Date:      Tue, 23 Nov 1999 19:13:40 -0500 (EST)
From:      Kelly Yancey <kbyanc@posi.net>
To:        Gerald Abshez <gerald@manhattanprojects.com>
Cc:        Kris Kennaway <kris@hub.freebsd.org>, current@FreeBSD.ORG
Subject:   Re: FreeBSD security auditing project.
Message-ID:  <Pine.BSF.4.05.9911231903120.51692-100000@kronos.alcnet.com>
In-Reply-To: <383B0F03.70A84532@manhattanprojects.com>

On Tue, 23 Nov 1999, Gerald Abshez wrote:
> Kris Kennaway wrote:
> >
> > Let me throw in some ideas..
> > 
> > I think it would be very useful to have a database which can track
> > submitted open/netbsd CVS commits (with the code diff included),
> > preferably mapped to the relevant file in the freebsd tree if possible
> > according to a path mapping table (i.e. /some/openbsd/path/file.c mapped
> > to /equiv/freebsd.path/file.c).
> 
> Here is my 0.02:
> 
> I think it would be useful to identify "unsafe" functions, so that
> anyone can participate in the "eyeball" portion of the game. This means
> that we need eyeballed, identified as a (potential) problem and fixed,
> as well as some other possibilities. There is a lot of code out there,
> and it would help if we could involve the non-programmers in the search.
> 
> Comments?
> 

  I was thinking about this on the drive home...

  * We need to break the auditing process into manageable work units.

  * We need to note when a commit affects code that was believed to have
    previously been secure (so that it may be audited again).

  * We should indicate what parts of the code have been audited without
    discouraging others from double-checking if they like.

  * We would like to be able to identify and integrate security fixes
    already made by OpenBSD or NetBSD easily.

  * We would like to flag programs as suspect/insecure when they are the
    subject of bugtraq reports.

  Are there additional goals anyone else has in mind? I've got some
thoughts on implementing these, but my wife is telling me it is time to
go :) I'll share when I get back from the movies :)

  Kelly
--
Kelly Yancey  -  kbyanc@posi.net  -  Richmond, VA
Director of Technical Services, ALC Communications  http://www.alcnet.com/
Maintainer, BSD Driver Database       http://www.posi.net/freebsd/drivers/
Coordinator, Team FreeBSD        http://www.posi.net/freebsd/Team-FreeBSD/
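As an added illustration of the goals listed above (example code written for this page, not code from the thread or from the FreeBSD project): a small Python sketch that flags calls to an assumed starting list of unsafe C functions for eyeball review, and records a content hash at sign-off so that a later change marks the file as needing another audit. The function list, the ledger layout and the sample source file are all assumptions.

```python
"""Constructed helper: flag calls to known-unsafe C functions for eyeball
review, and detect when a file signed off as audited has changed since."""
import hashlib
import re

# Assumed starting list; the thread itself names no specific functions.
UNSAFE_FUNCS = ("strcpy", "strcat", "sprintf", "vsprintf", "gets")
CALL_RE = re.compile(r"\b(" + "|".join(UNSAFE_FUNCS) + r")\s*\(")
# String literals, // comments and /* */ comments; leftmost match wins.
SKIP_RE = re.compile(r'"(?:\\.|[^"\\\n])*"|//.*?$|/\*.*?\*/', re.M | re.S)


def _blank_noise(source: str) -> str:
    """Blank literals/comments but keep newlines so line numbers stay right."""
    def repl(m):
        text = m.group(0)
        return '""' if text.startswith('"') else "\n" * text.count("\n")
    return SKIP_RE.sub(repl, source)


def find_unsafe_calls(source: str):
    """Return [(line_no, func), ...] for each call to an UNSAFE_FUNCS entry."""
    hits = []
    for lineno, line in enumerate(_blank_noise(source).splitlines(), 1):
        hits.extend((lineno, m.group(1)) for m in CALL_RE.finditer(line))
    return hits


def content_hash(source: str) -> str:
    return hashlib.sha256(source.encode()).hexdigest()


def audit_status(path: str, source: str, ledger: dict) -> str:
    """ledger maps path -> sha256 recorded at sign-off (assumed layout).
    'unaudited': never signed off; 'audited': unchanged since sign-off;
    'stale': content changed since sign-off, so it should be queued again."""
    recorded = ledger.get(path)
    if recorded is None:
        return "unaudited"
    return "audited" if recorded == content_hash(source) else "stale"


# Constructed sample input (not from the thread).
SAMPLE_C = """/* strcpy( in a comment is ignored */
#include <string.h>
void copy(char *dst, const char *src) {
    strcpy(dst, src);                   /* flagged */
    snprintf(dst, 8, "%s", "strcpy(");  /* literal, not flagged */
}
"""
```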