Talking Firefox security with Mozilla's Window Snyder

During a sit-down chat at the Black Hat security conference here, Snyder announced plans to launch three new initiatives around threat modeling, training and vulnerability metrics that push the envelope around sharing and collaborating with the rest of the industry.

The most interesting of three centers around a formal threat modeling process for Firefox Next, the next major browser makeover coming from Mozilla.

Snyder has hired New York-based consultants Matasano Security to pore over the Firefox code to find potential attack vectors and other weaknesses and recommend mitigations to harden the browser from hacker attacks.  When the threat modeling work is done, Snyder will do something unprecedented -- the information (threats and mitigations) will be released to the public.

"No other vendor does that.   We'll release all the information on the threats we identified [and] what the mitigations are.   We want people in the industry to know all of the potential weaknesses we thought of and everything we did to minimize the risks.   The idea is to engage the community and get feedback.  We want to share everything we learn," Snyder said.

Only one caveat: If an identified threat vector hasn't been mitigated, that information will not be released.

"We want security researchers to get an idea of the level of threats we tolerate.  I think it's useful for the security research community to see what a complex product like Firefox looks like.

TRAINING

The second product -- training around secure coding practice -- is being done in partnership with IOActive and Snyder says all the classes and information will be released to the public.

Starting later this summer, IOActive trainers will work with Mozilla engineers on C and C++  secure programming practices.   In this round, the instructors will focus on implementation level constructs that sometimes result in vulnerabilities and, once the classes are done, everything will be made available to the public.

In Snyder's mind, the training information will be incredibly useful for an organization without the budget for a dedicated security team. All the slides from the classes will be released along with the syllabus and classroom exercises.  "We'll be delivering the training in-house to our developers, then we'll make the material available broadly," Snyder said.

A Web version of the classes will also be released.

Eventually, Snyder plans to add new classes on secure programming with JavaScript and other secure development practices that are something ignored by programmers.

SECURITY METRICS

The security metrics project, which is being done in collaboration with indie consultant Rich Mogull, is already underway and progressing very well, Snyder says.  "We're in the early phase, working on incorporating feedback from the rest of the industry.  Carnegie Mellon is working on something similar and we're talking to them, seeing what we can do together."

[ SEE: Can Mozilla’s security metrics project end the patch-counting nonsense? ]

We're trying to figure out how to do it.  Do we use data from Bugzilla?  Where will the raw data come from?  That's where we are now, trying to figure out how to incorporate the early feedback

Once that's done, we move to the implementation phase and use the data to identify useful trends," she added.

A key part of the project, Snyder stressed, is the use of the community to flesh out the project and the final plan to release everything publicly.

"We're not just developing something to measure the success of Mozilla security over time but this is something others can use on their own," she added.

Some other tidbits from our chat:

• Cross-site XMLHttpRequest will be included in Firefox 3.1, which is due in the fall.  The API, which is used by Javascript and other scripting languages to transfer data between browsers and Web servers, did not make the cut for Firefox 3.0 because of security concerns but, after some internal debate, Snyder says a decision has been made to put it into the next revision.
• Private Browsing, a feature that puts Firefox into a temporary state where no information about the user's browsing session is stored locally, will not make it into the next revision.  We could implement private browsing in some fashion right not but, to do it properly, we will need to do some complex re-architecting.  We want to make sure it's true private browsing so it's something that will take time but it's coming.
• Firefox 3.0 has incorporated several anti-exploitation mechanisms, including ASLR (Address Space Layout Randomization) and NX (No eXecute).
• Protected Mode won't be coming to Firefox anytime soon.  "It's not something we can do in a dot release but it's on the list of features that I request at every opportunity," Snyder says.   "It's coming.  It's a feature that there's a lot of buy-in for but it's not a small change.  It will show up in a future version but not in do-releases.
• There are discussions happening internally at Mozilla around adding NoScript functionality into the core browser.  "It's a conversation we're having.  I'd love to see it in there."