Date: Tue, 23 Nov 1999 21:05:25 +0200 From: Mark Murray <mark@grondar.za> To: current@freebsd.org Subject: FreeBSD security auditing project. Message-ID: <199911231905.VAA80946@gratis.grondar.za>
next in thread | raw e-mail | index | archive | help
Hello FreebSD'ers!
[ Apologies to committers, I have Bcc'ed you to ensure you got
this; you may get two copies. ]
I have been charged with the duty of ensuring that FreeBSD gets a
security audit that has the credibility of OpenBSD's.
Consider this to be a request-for-discussion that will head us over to
the actual work of getting it done.
My proposals are pretty simple;
1) We need to eyeball _all_ of the code for potential security holes,
and fix those ASAP.
2) I propose that <WE> diff(1) FreeBSD with {Open|Net}BSD, and with a
security perspective apply those bits that look relevant and that will
work. Who nose - we may even pick up some useful featurez!
I am prepared to provide a (semi-)automatic tool that folks can
submit their efforts to. (Yes, this is a group effort, we all need to
get involved and donate our Copious Free Time. All the time that is
currently invested in flamewars would be better spent here, *hint*
*hint*.) The tool will be web-based and will give a good idea of
progress, so we can even turn it into a sort of competition.
Here is a starter list of what we need to audit for:
o unsafe use of the str*(3) functions; strcat/strcpy/sprintf &c.
o unsafe buffer handling (probably better handled by str*(3)??)
o tmpfile races.
o password buffers not being zeroed fast enough
o unsafe use of command line or environment variables (?).
o unsafe passing/exposure of sensitive data.
o &c. please contribute here....
Let the discussion begin! All contributions welcome. Volunteers for the
effort (there were lots of you at FreeBSDCon) please fight your way to
the front now!
You'll need to be a $#|t-hot programmer, paranoid, and experienced in
code auditing to do the actual code review, but any other skills that
may be of use (*anything* - volunteers are most welcome!!) please come
forward with a miniresume and a proposal.
I'll get a mailing list going if this is deemed necessary.
Thanks!
M
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199911231905.VAA80946>