Message-ID: <4F09A1A6.60502@redhat.com>
Date: Sun, 08 Jan 2012 16:01:10 +0200
From: Dor Laor
References: <4F071111.6080306@us.ibm.com> <4F071C70.8070803@linux.vnet.ibm.com> <20120106172500.GE25451@sequoia.sous-sol.org>
In-Reply-To: <20120106172500.GE25451@sequoia.sous-sol.org>
Subject: Re: [Qemu-devel] [RFC] QEMU Code Audit Team
Reply-To: dlaor@redhat.com
To: Chris Wright
Cc: Chris Wright, Anthony Liguori, Stefan Hajnoczi, Corey Bryant, qemu-devel, Markus Armbruster, Avi Kivity

On 01/06/2012 07:25 PM, Chris Wright wrote:
> * Corey Bryant (coreyb@linux.vnet.ibm.com) wrote:
>> Count me in for step 2. A good approach may be to run a static
>> analysis tool against the code, followed by a manual scan of the
>> code for common vulnerabilities that static analysis can't find.
>
> Good idea. Folks are already running things like Coverity. The false
> positive rate is high enough that it's a lot to wade through at first
> (so extra eyes could be quite helpful here). Perhaps the people who
> are involved in this could share some of their findings.

Markus has already done a pretty extensive review and cleanup using
Coverity. I'm not sure if he managed to cover all the real issues, have you?

btw: in case a real security flaw is detected, I'd like to ask the audit
volunteering folks to report a CVE [1] and not to disclose the info till
an embargo is raised. I think that kvm and qemu need to have a security
page like this: http://www.webkit.org/security/

Cheers,
Dor

[1] http://oss-security.openwall.org/wiki/disclosure/cve

>
> thanks,
> -chris
>