Orangfuzz – an experimental user interaction fuzzer for Firefox OS

Gary

One of the goals of the fuzzing team is to identify security vulnerabilities within our products using various techniques. As we continue working with Firefox OS, we need to build and adapt the proper tools to enable fuzz testing on the mobile device.

Orangfuzz is an experimental user interaction fuzzer. It builds on generate-orangutan-script.py and uses the Orangutan framework. Orangutan injects events directly into the low-level kernel device file that represents an Android device’s touch screen. It supports actions such as “tapping” and “dragging”, simulated from a user’s perspective. The fuzzer generates an Orangutan script containing random sets of these actions.

This concept was inspired by bug 838215, which was a crash involving the handling of touch events.

Orangfuzz currently only supports the B2G Test Driver device, but adding additional support for other devices, if Orangutan supports them, is straightforward. We define the device through its specifications (e.g. home key location, screen resolution). Adding support for additional devices is as simple as adding new subclasses which provide the appropriate resolution and screensizes. It may be possible to run this against the B2G emulators but this has not been tested.

Warning: It is entirely possible to generate a script that contains a set of actions that dial emergency numbers such as “911″, “112″ or “999″, so it is recommended to run the script against a special build of Gaia (not yet well-tested) with dialing and messaging capabilities disabled if one wants to run orangfuzz continuously without supervision.

How can you help?

At this point we are still experimenting with the most effective strategy for identifying and triaging crashes, but please feel free to file bugs or ideas moving forward either on GitHub or in Bugzilla. Do subscribe to the mozilla.dev.b2g newsgroup if one is interested.

Bug 858174 tracks moving orangfuzz to production.

A demonstration video on YouTube with annotations is available, or you can get the .webm version (no audio).

-Gary Kwong

* Credits go out to Gregor Wagner, who wrote generate-orangutan-script.py, and William Lachance, author of the Orangutan framework.

We’re doing a Reddit AMA!

Curtisk

Members of the Mozilla Security community will be participating in an “Ask Me Anything (AMA)” even on Reddit tomorrow, 27-March-2013. We anticipate to run this for 24 hours from March 27th at 6:00 am PDT through March 28th at 6:00 am PDT.

Within Mozilla our teams depend heavily on our community handle everything involved in Information Security research &  development; if you would like to learn more please come out and ask us the questions you want to know the answer to!

You an also follow us on twitter at https://twitter.com/mozsec

This post will be updated with the appropriate links tomorrow morning.

Update:

Link to AMA: http://www.reddit.com/r/netsec/comments/1b3vcx/we_are_the_mozilla_security_community_ask_us/

Mozilla and Pwn2Own Event

mcoates

1

This week the Pwn2Own competition took place as part of the CanSecWest security conference. The Pwn2Own competition provides cash rewards for individuals that are able to demonstrate a security vulnerability in browsers or the browser plugins Flash and Java.

Researchers successfully demonstrated new security vulnerabilities in all three browsers tested -  Firefox, Chrome and IE. At the conclusion of the event we received technical details about the exploit so we could issue a fix.

We received the technical details on Wednesday evening and within less than 24 hours  diagnosed the issue, built a patch, validated the fix and the resulting builds, and deployed the patch to users. Our fast turn around time on this security issue is a reflection of the priority and focus we place on security. Security is more than a side item for us, it’s part of our core principles.

We encourage community research within security and started the first major bug bounty program in 2004 for Firefox.  Since then we’ve worked closely with experts around the world to help grow and mature security research. All security research and corresponding discoveries are used to proactively protect Firefox users as part of our larger security assurance program.

Find out more about how to get involved in Mozilla’s bug bounty program – http://www.mozilla.org/security/bug-bounty.html

Michael Coates
Director of Security Assurance