Subscribe: Indistinguishable from Jesse
http://www.squarefree.com/feed/atom/

Indistinguishable from Jesse



Jesse Ruderman on Firefox, security, and more



Updated: 2015-08-26T06:52:29Z

 



Releasing jsfunfuzz and DOMFuzz

2015-08-26T06:52:29Z

Today I'm releasing two fuzzers: jsfunfuzz, which tests JavaScript engines, and DOMFuzz, which tests layout and DOM APIs.

[Embedded tweet: https://twitter.com/reimersjan/status/439538458538041344]

Over the last 11 years, these fuzzers have found 6450 Firefox bugs, including 790 bugs that were rated as security-critical. I had to keep these fuzzers private for a long time because of the frequency with which they found security holes in Firefox. But three things have changed that have tipped the balance toward openness.

First, each area of Firefox has been through many fuzz-fix cycles. So now I'm mostly finding regressions in the Nightly channel, and the severe ones are fixed well before they reach most Firefox users. Second, modern Firefox is much less fragile, thanks to architectural changes to areas that once oozed with fuzz bugs. Third, other security researchers have noticed my success and demonstrated that they can write similarly powerful fuzzers.

My fuzzers are no longer unique in their ability to find security bugs, but they are unusual in their ability to churn out reliable, reduced testcases. Each fuzzer alternates between randomly building a JS string and then evaling it. This construction makes it possible to make a reproduction file from the same generated strings. Furthermore, most DOMFuzz modules are designed so their functions will have the same effect even if other parts of the testcase are removed.

As a result, a simple testcase reduction tool can reduce most testcases from 3000 lines to 3-10 lines, and I can usually finish reducing testcases in less than 15 minutes. The ease of getting reduced testcases lets me afford to report less severe bugs. Occasionally, one of these turns out to be a security bug in disguise. But most importantly, these bug reports help me establish positive relationships with Firefox developers, by frequently saving them time.

[Embedded tweet: https://twitter.com/preinheimer/status/621730343314329600]

A JavaScript engine developer can easily spend a day trying to figure out why a web site doesn't work in Firefox. If instead I can give them a simple testcase that shows an incorrect result with a new JS optimization enabled, they can quickly find the source of the bug and fix it. Similarly, they much prefer reliable assertion testcases over bug reports saying "sometimes, Google Maps crashes after a while".

As a result, instead of being hostile to fuzzing, Firefox developers actively help me fuzz their code. They've added numerous assertions to their code, allowing fuzzers to notice as soon as the smallest thing goes wrong. They've fixed most of the bugs that impede fuzzing progress. And several have suggested new ways to test their code, even (especially) ways that scare them.

Developers working on the JavaScript engine have been especially helpful. First, they ensured I could test their code directly, apart from the rest of the browser. They already had a JavaScript shell for running regression tests, and they added a --fuzzing-safe option to disable the more dangerous testing functions. The JS team also created a large set of testing functions to let me control things that would normally be based on heuristics. Fuzzers can now choose when garbage collection happens and even how much. They can make expensive JITs kick in after 2 loop iterations rather than 100. Fuzzers can even simulate out-of-memory conditions. All of these things make it possible to create small, reliable testcases for nasty classes of bugs. Finally, the JS team has supported differential testing, a form of fu[...]
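The post describes two properties that make its testcases reliable: the fuzzer alternates between building a JS string and evaling it, logging each string so the log doubles as a reproduction file, and a simple line-based reducer then shrinks that file. The sketch below is an added example written for this page; it is not jsfunfuzz, DOMFuzz or the author's reduction tool. The toy grammar (three variables, a handful of operators), the engine state (an object evaluated with `with`), the LCG pseudo-random generator and the only failure it can hit (a TypeError from reading `.length` of a variable that is `undefined`) are all constructed for illustration.

```javascript
// Added example: a toy "build a JS string, eval it, log it" fuzz loop with
// replay and reduction. Not jsfunfuzz; grammar, state model, PRNG and failure
// condition are constructed for illustration.

// Small deterministic PRNG (LCG, constructed) so a run is reproducible from its seed.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (s * 1664525 + 1013904223) >>> 0;
    return s / 4294967296;
  };
}

// Generate one random statement over three variables. The only way to make the
// toy "engine" throw is to read .length of a variable that is currently undefined.
function genStatement(rng) {
  const vars = ["a", "b", "c"];
  const ops = ["+", "-", "*", "|", "&", "^"];
  const pick = (arr) => arr[Math.floor(rng() * arr.length)];
  const kind = rng();
  if (kind < 0.35) return `${pick(vars)} = ${Math.floor(rng() * 1000)};`;
  if (kind < 0.70) return `${pick(vars)} = ${pick(vars)} ${pick(ops)} ${pick(vars)};`;
  if (kind < 0.85) return `${pick(vars)} = [${pick(vars)}].length;`;
  if (kind < 0.95) return `${pick(vars)} = ${pick(vars)}.length;`;
  return `${pick(vars)} = undefined;`;
}

// Engine state: the three variables live on one object (constructed model).
function freshEnv() {
  return { a: 1, b: 1, c: 1 };
}

// Evaluate one generated string against the state, the way a fuzzer evals
// each string it builds. A fresh Function per statement keeps it simple.
function evalStatement(env, stmt) {
  new Function("env", "with (env) { " + stmt + " }")(env);
}

// Replay a list of statements from a fresh state and report the first throw.
// This is what running the reproduction file looks like.
function runTestcase(lines) {
  const env = freshEnv();
  for (let i = 0; i < lines.length; i++) {
    try {
      evalStatement(env, lines[i]);
    } catch (e) {
      return { threw: true, line: i, error: String(e) };
    }
  }
  return { threw: false, line: -1, error: null };
}

// The fuzz loop: alternate generate / eval, keeping every generated string in
// order. When something throws, the log is the reproduction file.
function fuzz(seed, iterations) {
  const rng = makeRng(seed);
  const env = freshEnv();
  const log = [];
  for (let i = 0; i < iterations; i++) {
    const stmt = genStatement(rng);
    log.push(stmt);
    try {
      evalStatement(env, stmt);
    } catch (e) {
      return { found: true, error: String(e), testcase: log.slice() };
    }
  }
  return { found: false, error: null, testcase: log.slice() };
}

// Line-based reducer (complement-only delta debugging): repeatedly try to drop
// a chunk of lines while the remaining lines still reproduce the failure.
function reduceTestcase(lines, interesting) {
  let current = lines.slice();
  let n = 2;
  while (current.length >= 2) {
    const chunk = Math.ceil(current.length / n);
    let reduced = false;
    for (let i = 0; i < current.length; i += chunk) {
      const candidate = current.slice(0, i).concat(current.slice(i + chunk));
      if (interesting(candidate)) {
        current = candidate;
        n = Math.max(n - 1, 2);
        reduced = true;
        break;
      }
    }
    if (!reduced) {
      if (n >= current.length) break;
      n = Math.min(n * 2, current.length);
    }
  }
  return current;
}

// "Interestingness" test for the reducer: the testcase must still throw.
const stillThrows = (lines) => runTestcase(lines).threw;
```

Because every statement either assigns a literal or reads variables that already exist, a failing log always reduces to two lines: the statement that leaves a variable undefined and the later statement that reads its `.length`. Lines in between only matter if they reassign that variable, which dropping them can never cause, so the reducer converges quickly even on logs with thousands of entries.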



Fuzzers love assertions

2014-07-14T21:57:08Z

Fuzzers make things go wrong. Assertions make sure we find out.

Assertions can improve code quality in many ways, but they truly shine when combined with fuzzing. Fuzzing is normally limited to finding obvious symptoms like crashes, because it's rare to be able to tell correct behavior from incorrect behavior when the input is generated randomly. Assertions expand the scope of fuzzing to include everything they check. Assertions can even help find crash bugs: some bugs are relatively easy for fuzzers to trigger, but only lead to crashes when additional conditions are met. A well-placed assertion can let us know every time we trigger the bug. Fuzzing JS and DOM has found about 4000 assertion bugs, including about 300 security bugs.

Asserting safe use of generic data structures

Assertions in widely-used data structures can find bugs in many callers.

- Array indices must be within bounds. This simple precondition assert in nsTArray has caught about 90 bugs.
- Hash tables must not be modified during enumeration. If the modification happened to resize the hash table, it would leave stack pointers dangling. This PLDHashTable assertion has caught over 50 bugs.
- Cached values should not be out of date. When a cache's get method takes a key and a closure for computing values in the case of a cache miss, debug builds can check whether the cached values are still correct. This is effectively a form of differential testing that notices bugs in cache-invalidation logic.

Asserting module invariants

When an entire module must maintain an invariant, a single assertion can catch dozens of bugs.

- Compartment mismatches. When a JS object in one page's compartment references an object in another, it must do so through a wrapper that enforces security policies. Without these assertions, we would have missed over 25 violations of Firefox's script security model.
- Phases of layout. These assertions have strings like "Should be in an update while creating frames" and "reflowing in the middle of frame construction". More phase and nesting assertions are wanted, but sometimes special cases like plugins get in the way.

Making the frame arena safer

Gecko's CSS box objects, called "frames", are created and destroyed manually. They are allocated within an arena to reduce malloc overhead and fragmentation. The arena also made it possible to reduce the risk associated with manual memory management. A combination of assertions (in debug builds) and runtime mitigations (in all builds) mitigates dangling pointer bugs that involve frames.

- When the arena is destroyed, debug builds assert that all objects in the arena were also destroyed. Over 60 bugs have been caught by the assertion. About half of the bugs that trigger the assertion can lead to exploitable crashes, but without a specially crafted testcase, they will not crash at all.
- While the arena is still alive, deleted frames are overwritten with a special poison pattern. If any code uses a pointer from a deleted frame, the browser will segfault safely. This mitigation, called frame poisoning, has prevented dozens of bugs from being exploitable.
- Writing over the poison trips another assertion. This assertion is actually more prone to catch hardware errors than software bugs, so it has been modified to help distinguish between the two.

Requests for Gecko developers

Please add assertions, especially when:

- A bug would be a security hole
- Crashing is not guaranteed
- Many callers must fulfill a precondition
- Complex, extensive code must maintain an invariant

Also consider: Ensure assertions in third-party libraries are enabled in debug builds of[...]
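The three data-structure assertions the post describes (an index precondition, a no-modification-during-enumeration guard, and a debug-only recompute that checks cached values) are easy to misunderstand as "just crash earlier". The block below is an added example, not Gecko code and not from the post: small JavaScript stand-ins for nsTArray, PLDHashTable and a cache, each with a check that only runs when a constructed `DEBUG` flag is on, plus two constructed scenarios showing a stale-cache bug and a modification during enumeration being caught at the point of the mistake rather than wherever the corrupted state is used later.

```javascript
// Added example, not Gecko code: three assertion patterns from the post as
// small JavaScript classes that can be exercised in Node.

// Stand-in for a debug build: the checks below run only when DEBUG is true,
// the way debug-only assertions compile out of release builds.
const DEBUG = true;

class AssertionFailure extends Error {}

function debugAssert(condition, message) {
  if (DEBUG && !condition) throw new AssertionFailure("Assertion failure: " + message);
}

// 1. Precondition assert on an array index (the nsTArray pattern): every
//    caller that computes a bad index is caught at the access, not at a crash.
class CheckedArray {
  constructor(items) { this.items = items.slice(); }
  get(i) {
    debugAssert(Number.isInteger(i) && i >= 0 && i < this.items.length,
                `index ${i} out of bounds (length ${this.items.length})`);
    return this.items[i];
  }
}

// 2. A table that asserts it is not modified while being enumerated (the
//    PLDHashTable pattern). The counter, not the Map, carries the invariant.
class GuardedTable {
  constructor() { this.map = new Map(); this.enumerating = 0; }
  set(key, value) {
    debugAssert(this.enumerating === 0, "table modified during enumeration");
    this.map.set(key, value);
  }
  remove(key) {
    debugAssert(this.enumerating === 0, "table modified during enumeration");
    this.map.delete(key);
  }
  forEach(fn) {
    this.enumerating++;
    try { for (const [k, v] of this.map) fn(k, v); }
    finally { this.enumerating--; }
  }
}

// 3. A cache whose debug-build get() recomputes on every hit and compares the
//    result with the cached value: differential testing of invalidation logic.
class CheckedCache {
  constructor(compute) { this.compute = compute; this.store = new Map(); }
  get(key) {
    if (this.store.has(key)) {
      const cached = this.store.get(key);
      if (DEBUG) {
        const fresh = this.compute(key);
        debugAssert(fresh === cached,
                    `stale cache entry for ${key}: cached ${cached}, fresh ${fresh}`);
      }
      return cached;
    }
    const value = this.compute(key);
    this.store.set(key, value);
    return value;
  }
  invalidate(key) { this.store.delete(key); }
}

// True if fn trips a debug assertion; any other exception is a real bug and is re-thrown.
function tripsAssertion(fn) {
  try { fn(); return false; }
  catch (e) { if (e instanceof AssertionFailure) return true; throw e; }
}

// Constructed scenario: a word-count cache over a mutable document. With
// invalidateOnChange=false the second get() hits a stale entry.
function wordCountAfterEdit(invalidateOnChange) {
  const doc = { text: "one two three" };
  const cache = new CheckedCache((key) => doc[key].split(/\s+/).length);
  cache.get("text");                                  // miss: computes 3 and stores it
  doc.text = "one two three four";                    // the document changes...
  if (invalidateOnChange) cache.invalidate("text");   // ...and the cache may not hear about it
  return cache.get("text");                           // hit: debug recompute compares 4 with the stored value
}

// Constructed scenario: removing a key from inside the enumeration callback.
function removeDuringEnumeration() {
  const table = new GuardedTable();
  table.set("x", 1);
  table.set("y", 2);
  table.forEach((key) => { if (key === "x") table.remove("y"); });
  return table.map.size;
}
```

The cache check is the expensive one: in debug builds every hit costs a full recompute, which is exactly the trade the post describes, since a fuzzer running against a debug build then notices a missed invalidation on the first stale read instead of on whatever incorrect rendering or crash eventually follows.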



Customizing the Mozilla Manifesto

2014-07-14T21:57:15Z

I have mixed feelings about requiring Mozillians to “agree” to the Mozilla Manifesto. I get the impression that many volunteers aren’t fond of “commercial involvement” (9). Firefox development often does not live up to the ideals of absolute security (4) or transparency (8), so we’d be asking new contributors to commit to behavior for which they may have little support.

Meanwhile, the manifesto is oddly silent on two issues that many Mozillians care about deeply. First, it says little about privacy. “Shaping your own experience on the Internet” (5) suggests control over customized ads, but not control over tracking by advertisers or governments.

Second, the manifesto does not adequately address removing barriers to contribution or promoting inclusiveness in community processes. The relevant principles (6, 8) are worded as vague beliefs rather than strong values. Compare with my favorite part of the Ada Initiative FAQ:

“Open technology and culture are shaping the future of global society. If we want that society to be socially just and to serve the interests of all people, [all kinds of people] must be involved in its creation and organization.”

Rather than asking each Mozillian to agree to the entire manifesto, let’s instead encourage everyone to Likert the 10 existing principles and add a few of their own.

Indicating how you feel about each principle is more memorable than clicking “Agree” once. Each Mozillian would have a personal version of the Manifesto to remind them what drives them to contribute. Such a survey could also lead to better understanding of the community and suggest improvements to the Manifesto.




Mobile apps for car-free living

2012-06-05T15:53:38Z

[Photo: Swings on BART (photo by Audrey Penven)]

Each of these apps makes transit more efficient or convenient. Together, they can do something almost magical: make transit attractive to urbanites who previously saw owning a car as a necessity.

Planning your trips

These apps try to find the best way to reach your destination by combining timetables from multiple transit agencies:

- Google Maps [Learn more] shows your current location along with walking, transit, or driving directions. In the iPhone app, you can double-tap the locator button to align the map with the iPhone's compass.
- HopStop [iOS | Android] lets you specify whether you prefer trains or buses, and whether you prefer walking or waiting for a transfer. It shows a zoomed-in map for each transfer.
- Reroute.it lets you quickly compare modes of transportation before getting directions.

Catching your ride

Routesy, Nextime, and Nextbus use real-time transit data to help you make quick decisions on familiar routes. For example, you'll know when to walk to your stop, when to run, and when to wait inside.

Not missing your stop

A location-based alarm, such as Get Off Now or GPSAlarms, can allow you to nap, read, or work without worrying about missing your stop. These apps can run in the background and have surprisingly little effect on battery life. They use power-hungry GPS only when cell/wifi location data indicates that you are somewhat close.

Staying productive and entertained

One of the biggest advantages of public transportation is being able to get things done while in transit. Some people check email, watch TV shows, or even order from Chipotle using their phones.

I often use time on the train to read articles. Whenever I find myself with too many Wikipedia tabs open, I send them to my phone using the Instapaper or Spool bookmarklet. Sometimes I read books on my phone using the Amazon Kindle app.

Getting a car when you need one

The Zipcar app lets you borrow cars from Zipcar locations, while Getaround lets you borrow cars from awesome neighbors. Or you can pay for a ride using Taxi Magic or Uber.

More reading

Some transit authorities recommend apps for their cities: San Francisco, New York, Chicago, Seattle, and Portland, Oregon.

In my next posts, I'll list my ideas for new transit apps and explain how platforms could better support location-aware apps. [...]



Fuzzing for consistent rendering

2014-02-03T03:52:31Z

My DOM fuzzer can now find bugs where the layout of a DOM tree depends on its history. In this example, forcing a re-layout swapped a “1” and “3” on the screen. My fuzzer didn’t know which rendering was correct, but it could tell that Firefox was being inconsistent.

Initial DOM tree:

    DIV
      ت
      SPAN
        1
        SPAN
          3

    Rendering: 31ت

Random change: remove the inner span

    DIV
      ت
      SPAN
        1
        3

    Rendering: 31ت

Force re-layout

    DIV
      ت
      SPAN
        1
        3

    Rendering: 13ت

Gecko developer Simon Montagu quickly determined that 13ت is the correct rendering and attached a patch. Later, when a user reported that the bug affected Persian comments on Facebook, we were able to backport Simon’s fix to Firefox 11.

How it works

The fuzzer starts by making random dynamic changes to a page. Then it compares two snapshots: one taken immediately after the dynamic changes, and another taken after also forcing a relayout. To force a relayout, it removes the root from the document and then adds it back:

    var r = document.documentElement;
    document.removeChild(r);
    document.appendChild(r);

Like reftest, it uses drawWindow() to take snapshots and compareCanvases() to compare them. In theory, I could also look for bugs where dynamic changes do not repaint enough of the window. But I've been told that testing for painting invalidation bugs is tricky, so I'll wait until most of the layout bugs are fixed.

Exceptions

Since the testcases are random, I have to be heavy-handed in ignoring known bugs. If I file a rendering bug where the weirdest part of the testcase is floats, I'll have the fuzzer ignore inconsistent rendering in testcases with floats until the bug is fixed. The current list of exceptions is fairly large and includes key web technologies:

- CSS border/padding (bug 718452)
- CSS position: relative/absolute (bug 728100)
- CSS float (bug 725928)
- Non-ASCII text (bug 726460)
- Right-to-left text (bug 730562) (bug 467723)
- MathML (bug 522393)
- SVG (bug 723376, bug 475216)
- Anything that causes coordinate overflow
- Anything that causes assertion failures (which are tracked separately)

[...]



Renting movies is hard

2012-03-26T18:10:52Z

None of the major video rental systems appeal to me:

- Redbox is for people who visit the grocery store two days in a row. (Why don't they put kiosks at train stations?)
- Netflix DVD-by-mail is for people who watch lots of movies and check snail mail daily.
- Amazon Instant Video is for people who live […]

The iTunes Store mostly works for my current set of devices, but all the movies I want to watch are either too new or too obscure for them to have rentals available.

Maybe I should sign up for Netflix but use other means to actually watch movies. At least then Hollywood will have enough money to make good films, buy politicians, print and distribute billions of optical discs, prevent paying customers from exercising their fair use rights, and sue my neighbors.