Reply-To: kernel-hardening@lists.openwall.com
Date: Fri, 1 Feb 2013 18:17:06 +0400
From: Solar Designer
Message-ID: <20130201141705.GA23051@openwall.com>
References: <510A8F11.6050908@linux.vnet.ibm.com> <510ADDAB.3010500@linux.vnet.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <510ADDAB.3010500@linux.vnet.ibm.com>
Subject: Re: [kernel-hardening] Secure Open Source Project Guide
To: kernel-hardening@lists.openwall.com
Cc: Corey Bryant , Kees Cook , Anthony Liguori , Frank Novak , George Wilson , Joel Schopp , Kevin Wolf , Warren Grunbok II
List-ID:

Corey, Kees, all -

Why don't we bring this to the oss-security mailing list? I think this
topic is not in any way specific nor limited to the Linux kernel. There
are ~10x more people on oss-security than on kernel-hardening, and this
topic is a better fit for oss-security than for kernel-hardening.

There is a wiki for the oss-security group, where such content is
welcome. Anyone can register for an account and edit.

Info on the oss-security mailing list:

http://oss-security.openwall.org/wiki/mailing-lists/oss-security

Subscribe here:

http://oss-security.openwall.org/subscribe

(Of course, Kees and many others in here are already on oss-security as
well. Not all, though.)

On Thu, Jan 31, 2013 at 04:10:03PM -0500, Corey Bryant wrote:
> We should probably start by gathering a list of ideas to include in the
> guide. Some initial ideas that come to mind are:
>
> * Secure programming practices ("Secure Programming for Linux
> and Unix HOWTO" is a good reference for Linux though probably
> out of date)

CERT's Secure Coding resources are more current, but they're focused on
programming languages and I think they don't cover operating system
specific pitfalls (e.g., Linux netlink).

> * Performing secure code reviews and detecting common
> vulnerabilities
> * Ensuring code is reviewed by trusted parties and proper patch
> tagging is used
> * Signing of releases, pull requests, patches, commits, etc by
> trusted parties
> * Removing vulnerabilities with automated tooling (Static/Dynamic
> analysis, Fuzzing)

We have some relevant links here:

http://oss-security.openwall.org/wiki/

and more specifically:

http://oss-security.openwall.org/wiki/tools
http://oss-security.openwall.org/wiki/links
http://oss-security.openwall.org/wiki/code-reviews

More content (and better organization of content) on the oss-security
wiki is welcome - including on all topics you listed above.

Thanks,

Alexander