
RE: where to start?

On 09-Jun-2000 Rik van Riel wrote:
> 4) other, non-security bugs in the code .. no doubt we'll
>    encounter these when we take a closer look at the code
>    (also, these could be outside of the scope of this
>    project ???)

I disagree here. Especially the bugs that look safe in the 
beginning turn out to be security bugs. One strong point in
the OpenBSD audit was/is that every bug was fixed. There have
been a number of times where security bugs in other BSDs 
were found and OpenBSD turned out to be safe because they
had fixed a seemingly harmless bug. (see their webpage)

Which brings me to my next question. How far should we go? 
Imagine a function that just can't take a null pointer as
an argument. Every caller checks to make sure that no null 
pointer is passed. Should we introduce an extra sanity check
in that function to make absolutely sure? If we do that we
prevent a lot of future bugs from happening. On the other 
hand we can forget about mainstream kernel inclusion.

What is our goal? Writing an as-secure-as-possible kernel 
or an as-secure-as-Alan-will-let-us kernel?

        me

By the way, I think the TCP/IP code needs a good looking 
over. A lot of DoS attacks have been seen there.

Kernel-audit:  discussion list for security and the linux kernel
Archive:       http://mail.nl.linux.org/kernel-audit/
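The callee-side sanity check the mail asks about, as an added example that is not part of the original post or of any kernel code. It is a constructed illustration: the `struct rec` type, the `lookup_flags_*` functions, the two callers and the `null_args_caught` counter are all made up here. The point it shows is that the extra check in the callee costs one comparison, turns a future caller's forgotten check into a clean error instead of a NULL dereference, and (via the counter, standing in for a log message) tells the auditor which caller is broken.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example (not from the kernel): a record whose flags
 * callers want to read. */
struct rec {
    uint32_t id;
    uint32_t flags;
};

/* Stand-in for the kernel's -EINVAL convention. */
#define EINVAL_LOCAL 22

/* Stand-in for a log line: counts how often the callee caught a NULL
 * that a caller should have rejected. An auditor reading the log can
 * then find the caller that forgot its check. */
unsigned long null_args_caught = 0;

/* Version 1: trusts its callers, as the mail describes. Every current
 * caller checks for NULL, so this works today; a new caller that forgets
 * the check dereferences NULL here. */
uint32_t lookup_flags_trusting(const struct rec *r)
{
    return r->flags;
}

/* Version 2: re-checks in the callee. Returns 0 and fills *out on
 * success, -EINVAL_LOCAL if either pointer is NULL. */
int lookup_flags_checked(const struct rec *r, uint32_t *out)
{
    if (r == NULL || out == NULL) {
        null_args_caught++;          /* the log message an auditor would grep for */
        return -EINVAL_LOCAL;
    }
    *out = r->flags;
    return 0;
}

/* A caller written the way the mail assumes: it validates first, so the
 * callee's check is never exercised from here. */
int careful_caller(const struct rec *r, uint32_t *out)
{
    if (r == NULL || out == NULL)
        return -EINVAL_LOCAL;
    return lookup_flags_checked(r, out);
}

/* A caller added later that forgot the check. With the trusting callee
 * this would be a NULL dereference; with the checked callee it is a
 * reported error and the caller keeps running. */
int forgetful_caller(const struct rec *r, uint32_t *out)
{
    return lookup_flags_checked(r, out);
}

int main(void)
{
    struct rec r = { 7, 0x5 };
    uint32_t flags = 0;

    printf("careful(NULL)   -> %d\n", careful_caller(NULL, &flags));
    printf("forgetful(NULL) -> %d (caught %lu)\n",
           forgetful_caller(NULL, &flags), null_args_caught);
    printf("forgetful(&r)   -> %d, flags=%u\n",
           forgetful_caller(&r, &flags), flags);
    return 0;
}
```

The trade-off the mail raises is visible in the two versions: `lookup_flags_trusting` is what a maintainer who rejects redundant checks would keep, and `lookup_flags_checked` is the defensive form; the only runtime cost is the comparison, and the only behavioural difference appears when a caller is wrong.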