Review debug actors in FirefoxOS

RESOLVED WONTFIX

Status

mozilla.org
Security Assurance
RESOLVED WONTFIX
4 years ago
2 years ago

People

(Reporter: pauljt, Assigned: pauljt)

Tracking

Details

(Whiteboard: u= c= p=5 s=ready)

(Assignee)

Description

4 years ago
When remote debugging is enabled, adb and the remote debugging service are available. ADB runs will a lower privileged user on production devices, but it does allow the user to use 'adb forward' to connect to the remote debugger. To limit the risk, FxOS uses only limited debug actors on gonk, to minimise the attack surface. 

AFAIK, this means:
- no web console
- no debugger
- provides an interface to install apps

The point of this review is to establish, document and review exactly which debug actors are available on b2g, and exactly what functionality is exposed.

The key threat here is a user who has left adb enabled or left their device unlocked. EG if its possible to access the disk using remote debugger, could possibly steal stored network credentials.

Useful links to get started:
bug 828863
bug 799151
http://mxr.mozilla.org/mozilla-b2g18/source/b2g/chrome/content/shell.js#951
http://mxr.mozilla.org/mozilla-b2g18/source/toolkit/devtools/debugger/server/dbg-server.js#186
http://mxr.mozilla.org/mozilla-b2g18/source/b2g/chrome/content/dbg-webapps-actors.js#119
The profiler actor is also enabled and provides main process-only profiling AFAIK.

This review is only concerned with the current state of affairs that will presumably ship with FxOS 1.0.1 and 1.1, right? The forthcoming support for content process debugging (bug 797627) that will allow us to fully enable remote debugging in production devices is out of scope I presume?
(Assignee)

Comment 2

4 years ago
Yes, I was mainly concerned with 1.0.1 and 1.1 but I wasn't aware of 797627. The context of this review was trying to understand the threat profile remote debugging presents (and will present in the future). With 797627 is it expected that you will be able to connect to any content process (and therefore access any sensitive data that app might have stored)?  Not saying it should or shouldn't have this access, really I just want to get a complete an accurate understanding.
The plan as I remember it (I can't find the bug right now) was that after bug 797627 debugging will only target content processes on production devices, and every process on desktop builds. This way we would get both flexibility for Gaia developers and risk mitigation for webapp developers and everyday users.
(Assignee)

Updated

4 years ago
Blocks: 754730
(Assignee)

Updated

4 years ago
Whiteboard: u= c= p=5 s=ready
(Assignee)

Updated

2 years ago
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.