<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN" [
<!ENTITY date "$Date: 1997-02-15 13:02:18 $">
<!ENTITY title "FreeBSD Auditing Project">
<!ENTITY % includes SYSTEM "includes.sgml"> %includes;
]>

<HTML>
<HEAD>
<TITLE>FreeBSD Source Auditing Project</TITLE>
<META NAME="Author" CONTENT="Jordan Hubbard">
</HEAD>

<BODY TEXT="#000000" BGCOLOR="#FFFFFF" LINK="#0000FF" VLINK="#800080" ALINK="#FF0000">

<H1>General Information</H1>

<em>Last Updated: $Date: 1997-02-15 13:02:18 $ </em>

<H2>Overview</H2>

<P>In light of our recent (and still ongoing) security concerns, it
has become rather obvious that nothing less than a rigorous and
comprehensive security review of the FreeBSD source tree will enable
us to really have much confidence in the security of our operating
system, an OS that many have come increasingly to rely upon and must
be made more than reasonably secure if they are to continue to be able
to do so.</P>

<P>The sheer amount of legacy code &amp; code from outside sources in
FreeBSD also makes it especially easy for security holes to go
unnoticed until it's rather too late, and no truly large-scale attempt
has been made up to this point to really go through the codebase with
a specific focus on security issues, that being a rather big project
and most FreeBSD developers being more than busy enough elsewhere.
This situation must now change, however, if we are to remain the kind
of operating system that people can continue to rely upon as the
Internet continues to grow and (I suspect) become an ever-more hostile
environment for improperly protected systems. Proper security is
something of a cooperative arrangement between the local administrator
and the OS vendor, and this "OS vendor" needs to do its part.</P>

<P>The core team's first step in becoming more serious about security
was to bring the project's security officer, <a href="mailto:guido@FreeBSD.org">
Guido van Rooij</a>, into the team so that one of the "voices at the
table" would have security as his primary mandate and representation
in all the important security mailing lists external to the FreeBSD
Project. He will also keep the rest of us in core much more aware of
security concerns as they arise, hopefully not to be taken quite so by
surprise as we have a few times in the past.</P>

<P>Our second step will be this audit, an attempt to methodically go
through every line of source in FreeBSD looking for obvious buffer
overflows (sprintf()/strcpy() vs snprintf()/strncpy() and so on), less
obvious security holes, instances of insufficiently defensive coding,
amusing comment strings to forward to freebsd-chat, whatever we run
across.</P>
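<P>The sprintf()/strcpy() versus snprintf()/strncpy() contrast above, shown as an added C example that is not part of the original page or of the FreeBSD audit itself: the unbounded call is the pattern the auditors were hunting, and the bounded replacements still need a check, because snprintf() reports truncation only through its return value and strncpy() leaves the buffer unterminated when the source fills it. The helper names (unsafe_greeting, build_greeting, safe_copy, strncpy_terminated) and the sample strings are assumptions made for this example.</P>

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * "Before": the pattern the audit was hunting. sprintf() has no idea how
 * large out[] is, so a user name longer than the buffer writes past its end.
 * Kept here only for contrast; it is never fed an over-long argument below.
 */
static void unsafe_greeting(char out[16], const char *user)
{
    sprintf(out, "Welcome, %s!", user);   /* unbounded: overflows if user is long */
}

/*
 * "After": bounded formatting. snprintf() never writes more than outsize
 * bytes (including the NUL), but it silently truncates; the only way to know
 * is the return value, which is the length the full string would have had.
 * Returns true if the whole string fit, false if it was cut short.
 */
static bool build_greeting(char *out, size_t outsize, const char *user)
{
    int n = snprintf(out, outsize, "Welcome, %s!", user);
    return n >= 0 && (size_t)n < outsize;
}

/* Same idea for a plain copy: bounded, always NUL-terminated, truncation reported. */
static bool safe_copy(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return false;
    int n = snprintf(dst, dstsize, "%s", src);
    return n >= 0 && (size_t)n < dstsize;
}

/*
 * The strncpy() trap: when src has dstsize or more characters, strncpy()
 * fills dst completely and writes no terminator, so a later strlen() or
 * printf("%s") reads off the end. Returns whether dst ended up NUL-terminated.
 */
static bool strncpy_terminated(char *dst, size_t dstsize, const char *src)
{
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) != NULL;
}

int main(void)
{
    char buf[16];

    unsafe_greeting(buf, "jkh");            /* 13 chars + NUL fits, so this call is fine */
    printf("%s\n", buf);

    /* Constructed sample: a name whose greeting does not fit in 16 bytes. */
    bool ok = build_greeting(buf, sizeof buf, "averylonguser");
    printf("%s (truncated: %s)\n", buf, ok ? "no" : "yes");

    char small[4];
    printf("strncpy terminated: %s\n",
           strncpy_terminated(small, sizeof small, "abcd") ? "yes" : "no");
    return 0;
}
```

<P>The point for a reviewer is that swapping strcpy() for strncpy(), or sprintf() for snprintf(), is only half of the fix: the caller must also handle the return value (or re-terminate the buffer) so that a truncated result is noticed rather than silently passed on.</P>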

<P>Using the
<a href="ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-CVS/CVSROOT/modules">
modules database</a> as an outline, we will split the source tree into
more manageable pieces, keeping a sign-up sheet in a prominent place
so that people can see which modules are covered and which are not. A
carefully selected team of individuals is now also being formed, that
team being composed of "auditors" and "reviewers" (most members of the
team being both). An auditor has principal responsibility, which may
be shared with another auditor, for actually going through the code
and looking for security holes and/or bugs. Once a reasonable pile of
diffs has been accumulated, assuming that any problems were found,
they are sent to one or more reviewers who are responsible for giving
the changes another once-over and, if the auditor does not have commit
privileges, for actually committing the changes when &amp; if they're deemed
acceptable.</P>

<H2>Requirements:</H2>

<P>In order to be an auditor, you should either have commit privileges on
<em>freefall.freebsd.org</em> or an arrangement with another auditor/reviewer
who does. You should also be running or have immediate access to
<a href="handbook/current.html">FreeBSD-current</a> sources since all of our changes
will be made relative to that branch and then brought back (as necessary)
into the <strong>2.1</strong> and <strong>2.2</strong> branches.</P>

<P>What to look for and which general rules to follow is sufficiently
complex that I have turned it into a <a href="security.html">FreeBSD
Security Guide</a>. Please read this now if you haven't already.
Another excellent document is the <a
href="ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist">
Secure Programming Checklist</a>, available from AUSCERT.</P>

<H2>Sign-Up sheet:</H2>

<P>Here is the sign-up sheet as it sits so far. This is *very* skeletal
at this stage, given that we've just now started, and as people
indicate which module(s) they're willing to either audit or review,
we'll fill it in. If this tabular format also becomes unwieldy as it
fills up, we can change it or put it on a web page or something. :)
I've left some sample entries open just as place-holders, and they in
no way imply that someone has to be willing to pick up pieces that
large.</P>

<P>Anything in the modules database represents a potential auditing
target - from ones as small as "cat" to ones as large as "lib", the
most important thing being that people bite off pieces no larger than they
think they can chew. If you take 15 things onto your plate and deal
with only 5, you're not doing anyone any favors since the other
auditors will be assuming that the other 10 items are handled!</P>

<P>To sign up for something, please send mail to <a
href="mailto:jkh@FreeBSD.org">jkh@FreeBSD.org</a>.</P>

<P>
<TABLE border=2 cellpadding=3>
<TR><TH>Module</TH> <TH>Auditor(s)</TH> <TH>Reviewer(s)</TH> <TH>Status</TH></TR>
<TR><TD>lib</TD> <TD>pst</TD> <TD>jkh,dg,gvr,imp</TD> <TD>Open</TD></TR>
<TR><TD>libdisk</TD> <TD>open</TD> <TD>phk</TD> <TD>Open</TD></TR>
<TR><TD>libexec</TD> <TD>imp,crh</TD> <TD>open</TD> <TD>Open</TD></TR>
<TR><TD>telnetd</TD> <TD>ac,dn</TD> <TD>imp</TD> <TD>Open</TD></TR>
<TR><TD>bin</TD> <TD>ac,gvr</TD> <TD>imp,md</TD> <TD>Open</TD></TR>
<TR><TD>sbin</TD> <TD>taob,imp</TD> <TD>md</TD> <TD>Open</TD></TR>
<TR><TD>usr.sbin</TD> <TD>imp,rd,marc</TD> <TD>md</TD> <TD>Open</TD></TR>
<TR><TD>usr.bin</TD> <TD>rb,rjk,rd,jha</TD> <TD>md</TD> <TD>Open</TD></TR>
<TR><TD>eBones</TD> <TD>mrvm</TD> <TD>open</TD> <TD>Open</TD></TR>
<TR><TD>secure</TD> <TD>mrvm</TD> <TD>open</TD> <TD>Open</TD></TR>
<TR><TD>games</TD> <TD>xaa,ab</TD> <TD>open</TD> <TD>Open</TD></TR>
<TR><TD>lkm</TD> <TD>open</TD> <TD>open</TD> <TD>Open</TD></TR>
<TR><TD>release</TD> <TD>open</TD> <TD>open</TD> <TD>Open</TD></TR>
<TR><TD>contrib</TD> <TD>cg</TD> <TD>open</TD> <TD>Open</TD></TR>
</TABLE>

<H2>Auditor/Reviewer keys</H2>

<P>This is the list of people who have volunteered to participate as
auditors or reviewers in this process. They may also be reached
collectively by sending mail to the <a
href="mailto:auditors@FreeBSD.org">auditors@FreeBSD.org</a> alias at
times when it is appropriate to send mail to all auditors. If you wish to
reach just the auditors &amp; reviewers for a specific category, say for example
<strong>usr.sbin</strong>, then you would send mail to
<a href="mailto:audit-usr.sbin@FreeBSD.org">audit-<strong>usr.sbin</strong></a>.
</P>

<TABLE cellpadding=2>
<TR><TH>Key</TH> <TH>Auditor/Reviewer Name and Email address</TH></TR>
<TR><TD>ab</TD> <TD>Aaron Bornstein <a href="mailto:aaronb@j51.com">aaronb@j51.com</a></TD></TR>
<TR><TD>ac</TD> <TD>Adrian Chadd <a href="mailto:adrian@psinet.net.au">adrian@psinet.net.au</a></TD></TR>
<TR><TD>ak</TD> <TD>Adam Kubicki <a href="mailto:apk@itl.waw.pl">apk@itl.waw.pl</a></TD></TR>
<TR><TD>am</TD> <TD>Albert Mietus <a href="mailto:albert@gamp.hacom.nl">albert@gamp.hacom.nl</a></TD></TR>
<TR><TD>avk</TD> <TD>Alexander V. Kalganov <a href="mailto:top@sonic.cris.net">top@sonic.cris.net</a></TD></TR>
<TR><TD>bb</TD> <TD>Bob Bishop <a href="mailto:rb@gid.co.uk">rb@gid.co.uk</a></TD></TR>
<TR><TD>bob</TD> <TD>Bob Willcox <a href="mailto:bob@luke.pmr.com">bob@luke.pmr.com</a></TD></TR>
<TR><TD>btm</TD> <TD>Brian T. Michely <a href="mailto:brianm@cmhcsys.com">brianm@cmhcsys.com</a></TD></TR>
<TR><TD>cg</TD> <TD>Coranth Gryphon <a href="mailto:gryphon@healer.com">gryphon@healer.com</a></TD></TR>
<TR><TD>cl</TD> <TD>Chris Lambertus <a href="mailto:cmlambertus@ucdavis.edu">cmlambertus@ucdavis.edu</a></TD></TR>
<TR><TD>crh</TD> <TD>Charles Henrich <a href="mailto:henrich@crh.cl.msu.edu">henrich@crh.cl.msu.edu</a></TD></TR>
<TR><TD>dc</TD> <TD>Dan Cross <a href="mailto:tenser@spitfire.ecsel.psu.edu">tenser@spitfire.ecsel.psu.edu</a></TD></TR>
<TR><TD>dg*</TD> <TD>David Greenman <a href="mailto:davidg@FreeBSD.org">davidg@FreeBSD.org</a></TD></TR>
<TR><TD>din</TD> <TD>Dinesh Nair <a href="mailto:dinesh@alphaque.com">dinesh@alphaque.com</a></TD></TR>
<TR><TD>dn</TD> <TD>David Nugent <a href="mailto:davidn@labs.usn.blaze.net.au">davidn@labs.usn.blaze.net.au</a></TD></TR>
<TR><TD>dz</TD> <TD>Danny J. Zerkel <a href="mailto:dzerkel@phofarm.com">dzerkel@phofarm.com</a></TD></TR>
<TR><TD>eh</TD> <TD>Elijah Hempstone <a href="mailto:avatar@gandalf.bss.sol.net">avatar@gandalf.bss.sol.net</a></TD></TR>
<TR><TD>eh</TD> <TD>Ernest Hua <a href="mailto:hua@chromatic.com">hua@chromatic.com</a></TD></TR>
<TR><TD>ejc</TD> <TD>Eric J. Chet <a href="mailto:ejc@gargoyle.bazzle.com">ejc@gargoyle.bazzle.com</a></TD></TR>
<TR><TD>gl</TD> <TD>Giles Lean <a href="mailto:giles@nemeton.com.au">giles@nemeton.com.au</a></TD></TR>
<TR><TD>gvr*</TD> <TD>Guido van Rooij <a href="mailto:guido@FreeBSD.org">guido@FreeBSD.org</a></TD></TR>
<TR><TD>gw</TD> <TD>Graham Wheeler <a href="mailto:gram@oms.co.za">gram@oms.co.za</a></TD></TR>
<TR><TD>imp*</TD> <TD>Warner Losh <a href="mailto:imp@FreeBSD.org">imp@FreeBSD.org</a></TD></TR>
<TR><TD>jb</TD> <TD>Jim Bresler <a href="mailto:jfb11@inlink.com">jfb11@inlink.com</a></TD></TR>
<TR><TD>jha</TD> <TD>John H. Aughey <a href="mailto:jha@cs.purdue.edu">jha@cs.purdue.edu</a></TD></TR>
<TR><TD>jk</TD> <TD>Jerry Kendall <a href="mailto:Jerry@kcis.com">Jerry@kcis.com</a></TD></TR>
<TR><TD>jkh*</TD> <TD>Jordan K. Hubbard <a href="mailto:jkh@FreeBSD.org">jkh@FreeBSD.org</a></TD></TR>
<TR><TD>jm</TD> <TD>Josef Moellers <a href="mailto:mollers.pad@sni.de">mollers.pad@sni.de</a></TD></TR>
<TR><TD>jmb*</TD> <TD>Jonathan M. Bresler <a href="mailto:jmb@FreeBSD.org">jmb@FreeBSD.org</a></TD></TR>
<TR><TD>joe*</TD> <TD>Joe Greco <a href="mailto:jgreco@solaria.sol.net">jgreco@solaria.sol.net</a></TD></TR>
<TR><TD>ki</TD> <TD>Kenneth Ingham <a href="mailto:ingham@i-pi.com">ingham@i-pi.com</a></TD></TR>
<TR><TD>ky*</TD> <TD>Kazutaka YOKOTA <a href="mailto:yokota@zodiac.mech.utsunomiya-u.ac.jp">yokota@zodiac.mech.utsunomiya-u.ac.jp</a></TD></TR>
<TR><TD>marc</TD> <TD>Marc Slemko <a href="mailto:marcs@znep.com">marcs@znep.com</a></TD></TR>
<TR><TD>md</TD> <TD>Matt Dillon <a href="mailto:dillon@best.net">dillon@best.net</a></TD></TR>
<TR><TD>mr</TD> <TD>Mike Romaniw <a href="mailto:msr@cuc.com">msr@cuc.com</a></TD></TR>
<TR><TD>mrvm*</TD> <TD>Mark Murray <a href="mailto:mark@grondar.za">mark@grondar.za</a></TD></TR>
<TR><TD>or*</TD> <TD>Ollivier Robert <a href="mailto:roberto@keltia.freenix.fr">roberto@keltia.freenix.fr</a></TD></TR>
<TR><TD>pb</TD> <TD>Peter Blake <a href="mailto:ppb@baloo.tcp.co.uk">ppb@baloo.tcp.co.uk</a></TD></TR>
<TR><TD>peter*</TD> <TD>Peter Wemm <a href="mailto:peter@FreeBSD.org">peter@FreeBSD.org</a></TD></TR>
<TR><TD>phk*</TD> <TD>Poul-Henning Kamp <a href="mailto:phk@FreeBSD.org">phk@FreeBSD.org</a></TD></TR>
<TR><TD>pst*</TD> <TD>Paul Traina <a href="mailto:pst@FreeBSD.org">pst@FreeBSD.org</a></TD></TR>
<TR><TD>rb</TD> <TD>Reinier Bezuidenhout <a href="mailto:rbezuide@oskar.nanoteq.co.za">rbezuide@oskar.nanoteq.co.za</a></TD></TR>
<TR><TD>rd</TD> <TD>Rajiv Dighe <a href="mailto:rajivd@sprynet.com">rajivd@sprynet.com</a></TD></TR>
<TR><TD>rel</TD> <TD>Roger Espel Llima <a href="mailto:espel@llaic.univ-bpclermont.fr">espel@llaic.univ-bpclermont.fr</a></TD></TR>
<TR><TD>rjk</TD> <TD>Richard J Kuhns <a href="mailto:rjk@grauel.com">rjk@grauel.com</a></TD></TR>
<TR><TD>rm</TD> <TD>Robin Melville <a href="mailto:robmel@nadt.org.uk">robmel@nadt.org.uk</a></TD></TR>
<TR><TD>rs</TD> <TD>Robert Sexton <a href="mailto:robert@kudra.com">robert@kudra.com</a></TD></TR>
<TR><TD>sc</TD> <TD>Sergei Chechetkin <a href="mailto:csl@whale.sunbay.crimea.ua">csl@whale.sunbay.crimea.ua</a></TD></TR>
<TR><TD>tao</TD> <TD>Brian Tao <a href="mailto:taob@risc.org">taob@risc.org</a></TD></TR>
<TR><TD>tdr</TD> <TD>Thomas David Rivers <a href="mailto:ponds!rivers@dg-rtp.dg.com">ponds!rivers@dg-rtp.dg.com</a></TD></TR>
<TR><TD>witr</TD> <TD>Robert Withrow <a href="mailto:witr@rwwa.com">witr@rwwa.com</a></TD></TR>
<TR><TD>xaa</TD> <TD>Mark Huizer <a href="mailto:xaa@stack.nl">xaa@stack.nl</a></TD></TR>
</TABLE>

<h3>* = Has CVS commit privileges.</h3>

&footer;

</BODY>
</HTML>