From: Corey Bryant <coreyb@linux.vnet.ibm.com>
To: kernel-hardening@lists.openwall.com
Cc: Kees Cook <keescook@chromium.org>,
Julia Lawall <julia.lawall@lip6.fr>,
James Morris <jmorris@namei.org>, Theodore Tso <tytso@google.com>,
Paul Moore <pmoore@redhat.com>, Eric Paris <eparis@redhat.com>,
Tyler Hicks <tyhicks@canonical.com>,
zohar@us.ibm.com, john.johansen@canonical.com,
Dan Carpenter <dan.carpenter@oracle.com>,
Fengguang Wu <fengguang.wu@intel.com>
Subject: Re: [kernel-hardening] Re: Linux Security Workgroup
Date: Mon, 08 Oct 2012 13:52:02 -0400
Message-ID: <507312C2.3070704@linux.vnet.ibm.com>
In-Reply-To: <CAGXu5jK-=EZ8tmkTZ8eESAFjt9OJoPOOcKTXfmREy4ZMuB13SQ@mail.gmail.com>
On 10/02/2012 06:17 PM, Kees Cook wrote:
> On Tue, Oct 2, 2012 at 9:44 AM, Corey Bryant <coreyb@linux.vnet.ibm.com> wrote:
>>
>>
>> On 10/02/2012 12:23 PM, Kees Cook wrote:
>>>
>>> On Thu, Sep 27, 2012 at 12:26 PM, Corey Bryant
>>> <coreyb@linux.vnet.ibm.com> wrote:
>>>>
>>>> At the Linux Security Summit we began discussing the Linux Security
>>>> Workgroup and some of the efforts that we can focus on.
>>>>
>>>> The charter of the workgroup is to provide on-going security
>>>> verification of Linux kernel subsystems in order to assist in securing
>>>> the Linux Kernel and maintain trust and confidence in the security of
>>>> the Linux ecosystem.
>>>>
>>>> This may include, but is not limited to, topics such as tooling to
>>>> assist in securing the Linux Kernel, verification and testing of
>>>> critical subsystems for vulnerabilities, security improvements for
>>>> build tools, and providing guidance for maintaining subsystem security.
>>>
>>>
>>> Thanks for getting this rolling!
>>>
>>> What are the next steps? Does it make sense to try to gather a list of
>>> active projects to try and see where things currently stand? (i.e who
>>> is actively running smatch, trinity, etc?) Or to call attention to a
>>> specific subsystem that needs direct auditing (e.g. KVM)?
>>>
>>> -Kees
>>>
>>
>> No problem, thanks for the input!
>>
>> I think having a list of active projects is a good place to start.
>
> I know Dan Carpenter is running smatch, as well as Fengguang Wu.
> Getting details on which trees are being scanned would be good.
>
> I know Fengguang Wu is running trinity too.
>
> There is a collection of coccinelle scripts in the tree, but I'm not
> sure if/when those are getting run by anyone. Julia, do you know if
> those are being regularly run?
>
>> Perhaps we can also add desired projects to this list, and if anyone has
>> cycles to cover a project they can put their name to the project.
>
> I was keeping a list of potential hardening work here:
> https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#Upstream_Hardening
> some of it is out of date.
>
>> I'm personally trying to get time allocated to work on KVM fuzzing and/or
>> static analysis in 2013.
>
> Sounds good.
>
>> A wiki probably makes sense for the list. Google sites has wikis. I can
>> start one there unless there are other ideas.
>
> Kernel.org hosts wikis as well, and James Morris already has
> http://kernsec.org/. Perhaps we can use that? James, would this be
> something you'd be okay with?
Here's a start on the wiki. There's not really a whole lot on it other
than what we've discussed on the list, but it's a start. Comments and
updates are very much welcome.
http://kernsec.org/wiki/index.php/Linux_Security_Workgroup
A couple of questions:
* What should the work group's scope be? The charter mentions " ...
on-going security verification of Linux kernel subsystems ... ". I was
thinking it would focus more on items like: fuzzing, static analysis,
education for reviewing code, tooling/build security enhancements. But
I have a feeling it will start to include Kernel development projects too.
* Where should we document inactive, but desired, projects? I know
Kees has https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening
but I'm wondering if it makes sense to keep track of work items on the
same wiki.
--
Regards,
Corey Bryant
Thread overview (14+ messages):
2012-09-27 19:26 [kernel-hardening] Linux Security Workgroup Corey Bryant
2012-10-02 16:23 ` [kernel-hardening] " Kees Cook
2012-10-02 16:44 ` Corey Bryant
2012-10-02 22:17 ` Kees Cook
2012-10-03 5:38 ` Julia Lawall
2012-10-03 5:45 ` Dan Carpenter
2012-10-03 21:59 ` Corey Bryant
2012-10-04 5:29 ` James Morris
2012-10-08 17:52 ` Corey Bryant [this message]
2012-10-08 20:00 ` Kees Cook
2012-10-08 20:59 ` Corey Bryant
2012-10-08 21:11 ` Paul Moore
2012-10-08 21:49 ` Kees Cook
2012-10-09 14:07 ` Corey Bryant