From: Dor Laor <dlaor@redhat.com>
To: Chris Wright <chrisw@sous-sol.org>
Cc: Chris Wright <chrisw@redhat.com>,
Anthony Liguori <aliguori@us.ibm.com>,
Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>,
Corey Bryant <coreyb@linux.vnet.ibm.com>,
qemu-devel <qemu-devel@nongnu.org>,
Markus Armbruster <armbru@redhat.com>,
Avi Kivity <avi@redhat.com>
Subject: Re: [Qemu-devel] [RFC] QEMU Code Audit Team
Date: Sun, 08 Jan 2012 16:01:10 +0200 [thread overview]
Message-ID: <4F09A1A6.60502@redhat.com> (raw)
In-Reply-To: <20120106172500.GE25451@sequoia.sous-sol.org>
On 01/06/2012 07:25 PM, Chris Wright wrote:
> * Corey Bryant (coreyb@linux.vnet.ibm.com) wrote:
>> Count me in for step 2. A good approach may be to run a static
>> analysis tool against the code, followed by a manual scan of the
>> code for common vulnerabilities that static analysis can't find.
>
> Good idea. Folks are already running things like Coverity. The false
> positive rate is high enough that it's a lot to wade through at first
> (so extra eyes could be quite helpful here). Perhaps the people who
> are involved in this could share some of their findings.
Markus already done a pretty extensive review and cleanup using
Coverity. I'm not sure if he managed to cover all the real issues, have you?
btw: in case a real security flaw is detected, I like to ask the audit
volunteering folks to report a CVE [1] and not to disclose the info till
an embargo is raised.
I think that kvm and qemu need to have a security page like this:
http://www.webkit.org/security/
Cheers,
Dor
[1] http://oss-security.openwall.org/wiki/disclosure/cve
>
> thanks,
> -chris
>
next prev parent reply other threads:[~2012-01-08 14:01 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-06 15:19 [Qemu-devel] [RFC] QEMU Code Audit Team Anthony Liguori
2012-01-06 16:01 ` Stefan Hajnoczi
2012-01-06 16:14 ` Stefan Weil
2012-01-06 16:08 ` Corey Bryant
2012-01-06 17:25 ` Chris Wright
2012-01-08 14:01 ` Dor Laor [this message]
2012-01-08 16:54 ` Stefan Hajnoczi
2012-01-06 17:37 ` Chris Wright
2012-01-06 20:02 ` Andreas Färber
2012-01-06 20:42 ` Anthony Liguori
2012-01-07 3:09 ` Peter Maydell
2012-01-07 10:42 ` Stefan Hajnoczi
2012-01-10 12:58 ` Kevin Wolf
2012-01-10 13:22 ` Anthony Liguori
2012-01-10 13:33 ` Kevin Wolf
2012-01-10 13:39 ` Andreas Färber
2012-01-10 14:55 ` Kevin Wolf
2012-01-10 15:41 ` Peter Maydell
2012-01-10 16:31 ` Andreas Färber
2012-01-10 14:21 ` Anthony Liguori
2012-01-10 3:31 ` Zhi Yong Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F09A1A6.60502@redhat.com \
--to=dlaor@redhat.com \
--cc=aliguori@us.ibm.com \
--cc=armbru@redhat.com \
--cc=avi@redhat.com \
--cc=chrisw@redhat.com \
--cc=chrisw@sous-sol.org \
--cc=coreyb@linux.vnet.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.