Changes between Initial Version and Version 1 of SecurityIssuesinWebKit2016

Oct 27, 2016 2:37:55 PM (7 years ago)
Jon Davis



  • SecurityIssuesinWebKit2016

    v1 v1  
     1= Security Issues in WebKit =
     3//Brent Fulgham, Apple//
     5Bugs come in a variety of forms
     6- Bugs that allow arbitrary code execution
     7- exposing private customer data
     8- spoof content to fool the user
     10Security bugs come with deadlines
     11- usually 90 days from notification
     13Security bugs are closely watched
     14- Big industry, and reporters want to get their credit
     15- reputations are made and broken on the catalogue of CVE numbers they have
     16- More scrutiny than other bugs
     18Fixing security bugs may hurt your friends
     19- checking in a fix or shipping may 0-day other ports
     21Our Problem
     22- We’re an open source project
     23- how do we fix without advertising the problem to attackers?
     25Our Guidelines
     26- Put the bug in the Security component
     27        - Only visible to the originator, Security team, people CC’d on the bug
     28        - Opened up to everyone one year after WebKit ships the fix
     30Security Component Problems
     31- Check-ins attached to “Invisible” security bugs are a red flag
     32- EWS and commit-queue do not run on Security bugs :-(
     34Choose Wording Carefully
     35- arbitrary code execution, buffer overflow, buffer overrun, buffer underrun, CVE, dangling, pointer, double free, fuzzer, fuzzing, fuzz test, invalid, cast, malicious, memory corruption, security bug, security flaw, use after free, UXSS, vulnerability, spoofing, ZDI
     36- Don’t use these words
     37- Ultimately how do we shorten the time from the security bug knowledge to a fix running on user’s devices?
     39Test Case Hygene
     40- Avoid using “exploit-y” test cases
     41- often the underlying cause of a security bug can be tested with a benign layout test
     43Communication is Key
     44- Anyone shipping WebKit should be represented in the WebKit Security Team
     45- Several flavors: one is to be a vendor contact that can get notified
     46- Ideally WebKit ports should coordinate releases
     47        - If Apple ships an OS update, GTK or Sony could ship updates as well