Mozilla Puts The Fun in Fuzz


LAS VEGAS — Mozilla doesn’t want to just make a better
browser; it wants to make the Web a safer place for
everyone.


That’s the message that Mozilla Chief Security Officer
Window Snyder and Mozilla project co-founder Mike Shaver
delivered here today to a Black Hat crowd.


The Mozilla staffers provided an overview of how the open
source group secures its code and how it intends to secure it
in the future.


“Because everything is out in the open, it’s easier for
people to participate than they could with a traditional
vendor,” Snyder told the audience. “With traditional
vendors you can only participate once the product ships.
With Mozilla you can participate all along the process.”


Mozilla uses a variety of security approaches to secure the
browser, Snyder explained. Among them is threat modeling, a
methodology for analyzing software for weaknesses that lets
you identify areas of risk before code is written.


Then there is the component security review, an approach
that treats every feature as having a security impact on the
overall product. Mozilla also does code review, looking for
things like weak or missing input validation, improper
string handling and memory allocation errors.


“Mozilla’s code review system is something we’ve had in
since the project started nearly 10 years ago,” Shaver
said. “It catches errors and it also increases the number
of people that are familiar with the code.”


Snyder noted that Mozilla is also engaging in automated
penetration testing.


“We find fuzzing to be a very practical approach for
finding vulnerabilities,” Snyder said. “Targets include FTP,
HTTP server responses, JavaScript and others.”


For a browser vendor the Web is a dangerous place. Shaver
said that, from Mozilla's point of view, the whole of the Web
is code and content you can't trust.


Mozilla's staffers also took aim at the question of how to
measure how secure or insecure a particular browser is. In
particular, Snyder said that simply counting bugs is not a
good measure.


“It doesn’t tell you about the quality of the bug, how
fast you’re finding them or how bug-dense a particular
piece of code is,” Snyder said. “The real story shouldn’t
be that a vendor has x number of vulnerabilities; it should
be that x number of vulnerabilities have been fixed.”


Mozilla tracks a number of bug metrics it considers
important: bug severity, find/fix rate, time to fix and
time to deploy. On the time-to-deploy metric, Snyder shared
statistics for the Firefox 2.0.0.4 release, which showed
that 90 percent of users had updated their browsers within
six days.


It is with tools that Shaver and Snyder expect to further
improve the security of Firefox.


“Tools let people who aren’t experts help out,” Shaver
said. “Tools capture expertise so that non-experts can
behave like experts.”


Three tools that Mozilla has been working on will
eventually be made public to help those outside Mozilla.
Snyder explained that Mozilla is building an HTTP fuzzer
and an FTP fuzzer in collaboration with the security
vendors Leviathan and Matasano, though neither tool will be
made publicly available for a few months.


A third tool, a JavaScript fuzzer called “jsfunfuzz”
(JavaScript Fun Fuzz) developed by Mozilla itself, was
released today.


Snyder said that Mozilla engaged with all the other browser
vendors, including Microsoft, Opera and Apple, before the
release. The general idea was that Mozilla didn't want to
break the Web.


“We wanted to make sure we weren’t releasing a tool
without notifying other vendors,” Snyder claimed.


Mozilla developer Jesse Ruderman, who wrote jsfunfuzz,
explained that the tool generates JavaScript function
bodies using a set of mutually recursive functions, then
compiles and runs them.
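To make the description above concrete, here is a small grammar-based JavaScript fuzzer written in that style: `genExpr` and `genStmt` call each other to build random function bodies, each body is compiled with `new Function` and executed, and the outcomes are tallied. This is an added illustration written for this page, not jsfunfuzz's own code; the production names, the leaf and operator tables, the `makeRng` seeded generator and the `fuzz` driver are all assumptions chosen for the example.

```javascript
// Added example of a mutually recursive JavaScript fuzzer. Not jsfunfuzz;
// every name below is an assumption of this illustration.

// mulberry32: a tiny seeded PRNG so a run can be reproduced from its seed.
function makeRng(seed) {
  let s = seed >>> 0;
  return function () {
    s = (s + 0x6d2b79f5) >>> 0;
    let t = s;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296; // in [0, 1)
  };
}

function pick(rng, items) {
  return items[Math.floor(rng() * items.length)];
}

// Leaves are chosen to hit type-coercion and edge-value paths in the engine.
const LEAVES = ["x", "this", "arguments", "0", "-0", "1", "1e308", "NaN",
                "'s'", "[]", "({})", "null", "undefined", "/a*b/"];
const BINOPS = ["+", "-", "*", "/", "%", "<<", ">>>", "==", "===", "<",
                "in", "instanceof"];
const UNOPS = ["-", "!", "~", "typeof", "void"];

// Expression generator. Every composite form is parenthesised so the text
// is unambiguous wherever it is spliced in. "fn" recurses into genStmt.
function genExpr(rng, depth) {
  if (depth <= 0) return pick(rng, LEAVES);
  const d = depth - 1;
  switch (pick(rng, ["leaf", "binary", "unary", "ternary", "index", "call", "fn"])) {
    case "binary":  return "(" + genExpr(rng, d) + " " + pick(rng, BINOPS) + " " + genExpr(rng, d) + ")";
    case "unary":   return "(" + pick(rng, UNOPS) + " " + genExpr(rng, d) + ")";
    case "ternary": return "(" + genExpr(rng, d) + " ? " + genExpr(rng, d) + " : " + genExpr(rng, d) + ")";
    case "index":   return "(" + genExpr(rng, d) + "[" + genExpr(rng, d) + "])";
    case "call":    return "(" + genExpr(rng, d) + "(" + genExpr(rng, d) + "))";
    case "fn":      return "(function (x) { " + genStmt(rng, d) + " return " + genExpr(rng, d) + "; })";
    default:        return pick(rng, LEAVES);
  }
}

// Statement generator. Loops are bounded so generated programs always
// terminate, and break/continue are never emitted (they would be syntax
// errors outside a loop). Recurses into genExpr.
function genStmt(rng, depth) {
  if (depth <= 0) return "x = " + genExpr(rng, 0) + ";";
  const d = depth - 1;
  switch (pick(rng, ["assign", "expr", "if", "for", "try", "throw", "block", "return"])) {
    case "assign": return "x = " + genExpr(rng, d) + ";";
    case "if":     return "if (" + genExpr(rng, d) + ") { " + genStmt(rng, d) + " } else { " + genStmt(rng, d) + " }";
    case "for":    return "for (var i = 0; i < 3; i++) { " + genStmt(rng, d) + " }";
    case "try":    return "try { " + genStmt(rng, d) + " } catch (e) { " + genStmt(rng, d) + " }";
    case "throw":  return "throw " + genExpr(rng, d) + ";";
    case "block":  return "{ " + genStmt(rng, d) + " " + genStmt(rng, d) + " }";
    case "return": return "return " + genExpr(rng, d) + ";";
    default:       return genExpr(rng, d) + ";";
  }
}

// Compile one generated body, run it and classify the result. A "syntax"
// outcome means the generator itself is broken; "runtime" exceptions are
// expected noise. The finds a real fuzzer is after (engine crashes, debug
// assertions) kill the process, so the program is logged before it runs.
function runOne(rng, depth, log) {
  const body = genStmt(rng, depth) + " return " + genExpr(rng, depth) + ";";
  if (log) log(body);
  let fn;
  try {
    fn = new Function("x", body);
  } catch (e) {
    return { body: body, outcome: "syntax", detail: String(e) };
  }
  try {
    fn.call(undefined, 42);
    return { body: body, outcome: "ok", detail: "" };
  } catch (e) {
    return { body: body, outcome: "runtime", detail: e && e.name ? e.name : typeof e };
  }
}

function fuzz(seed, iterations, depth, log) {
  const rng = makeRng(seed);
  const tally = { ok: 0, runtime: 0, syntax: 0 };
  const errorKinds = {};
  const syntaxFailures = [];
  for (let i = 0; i < iterations; i++) {
    const r = runOne(rng, depth, log);
    tally[r.outcome] += 1;
    if (r.outcome === "runtime") errorKinds[r.detail] = (errorKinds[r.detail] || 0) + 1;
    if (r.outcome === "syntax") syntaxFailures.push(r);
  }
  return { seed: seed, iterations: iterations, depth: depth, tally: tally,
           errorKinds: errorKinds, syntaxFailures: syntaxFailures };
}

// Stand-alone run: print the seed up front so a crash is reproducible.
if (typeof require !== "undefined" && require.main === module) {
  const seed = Number(process.argv[2]) || 1;
  console.log("seed", seed);
  console.log(JSON.stringify(fuzz(seed, 200, 4).tally));
}
```

Two design points carry over to any fuzzer of this kind. The grammar is deliberately built so that everything it emits parses: a syntax error counts as a bug in the generator, because a program the engine rejects at parse time exercises none of the interpreter or JIT paths the fuzzer exists to stress. And a seed is printed before each run, since the interesting outcome is not a caught exception but a process that never returns, and the only reproducer you will have is whatever was logged beforehand.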


Ruderman claimed that in its brief existence jsfunfuzz has
already found 280 bugs in Firefox, 27 of which were
exploitable.


With jsfunfuzz, as with Mozilla’s participation at Black
Hat, Snyder noted that it’s all about getting more
participation.


“The work that you do helps make Mozilla secure.”
