From owner-freebsd-current Tue Nov 23 16:15:24 1999 Delivered-To: freebsd-current@freebsd.org Received: from kronos.alcnet.com (kronos.alcnet.com [63.69.28.22]) by hub.freebsd.org (Postfix) with ESMTP id C2D6514D96; Tue, 23 Nov 1999 16:15:21 -0800 (PST) (envelope-from kbyanc@posi.net) X-Provider: ALC Communications, Inc. http://www.alcnet.com/ Received: from localhost (kbyanc@localhost) by kronos.alcnet.com (8.9.3/8.9.3/antispam) with ESMTP id TAA51837; Tue, 23 Nov 1999 19:13:40 -0500 (EST) Date: Tue, 23 Nov 1999 19:13:40 -0500 (EST) From: Kelly Yancey X-Sender: kbyanc@kronos.alcnet.com To: Gerald Abshez Cc: Kris Kennaway , current@FreeBSD.ORG Subject: Re: FreeBSD security auditing project. In-Reply-To: <383B0F03.70A84532@manhattanprojects.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Tue, 23 Nov 1999, Gerald Abshez wrote: > Kris Kennaway wrote: > > > > Let me throw in some ideas.. > > > > I think it would be very useful to have a database which can track > > submitted open/netbsd CVS commits (with the code diff included), > > preferably mapped to the relevant file in the freebsd tree if possible > > according to a path mapping table (i.e. /some/openbsd/path/file.c mapped > > to /equiv/freebsd.path/file.c). > > Here is my 0.02: > > I think it would be useful to identify "unsafe" functions, so that > anyone can participate in the "eyeball" portion of the game. This means > that we need eyeballed, identified as a (potential) problem and fixed, > as well as some other possiblities. There is a lot of code out there, > and it would help if we could involve the non-programmers in the search. > > Comments? > I was thinking about this on the drive home... * We need to break the auditing process into managable work units. * We need to note when a commit affects code that was believed to have previously been secure (so that it may be audited again). * We should indicate what parts of the code have been audited without discouraging others from double-checking if they like. * We would like to be able to identify and integrate security fixes already made by OpenBSD or NetBSD easily. * We would like to flag programs as suspect/insecure when they are the subject of bugtraq reports. Are there additional goals anyone else has in mind? I've got some thoughts on implementing these, but my wife is telling me it is time to go :) I'll share when I get back from the movies :) Kelly -- Kelly Yancey - kbyanc@posi.net - Richmond, VA Director of Technical Services, ALC Communications http://www.alcnet.com/ Maintainer, BSD Driver Database http://www.posi.net/freebsd/drivers/ Coordinator, Team FreeBSD http://www.posi.net/freebsd/Team-FreeBSD/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message