RealTime IT News

Mozilla Puts The Fun in Fuzz

LAS VEGAS -- Mozilla doesn't want to just make a better browser; it wants to make the Web a safer place for everyone.

That's the message that Mozilla Chief Security Officer Window Snyder and Mozilla project co-founder Mike Shaver delivered here today to a Black Hat crowd.

The Mozilla staffers provided an overview of how the open source group secures its code and how it intends to secure it in the future.

"Because everything is out in the open, it's easier for people to participate than they could with a traditional vendor," Snyder told the audience. "With traditional vendors you can only participate once the product ships. With Mozilla you can participate all along the process."

Mozilla uses a variety of approaches to secure the browser, Snyder explained. Among them is threat modeling, a methodology for analyzing software for weaknesses and identifying areas of risk.

Then there is the component security review, an approach that treats every feature as having a security impact on the overall product. Mozilla also does code review, looking for things like input validation mechanisms, improper string handling and memory allocation errors.

"Mozilla's code review system is something we've had in since the project started nearly 10 years ago," Shaver said. "It catches errors and it also increases the number of people that are familiar with the code."

Snyder noted that Mozilla is also engaging in automated penetration testing.

"We find fuzzing to be a very practical approach for finding vulnerabilities," Snyder said. "Targets include FTP, HTTP server responses, JavaScript and others."

For a browser vendor the Web can be a dangerous place. Shaver said that the whole of the Web for Mozilla is code and content you can't trust.

Mozilla's staffers also took aim at how to validate how secure or insecure a particular browser may be. In particular, Snyder said that simply counting bugs is not a good measure.

"It doesn't tell you about the quality of the bug, how fast you're finding them or how bug-dense a particular piece of code is," Snyder said. "The real story shouldn't be that a vendor has x number of vulnerabilities; it should be that x number of vulnerabilities have been fixed."

Mozilla tracks a number of bug metrics it considers important: bug severity, find/fix rate, time to fix and time to deploy. On the time-to-deploy metric, Snyder shared some statistics for the Firefox release, which showed that 90 percent of users updated their browsers within six days.

It is with tools that Shaver and Snyder expect to further improve the security of Firefox.

"Tools let people that aren't experts help out," Shaver said. "Tools capture expertise so that non-experts can behave like experts."

Three tools that Mozilla has been working on will eventually be made public to help those outside Mozilla. Snyder explained that Mozilla is working on an HTTP fuzzer and an FTP fuzzer in collaboration with vendors Leviathan and Matasano, though neither tool will be made publicly available for a few months.

A third tool, for JavaScript fuzzing, called "jsfunfuzz" (JavaScript Fun Fuzz), which was developed by Mozilla, was released today.

Snyder claimed that Mozilla engaged with all vendors, including Microsoft, Opera and Apple. The general idea is that Mozilla didn't want to break the Web.

"We wanted to make sure we weren't releasing a tool without notifying other vendors," Snyder claimed.

Mozilla developer Jesse Ruderman, who wrote the jsfunfuzz fuzzer, explained that the tool creates JavaScript function bodies using a bunch of mutually recursive functions and runs them.
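As an added illustration of the approach Ruderman describes (this is not jsfunfuzz's code and not part of the original article), the sketch below builds function bodies from three mutually recursive generators and runs each one. The tiny grammar, the seeded random number generator and every name in it are assumptions made for the example.

```javascript
// Added illustration: generation by mutually recursive functions. Not jsfunfuzz source; all names hypothetical.
function makeRng(seed) { // mulberry32, so a seed reproduces a test case
  let s = seed >>> 0;
  return () => {
    s = (s + 0x6D2B79F5) >>> 0;
    let t = Math.imul(s ^ (s >>> 15), s | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

function makeFunctionBody(seed, depth) {
  const rng = makeRng(seed);
  const pick = (xs) => xs[Math.floor(rng() * xs.length)];
  const atoms = ["x", "y", "0", "1", "-1", "null", "undefined", "''", "[]", "({})"];
  const binOps = ["+", "-", "*", "/", "%", "==", "<", "&&", "||"];
  // expr, stmt and block call one another; d shrinks so recursion ends.
  function expr(d) {
    if (d <= 0) return pick(atoms);
    return pick([
      () => "(" + expr(d - 1) + " " + pick(binOps) + " " + expr(d - 1) + ")",
      () => "(" + pick(["!", "-", "typeof ", "void "]) + "(" + expr(d - 1) + "))",
      () => "(" + expr(d - 1) + " ? " + expr(d - 1) + " : " + expr(d - 1) + ")",
      () => "(function (x) { " + block(d - 1) + " })(" + expr(d - 1) + ")",
    ])();
  }
  function stmt(d) {
    if (d <= 0) return pick(["x", "y"]) + " = " + expr(0) + ";";
    return pick([
      () => pick(["x", "y"]) + " = " + expr(d) + ";",
      () => "if (" + expr(d) + ") { " + block(d - 1) + " } else { " + block(d - 1) + " }",
      () => "try { " + block(d - 1) + " } catch (e) { " + block(d - 1) + " }",
      () => "return " + expr(d) + ";",
      () => "throw " + expr(d - 1) + ";",
    ])();
  }
  function block(d) { return rng() < 0.5 ? stmt(d) : stmt(d) + " " + stmt(d); }
  return "var x = 1, y = 2; " + block(depth);
}
// Compile and run each generated body; a real harness would watch the engine itself for crashes.
function fuzz(firstSeed, count, depth) {
  const tally = { returned: 0, threw: 0, rejected: 0 };
  for (let seed = firstSeed; seed < firstSeed + count; seed++) {
    let fn;
    try { fn = new Function(makeFunctionBody(seed, depth)); } catch (e) { tally.rejected++; continue; }
    try { fn(); tally.returned++; } catch (e) { tally.threw++; }
  }
  return tally;
}
```

Because each body is derived from its seed, any input that misbehaves can be regenerated exactly with `makeFunctionBody(seed, depth)` for triage.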

Ruderman claimed that in its brief existence jsfunfuzz has already found 280 bugs in Firefox, 27 of which were exploitable.

With jsfunfuzz, as with Mozilla's participation at Black Hat, Snyder noted that it's all about getting more participation.

"The work that you do helps make Mozilla secure."