July 30th, 2013
Mozilla continues to build the Web as a platform for security, which is a crucial part of our mission to move the Web forward as a platform for openness, innovation and opportunity for all. Today this platform for security is being advanced in two ways: Mozilla and BlackBerry are collaborating on advanced automated security testing techniques known as fuzzing, and Mozilla is introducing Minion, an open source security testing platform intended to be used by developers and security professionals. These research efforts are some of the many ways Mozilla helps make the Web more secure and protect Firefox users.
Mozilla and BlackBerry Collaborate on Fuzzing
Mozilla and BlackBerry’s work on security research techniques is in the area of fault injection. Fault injection (also known as “fuzzing”) is a method of automated security testing that is used to identify potential security concerns that can be fixed before users are at risk. Fault injection is a testing technique where specially designed software is created to inject a variety of unexpected or malformed data into a specific application, program or area of code. The goal is to uncover areas where the software does not properly handle the malformed data. Through fault injection it is possible to identify potential security weaknesses that can be proactively addressed before there is ever a threat to users.
The specific area of joint research is Peach v2, an open source fuzzing framework, and the collaboration will also include joint work on other fuzzing software. Mozilla and BlackBerry are working together to advance the Peach fuzzing software for testing Web browsers. We will also collaborate on fuzzing techniques and approaches to jointly raise the security protections provided to our users.
Mozilla has successfully used Peach to perform fuzz testing against HTML5 features such as image formats, audio/video formats, fonts, multimedia APIs like WebGL and WebAudio, and, most recently, protocols used in WebRTC. Through our testing, we’ve proactively identified issues that could be fixed before there was any risk to our users. This testing has proved to be very effective and is helping secure Firefox and Firefox OS users.
BlackBerry has long relied on large-scale automated testing to identify security issues across its platform. The collaboration with Mozilla plugs directly into BlackBerry’s existing security processes and infrastructure. BlackBerry regularly uses third-party fuzzers, in addition to its own proprietary fuzzing tools, static analysis and vulnerability research, in order to identify and address potential security concerns across its portfolio of products and services.
Adrian Stone, Director of BlackBerry Security Response and Threat Analysis, shared that he is excited about the work Mozilla and BlackBerry researchers are conducting and the potential benefits for customers. He said, “Security is an industry-wide challenge that cannot be solved in a vacuum, and that is why BlackBerry and Mozilla security researchers are working together to develop new and innovative tools for detecting browser threats before they can affect both mobile and desktop customers. Through this collaboration, BlackBerry and Mozilla are working together towards the common goal of advancing security protections for customers as well as improving the threat landscape overall.”
Mozilla and BlackBerry have worked together on fuzzing activities in the past and both recognize the importance of continued automated security testing techniques in order to protect users on the open Web.
Mozilla Introduces Minion
Mozilla also introduced Minion, a security testing platform that is intended to be used by developers and security professionals. Minion is free, open source and available for use. Minion is under active development and many new features are in progress.
The Minion testing platform takes a different approach to automated web security testing by focusing on correct and actionable results that don’t require a security professional to validate. Many security tools generate excessive amounts of data, including incorrectly identified issues that require many hours of specialized research by a security professional. Minion favors accuracy and simplicity and is designed so every developer, regardless of security expertise, can use this platform to increase the security of their applications.
By putting usable security tools into the hands of developers, Mozilla continues to push the security of the Web forward.
-Michael Coates, Director of Security Assurance