No content

Text Minion: Blaze your own security scan Yeuk Hon Wong Security Assurance team, Summer Intern '13 

Follow along ... https://github.com/yeukhon/talks/pdf/intern2013.pdf https://speakerdeck.com/yeukhon/intern2013 

Scopes • Minion • IonMonkey fuzzing with UBSan • Security Review • QA 

Live QA? • #websectools or #security on irc.mozilla.org • Send to yeukhon on IRC • I'll address questions at the end 

In a typical security review... • Reviewers determine threat analysis after learning about the system specification, user stories and data flow. • Reviewers run scans and do manual code review • Reviewers signs and publishes security review report (mitigations, and vulnerabilities) 

Problems • Security review relies on the availability of time and collaboration from both the reviewers and developers. • Security scans are usually done by security reviewers. • Security reviews are not agile enough! Y U NO CHECK XSS BEFORE YOU git push upstream? 

Solutions? We need a developer-first solution. Your security reviewers are go-to person for advice and for formal security review, not for your daily build . 

Be hold > o < credit: @nurikidy 

Minion? Create a platform where developers can kick off a scan. URL, a mouse click, and wait for report. 

Minion? View scan report online and offline. Give me the URL. IRC or emails are fine. No need for formal Viydo conference. 

Minion? Duck-typing tools. “if it quacks like a tool, it's a tool.” 

Minion? 

Minion? Customize an attack plan that works for your use case. Write a configuration file with different parameters for one or multiple scan tools. 

Minion? 

Minion? Keep a history of scans. Imagine doing git blame scan1 scan2 on issueX? Or even correlate with other projects? \o/ 

Minion? Keep a history of scans. Imagine doing git blame scan1 scan2 on issueX? Or even correlate with other projects? \o/ 

Minion? Open source. Do whatever you want responsibly. 

MINION DEMO credit: @nurikidy 

Minion today 0.3 was announced on July 30th (https://blog.mozilla.org/security/2013/07/30/introducing-minion/) Slowly gaining more contributors and users Received first major pull request from contributor (https://github.com/mozilla/minion-frontend/pull/103) • Focusing on growing the community • Just completed site ownership verification this week (08/13/2013) 

Minion Roadmap • Focus on growing community • Improve plugin and reporting quality • Grow plugin ecosystem • Front-end UI changes (e.g. add a landing page) • Enabling result artifacts storage https://blog.mozilla.org/security/2013/07/30/introducing-minion/ 

Minion UI mock-up A quick shoutout to my roommate Liu Liu for making a Minion UI mock-up for me. Disclaimer: we don't have any decision on how the future UI will look like, but I want to acknowledge his contribution. 

No content

No content

Minion: building a community And we need your contributions. 

Minion: potentials (I think) • Make security reviews more agile (think of continuous integration). • Help developers (and students!) learn more about application security. • I imagine growing Minion like growing OpenStack or Docker. • Create a security tool ecosystem. • Help standardizing security alert report schema. 

Minion: resources Source code: https://github.com/mozilla/minion Mailing list: http://groups.google.com/group/mozilla-minion-dev Minion wiki: https://wiki.mozilla.org/Security/Projects/Minion We also use the #websectools channel on irc.mozilla.org 

Beyond Minion Fuzzing and security review 

Fuzzing • I was fuzzing IonMonkey using UBSan (undefined behavior sanitizer) • Found several interesting undefined behavior bugs: - runtime error: load of value 98, which is not a valid value for type 'bool' (js::DefineOwnProperty); - JS engine creates unaligned reference to JSObject (0x42) • MDN: https://developer.mozilla.org/en- US/docs/Building_SpiderMonkey_with_UBSan 

Security Review • Currently reviewing a simple community Django web app with Jacob Haven (another security assurance intern). 

One week to go … Beyond Mozilla internship 

Farewell Big thanks to my own team: Stefan Arentz Yvan Boily Simon Bennetts Mark Goodwin 

Farewell Also to our fuzzers and to our OpSec * Jesse Ruderman * Gary Kwong * Joe Stevenson * Julien Vehent * Guillaume Destuynder * Nicolas Pierron (JS team) And to the rest of the Security Assurance team! 

I am everywhere • IRC: yeukhon • twitter: @jwxie • github / bitbucket: yeukhon • email: [email protected] 

Additional credits • Thanks to @nurikidy for the awesome Mozilla Minion logo. • Thanks to all of you. 

QA