Can viewport/meta viewport accept them?
+ - nsContentUtils::GetViewportInfo() might be the only place..
+ - nsContentUtils::ProcessViewportInfo()
+ - Viewport seems unused on all but mobile
+ - Maybe worth testing..
+
+- currentColor: OK
+- scrollMax: OK
+- IdleAPI: FirefoxOS only, but still present w/ pref??
+ - Throws "The operation is insecure" exception
+ - Disabled for content. WebApp only.
+
+- Web Activities
+ - Seems unfinished and unexported to content
+
+- RegisterContent/ProtocolHandler -> Third party supercookie??
+ - asks for confirmation
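Review bot: Several items in this file end in open questions ("still present w/ pref??", "Maybe worth testing..", "Third party supercookie??") with no recorded disposition, so a later reader cannot tell which were closed and which still need work; for each, add a one-line result (confirmed/not reproducible/deferred) next to the question. In particular the RegisterContent/ProtocolHandler item concludes only "asks for confirmation": the prompt limits silent registration, but the note should also state where the registration is stored and whether it is cleared on identity change, since that is what decides the supercookie question. The viewport item should likewise record the outcome of the test it proposes rather than leaving "Maybe worth testing.." as the final state.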
diff --git a/docs/audits/FF17_NETWORK_AUDIT b/docs/audits/FF17_NETWORK_AUDIT
new file mode 100644
index 0000000..8ec25ba
--- /dev/null
+++ b/docs/audits/FF17_NETWORK_AUDIT
@@ -0,0 +1,84 @@
+
+Lowest level resolver calls:
+ - PR_GetHostByName
+ + ./profile/dirserviceprovider/src/nsProfileLock.cpp
+ + nsProfileLock::LockWithSymlink
+ + ./security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+ - pkix_pl_Socket_CreateByHostAndPort()
+ - pkix_pl_Socket_CreateByName()
+ - ./security/nss/lib/certhigh/ocsp.c
+ - ocsp_ConnectToHost()
+ + ./security/nss/cmd/libpkix/pkix_pl/module/test_socket.c
+ + ./security/nss/cmd/vfyserv/vfyserv.c
+ - ./media/webrtc/trunk/src/modules/udp_transport/source/udp_transport_impl.cc (!!!)
+ --disable-webrtc!!!
+ + PR_GetAddrInfoByName
+ + ./security/nss/cmd/ssltap/ssltap.c
+ + ./security/nss/cmd/tstclnt/tstclnt.c
+ + ./security/nss/cmd/strsclnt/strsclnt.c
+
+Direct paths to DNS resolution:
+ + nsDNSService::Resolve
+ + nsDNSService::AsyncResolve
+ + nsHostResolver::ResolveHost
+
+Misc UDP (SOCK_DGRAM, PR_DESC_SOCKET_UDP):
+ + ./nsprpub/pr/src/io/prsocket.c
+ + PR_NewUDPSocket
+ + PR_OpenUDPSocket
+ + PR_Socket
+ + ./nsprpub/pr/src/pthreads/ptio.c
+ + ./netwerk/socket/nsUDPSocketProvider.cpp
+
+Misc TCP (SOCK_STREAM, PR_DESC_SOCKET_TCP):
+ + ./nsprpub/pr/src/pthreads/ptio.c
+ - ./nsprpub/pr/src/io/prsocket.c
+ - PR_NewTCPSocket
+ - PR_Socket
+ - PR_OpenTCPSocket
+ + ./nsprpub/pr/src/misc/prnetdb.c
+ + TCPSocket:
+ + ./security/manager/ssl/src/nsNSSIOLayer.cpp
+ + nsSSLIOLayerNewSocket()
+ + ./security/nss/lib/certhigh/ocsp.c
+ + ocsp_SendEncodedRequest
+ + ./security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+ + pkix_pl_Socket_CreateClient
+ + pkix_pl_Socket_CreateServer
+
+Misc PR_Socket:
+ + ./nsprpub/pr/src/cplus/rcnetio.cpp
+ + RCNetStreamIO::RCNetStreamIO
+
+Misc XPCOM:
+ - *SocketProvider
+ + newSocket
+ + ./netwerk/base/src/nsSocketTransport2.cpp:
+ + addToSocket
+ + @mozilla.org/network/socket:
+ + createTransport()
+ + ./netwerk/protocol/http/nsHttpConnectionMgr.cpp
+ + ./netwerk/protocol/ftp/nsFtpConnectionThread.cpp:
+ + ./netwerk/protocol/ftp/nsFtpControlConnection.cpp:
+ + ./dom/network/src/TCPSocket.js
+ + open()
+
+Android may have DNS leaks..
+ - ./mobile/android/base/httpclientandroidlib/impl/conn/DefaultClientConnectionOperator.java
+
+nsDNSService/nsPIDNSService/nsIDNSService
+ + calls nsHostResolver::ResolveHost
+ + used by:
+ + DNS prefetch (disabled)
+ + ./netwerk/base/src/nsIOService.cpp (offline mode only)
+ + ./netwerk/build/nsNetModule.cpp
+ + ./netwerk/protocol/websocket/WebSocketChannel.cpp
+ + ./netwerk/build/nsNetCID.h
+ + ./netwerk/socket/nsSOCKSIOLayer.cpp (proxy lookup only)
+
+netwerk/base/src/nsSocketTransport2.cpp
+ + nsSocketTransport::ResolveHost() has proper remote dns checks
+ + Resolution is done by using hostname as sockaddr
+ + PROXY_RESOLVES_HOST
+
+
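Review bot: The list mixes `+` and `-` bullets (e.g. `+ ./profile/dirserviceprovider/src/nsProfileLock.cpp` versus `- ./security/nss/lib/certhigh/ocsp.c`) without saying what the two markers mean; if `-` marks a call site that still needs a verdict and `+` one that was checked, state that legend at the top of the file so the markers carry information. The entries under "Lowest level resolver calls" that reach PR_GetHostByName directly, such as `ocsp_ConnectToHost()` and the pkix socket helpers, are listed without a conclusion on whether they can run in the shipped configuration, while the webrtc entry is resolved with a build flag ("--disable-webrtc!!!"); give the NSS entries the same treatment, and record the build-flag mitigation in the build documentation so it is verified at build time rather than only in an audit note. The final section on nsSocketTransport::ResolveHost() (PROXY_RESOLVES_HOST) is the positive finding that justifies the rest; a sentence stating that all content-path resolution is expected to go through it would make the file's structure clear.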
diff --git a/docs/audits/FF3.5_AUDIT b/docs/audits/FF3.5_AUDIT
new file mode 100644
index 0000000..35a9fbf
--- /dev/null
+++ b/docs/audits/FF3.5_AUDIT
@@ -0,0 +1,195 @@
+First pass: Quick Review of Firefox Features
+- Video Tag
+ - Docs:
+ - https://developer.mozilla.org/En/HTML/Element/Audio
+ - https://developer.mozilla.org/En/HTML/Element/Video
+ - https://developer.mozilla.org/En/HTML/Element/Source
+ - https://developer.mozilla.org/En/Manipulating_video_using_canvas
+ - https://developer.mozilla.org/En/nsIDOMHTMLMediaElement
+ - https://developer.mozilla.org/En/Media_formats_supported_by_the_audio_and_video_elements
+ - http://en.flossmanuals.net/TheoraCookbook
+ - nsIContentPolicy is checked on load
+ - Uses NSIChannels for initial load
+ - Wrapped in nsHTMLMediaElement::mDecoder
+ - is nsOggDecoder() or nsWaveDecoder()
+ - liboggplay
+ - Governed by media.* prefs
+ - Preliminary audit shows they do not use the liboggplay tcp functions
+- Geolocation
+ - Wifi:
+ - https://developer.mozilla.org/En/Monitoring_WiFi_access_points
+ - Requires security policy to allow. Then still prompted
+ - navigator.geolocation
+ - Governed by geo.enabled
+ - "2 week access token" is set
+ - geo.wifi.access_token.. Clearing is prob a good idea
+ - http://mxr.mozilla.org/mozilla1.9.1/source/dom/src/geolocation/NetworkGeolocationProvider.js
+ - https://developer.mozilla.org/En/Using_geolocation
+- DNS prefetching after toggle
+ - prefetch pref? Always disable for now?
+ - network.dns.disablePrefetch
+ - Also disabled in netwerk/dns/src/nsDNSService2.cpp when manual proxies
+ are set..
+ - This should prevent prefetching of non-tor urls in tor mode..
+ - But the reverse is unclear.
+ - DocShell attribute!!1 YAY
+ - http://www.oxymoronical.com/experiments/apidocs/interface/nsIDocShell
+ - "Takes effect for the NEXT document loaded...."
+ - Do we win this race? hrmm.. If we do, the tor->nontor direction
+ should also be safe.
+ - Content policy called?
+ - No. See content/html/content/src/nsHTMLDNSPrefetch.cpp
+- Storage
+ - https://developer.mozilla.org/en/Storage
+ - "It is available to trusted callers, meaning extensions and Firefox
+ components only."
+- New content policy
+ - Content Security Policy. Addon-only
+- "Offline resources"
+ - https://developer.mozilla.org/en/Offline_resources_in_Firefox
+ - https://developer.mozilla.org/en/nsIApplicationCache
+ - browser.cache.offline.enable toggles
+ - browser.cache.disk.enable does not apply. Seperate "device".
+ - Does our normal cache clearing mechanism apply?
+ - We call nsICacheService.evictEntries()
+ - May need: nsOfflineCacheDevice::EvictEntries(NULL)
+ - Code is smart enough to behave cleanly if we simply set
+ browser.cache.offline.enable or enable private browsing.
+- Mouse gesture and other new DOM events
+- Fonts
+ - Remote fonts obey content policy. Good.
+ - XXX: Are they cached independent of regular cache? Prob not.
+ - Hrmm can probe for installed fonts:
+ http://remysharp.com/2008/07/08/how-to-detect-if-a-font-is-installed-only-using-javascript/
+ http://www.lalit.org/lab/javascript-css-font-detect
+ http://www.ajaxupdates.com/cssjavascript-font-detector/
+ http://code.google.com/p/jquery-fontavailable/
+- Drag and drop
+ - https://developer.mozilla.org/En/DragDrop/Drag_and_Drop
+ - https://developer.mozilla.org/En/DragDrop/Drag_Operations
+ - https://developer.mozilla.org/En/DragDrop/Dragging_and_Dropping_Multiple_Items
+ - https://developer.mozilla.org/En/DragDrop/Recommended_Drag_Types
+ - https://developer.mozilla.org/En/DragDrop/DataTransfer
+ - Should be no different than normal url handling..
+- Local Storage
+ - https://developer.mozilla.org/en/DOM/Storage#localStorage
+ - Disabled by dom storage pref..
+ - Private browsing mode has its own DB
+ - Memory only?
+ - Disk Avoidance of gStorage and local storage:
+ - mSessionOnly set via nsDOMStorage::CanUseStorage()
+ - Seems to be set to true if cookies are session-only or private
+ browsing mode
+ - Our cookies are NOT session-only with dual cookie jars
+ - but this is ok if we clear the session storage..
+ - XXX: Technically clearing session storage may break
+ sites if cookies remain though
+ - nsDOMStoragePersistentDB not used if mSessionOnly
+ - Can clear with nsDOMStorage::ClearAll() or nsIDOMStorage2::clear()?
+ - These only work for a particular storage. There's both global now
+ and per-origin storage instances
+ - Each docshell has tons of storages for each origin contained in it
+ - Toggling dom.storage.enabled does not clear existing storage
+ - Oh HOT! cookie-changed to clear cookies clears all storages!
+ - happens for both ff3.0 and 3.5 in dom/src/storage/nsDOMStorage.cpp
+ - Conclusion:
+ - can safely enable dom storage
+ - May have minor buggy usability issues unless we preserve it
+ when user is preserving cookies..
+
+Second Pass: Verification of all Torbutton Assumptions
+- "Better privacy controls"
+ - Basically UI stuff for prefs we set already
+ - address bar search disable option is interesting, but not
+ torbutton's job to toggle. Users will hate us.
+- Private browsing
+ - https://developer.mozilla.org/En/Supporting_private_browsing_mode
+ - We should consider an option (off by default) to enable PBM during
+ toggle
+ - It is a good idea because it will let our users use DOM storage
+ safely and also may cause their plugins and other addons to be
+ safe
+ - Doing it always will cause the user to lose fine-grained control
+ of many settings
+ - Also we'll need to prevent them from leaving without toggling tor
+ - Stuff the emit does (grep for NS_PRIVATE_BROWSING_SWITCH_TOPIC and
+ "private-browsing")
+ - XXX: clear mozilla.org/security/sdr;1. We should too! Wtf is it??
+ - Neg. Best to let them handle this. Users will be annoyed
+ at having to re-enter their passwords..
+ - They also clear the console service..
+ - Recommend watching private-browsing-cancel-vote and blocking if
+ we are performing a db operation
+ - Maybe we want to block transitions during our toggle for safety
+ - XXX: They also clear general.open_location.last_url
+ - XXX: mozilla.org/permissionmanager
+ - XXX: mozilla.org/content-pref/service
+ - XXX: Sets browser.zoom.siteSpecific to false
+ - Interesting.. They clear their titles.. I wonder if some
+ window managers log titles.. But that level of surveillance is
+ unbeatable..
+ - XXX: Unless there is some way for flash or script to read titles?
+ - They empty the clipboard..
+ - Can js access the clipboard?? ...
+ - Yes, but needs special pref+confirmation box
+ - http://www.dynamic-tools.net/toolbox/copyToClipboard/
+ - They clear cache..
+ - Cookies:
+ - Use in-memory table that is different than their default
+ - This could fuck up our cookie storage options
+ - We could maybe prevent them from getting this
+ event by wrapping nsCookieService::Observe(). Lullz..
+ - NavHistory:
+ - XXX: nsNavHistory::AutoCompleteFeedback() doesn't track
+ awesomebar choices for feedback.. Is this done on disk?
+ - Don't add history entries
+ - We should block this observe event too if we can..
+ - The session store stops storing tabs
+ - We could block this observe
+ - XXX: They expunge private temporary files on exit from PMB
+ - This is not done normally until browser exit or
+ "on-profile-change"
+ - emits browser:purge-domain-data.. Mostly just for session
+ editing it appears
+ - Direct component query for pbs.privateBrowsingEnabled
+ - This is where we have no ability to provide certain option
+ control
+ - browser.js seems to prevent user from allowing blocked
+ popups?
+ - Some items in some places context menu get blocked:
+ - Can't delete items from history? placesContext_deleteHost
+ - nsCookiePermission::InPrivateBrowsing() calls direct
+ - but is irellevant
+ - Form history cannot be saved while in PBM.. :(
+ - User won't be prompted for adding login passwords..
+ - Can't remember prefs on content types
+ - Many components read this value upon init:
+ - This fucks up our observer game if tor starts enabled
+ - NavHistory and cookie and dl manager
+ - We could just wrap the bool on startup and lie
+ and emit later... :/
+ - Or! emit an exit and an enter always at startup if tor is
+ enabled.
+ - Read iSec report
+ - Compare to Chrome
+ - API use cases
+- SessionStore
+ - Has been reworked with observers and write methods. Should use those.
+- security.enable_ssl2 to clear session id
+ - Still cleared
+- browser.sessionstore.max_tabs_undo
+ - Yep.
+- SafeBrowsing Update Key removed on cookie clear still?
+ - Yep.
+- Livemark updates have kill events now
+- Test if nsICertStore is still buggy...
+
+Third Pass: Exploit Auditing
+- Remote fonts
+- SVG with HTML
+- Javascript threads+locking
+- Ogg theora and vorbis codecs
+- SQLite
+
+
+- https://developer.mozilla.org/en/Firefox_3_for_developers
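Review bot: The DNS prefetch section leaves the race in the open ("Do we win this race? hrmm.. If we do, the tor->nontor direction should also be safe.") while the Local Storage section reaches a definite "Conclusion:"; the prefetch item should end the same way, with the observed outcome of toggling network.dns.disablePrefetch versus relying on the DocShell attribute that "Takes effect for the NEXT document loaded". The Local Storage conclusion "can safely enable dom storage" rests on the single observation that cookie-changed clears all storages in dom/src/storage/nsDOMStorage.cpp; note the test that confirmed it so the conclusion can be re-checked on the next version. Spelling: "Seperate" should be "Separate" and "irellevant" should be "irrelevant". The trailing link to Firefox_3_for_developers, separated by two blank lines from "Third Pass: Exploit Auditing", reads as orphaned; move it under a "References" or "Docs" line as the earlier sections do.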
diff --git a/docs/audits/FF4_AUDIT b/docs/audits/FF4_AUDIT
new file mode 100644
index 0000000..7830eb3
--- /dev/null
+++ b/docs/audits/FF4_AUDIT
@@ -0,0 +1,50 @@
+- Review of https://developer.mozilla.org/en/Firefox_4_for_developers
+ - Potential proxy issues
+ - DocShell and plugins inside createHTMLDocument?
+ - https://developer.mozilla.org/en/DOM/DOMImplementation.createHTMLDocument
+ - WebSockets?
+ - Media attributes?
+ - "buffered"
+ - "preload"
+ - new codecs?
+ - What the hell is a blob url?
+ - https://developer.mozilla.org/en/DOM/window.createBlobURL
+ - https://developer.mozilla.org/en/DOM/window.revokeBlobURL
+ - Seems only relevent to FS injection..
+ - WebThreads are OK:
+ - https://developer.mozilla.org/En/Using_web_workers
+ - Network activity blocked by content policy
+ - Fingerprinting issues:
+ - New screen attributes
+ - https://developer.mozilla.org/en/DOM/window.mozInnerScreenX, Y
+ - High Res Animation Timers:
+ - https://developer.mozilla.org/en/DOM/window.mozAnimationStartTime
+ - https://developer.mozilla.org/en/DOM/Animations_using_MozBeforePaint
+ - 50-60hz max.. Can we leverage this?
+ - timeStamps on keystroke events
+ - https://developer.mozilla.org/en/DOM/event.timeStamp
+ - Bounding rectangles -> window sizes?
+ - Maybe not display sizes, but seems possible to fingerprint rendered
+ content size.. ugh.
+ - https://developer.mozilla.org/en/DOM/element.getBoundingClientRect
+ - https://developer.mozilla.org/en/dom:range
+ - CSS resize, media queries, etc..
+ - WebGL may also expose screen properties and video card properties:
+ - https://developer.mozilla.org/en/WebGL
+ - https://www.khronos.org/registry/webgl/specs/1.0/#5.2
+ - https://www.khronos.org/registry/webgl/specs/1.0/#5.11
+ - SVG needs auditing. It may also expose absolute coords, but appears OK
+ - https://developer.mozilla.org/en/SVG/SVG_animation_with_SMIL
+ - Mouse events reveal desktop coordinates
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=503943
+ - https://developer.mozilla.org/en/DOM/Event/UIEvent/MouseEvent
+ - Actual screen dimensions not exposed
+ - Identifier Storage
+ - Content Secuity Properties may need clearing:
+ - https://developer.mozilla.org/en/Security/CSP
+ - STS cache needs clearing
+ - New window.history functions may allow state smuggling
+ - https://developer.mozilla.org/en/DOM/Manipulating_the_browser_history
+
+- New Javascript hooking options may help improve Date() hooks:
+ - https://developer.mozilla.org/en/JavaScript/New_in_JavaScript/1.8.5
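Review bot: "Content Secuity Properties may need clearing" under Identifier Storage is both misspelled and imprecise; the linked page is the CSP documentation, so the line should name the concrete state to clear, and the neighbouring "STS cache needs clearing" should likewise say where that cache lives, since neither item is actionable as written. The fingerprinting entry "50-60hz max.. Can we leverage this?" is ambiguous about direction; state the intended conclusion (that the paint-driven timer's resolution is bounded by the refresh rate, which limits its use as a high-resolution clock) rather than a question. Spelling: "relevent" should be "relevant".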