On 2015-11-27 8:41 AM, Frederik Braun wrote:
> On 27.11.2015 13:16, Gervase Markham wrote:
>> On 26/11/15 17:13, Mike Hoye wrote:
>>> Stillman wrote some new code and put it through a process meant to catch
>>> problems in old code, and it passed. That's unfortunate, but does it
>>> really surprise anyone that security is an evolving process? That it
>>> might be full of hard tradeoffs? There is a _huge_gap_ between "new
>>> code can defeat old security measures" and "therefore all the old
>>> security measures are useless".
>>
>> But the thing is, members of our security group are now piling into the
>> bug pointing out that trying to find malicious JS code by static code
>> review is literally _impossible_ (and perhaps hinting that they'd have
>> said so much earlier if someone had asked them).
>>
>> You can evolve your process all you like, but if something is
>> impossible, it's impossible. And not only that, but attempting it seems
>> to be causing significant collateral damage.
>
> We can detect obfuscation and disallow it, though.

No, we unfortunately cannot do that. That is really the same problem as detecting malicious add-ons by looking at the code, which is impossible because of the previously mentioned reasons.

(Note that you may be thinking about obfuscations done by tools such as minifiers, but the interesting obfuscation here is deliberate ones done by an attacker trying to mislead a human or machine reviewing their code for maliciousness.)

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform