Friday, December 15, 2006

Mozilla Virtual Patching

I've always wondered whether you could build a useful "virtual" patch extension for Firefox. What I mean is this: real patches, or security updates, are not released until they're fully tested not to break core features or external plugins; some security improvements involve creating new GUIs and modifying default preferences; and the coders want to solve the problem "correctly" the first time, at its root, rather than band-aiding it and having to solve it over and over again. But what about the time it takes to get a real "fix" done correctly? Between the time a problem is discovered and the time it is fixed, it can take a few weeks for a critical security bug and literally years for some security-enhancing fixes. What if I'm willing to live with a band-aid or an imperfect GUI in the meantime, in the name of security? What if a corporation is willing to live with these band-aids as well?

Design ideas
1. A simple extension where a user can optionally enable/disable security-related prefs on a per-site or global basis (like NoScript, but more granular and going beyond JavaScript and plugins). I believe Mozilla does have the ability to disable particular JavaScript commands on a per-site basis; there is just no GUI for it.
2. If possible, I would not want to change the original code at all, just override functions externally (can I do this through an overlay? Like a wrapper class in a Java filter: wrapping a function and changing its behavior as needed without having to modify the original code) and allow the altered functionality to be enabled or disabled per site. If the new/altered functionality breaks something you care about, turn it off for that site.
3. If possible, do all of this using only cross-platform languages (JavaScript, XUL, etc.) so someone doesn't have to continually recompile the solution for multiple platforms.

Update 1/1/2007:

I'm now wondering if this should be more of a library and API rather than a product. Then each patch would be JavaScript & XUL files which call the API.

1. Use cases (some based on http://www.squarefree.com/2006/12/14/sgwant/ and http://www.squarefree.com/securitytips/users.html)
  • HttpOnly
  • Gmail contacts vulnerability (http://cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/)
  • Block known bad sites by default, as a blacklist or whitelist
2. Functionality required from the API
  • Warn on, or blacklist/whitelist, specific domains
  • Warn on, or blacklist/whitelist, specific pages
  • Warn on, or blacklist/whitelist, specific URL parameters
  • Warn on, or blacklist/whitelist, specific POST parameters
  • Encrypt specific parameter values or cookie values so they become useless to scripts, but get decrypted before being sent back to the server
  • Scan parameters for cross-site-scripting-type code (JavaScript, SQL, etc.)
  • Limit GETs/POSTs and specific parameters to particular URLs by referrer
  • Clipboard monitoring???
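To make the API list concrete, here is an added example (my sketch, not code from the original post or from Mozilla) of how the warn/blacklist/whitelist rules and the per-site disable switch from design idea 2 could be evaluated against a request. The rule kinds, the `evaluate` function, the request shape and the `.example` hostnames are all assumptions made for this sketch.

```javascript
// Added example, not from the original post or any Mozilla code: a small rule
// evaluator sketching the "warn or blacklist/whitelist" API listed above. A
// virtual patch is a named bundle of rules; `disabledFor` switches it off per site.
const SEVERITY = { allow: 0, warn: 1, block: 2 };
function hostMatches(host, pattern) {
  return host === pattern || host.endsWith("." + pattern);
}
// Request shape is constructed for this example:
// { host, path, method, query: {...}, post: {...}, referrerHost }
function ruleMatches(rule, req) {
  switch (rule.kind) {
    case "domain":   return hostMatches(req.host, rule.match);
    case "page":     return hostMatches(req.host, rule.site) && req.path === rule.match;
    case "param":    return rule.match in req.query;
    case "post":     return req.method === "POST" && rule.match in req.post;
    case "referrer": // a request to rule.site that did not come from an allowed host
      return hostMatches(req.host, rule.site) &&
        !(req.referrerHost && rule.allowedReferrers.some(h => hostMatches(req.referrerHost, h)));
    default:         return false;
  }
}
// Whitelist ("allow") rules win outright; otherwise the most severe action wins.
// The patch and rule that fired are returned so a "warn" prompt can tell the
// user which patch to disable for this site if it gets in the way.
function evaluate(patches, req) {
  let verdict = { action: "allow", patch: null, rule: null };
  for (const patch of patches) {
    if ((patch.disabledFor || []).some(h => hostMatches(req.host, h))) continue;
    for (const rule of patch.rules) {
      if (!ruleMatches(rule, req)) continue;
      if (rule.action === "allow") return { action: "allow", patch: patch.name, rule };
      if (SEVERITY[rule.action] > SEVERITY[verdict.action]) {
        verdict = { action: rule.action, patch: patch.name, rule };
      }
    }
  }
  return verdict;
}
// Constructed sample patches (hostnames are placeholders).
const PATCHES = [
  { name: "block-known-bad", rules: [
    { kind: "domain", match: "bad.example", action: "block" },
    { kind: "page", site: "legacy.example", match: "/login.cgi", action: "block" } ] },
  { name: "trusted-sites", rules: [{ kind: "domain", match: "trusted.example", action: "allow" }] },
  { name: "mail-referrer-check", rules: [{ kind: "referrer", site: "mail.example",
      allowedReferrers: ["mail.example"], action: "warn" }] },
  { name: "noisy-param-warn", disabledFor: ["dev.example"],
    rules: [{ kind: "param", match: "callback", action: "warn" }] },
];
```

Encrypting parameter values and scanning for script-like content would sit alongside this as further rule kinds, but the matching and per-site override logic above is the part every rule kind shares.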
Existing functionality to study
  • httpOnly extension
  • NoScript extension
  • Adblock extension

Configurable Security Policies
http://www.mozilla.org/projects/security/components/ConfigPolicy.html
