RE: A place to start

From owner-kernel-audit@nl.linux.org Fri Jun 9 07:34:48 2000 Received: by humbolt.nl.linux.org id ; Fri, 9 Jun 2000 07:34:36 +0200 Received: from mail1.bna.bellsouth.net ([205.152.150.13]:28070 "EHLO mail1.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id convert rfc822-to-8bit; Fri, 9 Jun 2000 07:34:06 +0200 Received: from sQa.speedbros.org (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail1.bna.bellsouth.net (3.3.5alt/0.75.2) with SMTP id BAA28424 for ; Fri, 9 Jun 2000 01:34:04 -0400 (EDT) From: Bryan Paxton Reply-To: evil7@bellsouth.net To: kernel-audit@nl.linux.org Subject: Mission statement for LKAP(rough draft) Date: Fri, 9 Jun 2000 00:29:56 -0500 X-Mailer: KMail [version 1.0.28] Content-Type: text/plain MIME-Version: 1.0 Message-Id: <00060900302703.01508@sQa.speedbros.org> Content-Transfer-Encoding: 8BIT Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list ######################### kernel auditing project ########################### This is a mission statement for a project under way and ready to get going. The Linux kernel auditing project(LKAP). The purpose of this project is self-explanatory. It's an attempt to audit the linux kernel for any security vulnerabilities and/or holes and/or possible vulnerabilities and/or possible holes, and of course without adding more bugs or drawbacks to the existing kernels. The suggested kernels to be audited are 2.0.x kernel series , 2.2.x kernel series, and the 2.3.x/2.4.x kernel series. The group and it's work shall be dealt and worked with via a mailing list. See #EOF on how to subscribe. I feel that this project should have been done a long time ago, not to imply that linux kernel is insecure, but for example the setuid() hole found on June 7 which affected all 2.2.x kernels. This bug was patched in a matter of hours (isn't open source great!). But here's the point, the flaw/function/hole should _NOT_ have existed in the first place. Which is where this project comes into place. There's a few things that differ from this project compared to a few others that are similar. 1) To audit the kernel src code without affecting/breaking/disrupting any other part of the kernel. These will not be additional patches you can downloads (add-ons). This auditing is dealing with the current code in the src, not adding or implementing new functions. 2) To educate kernel developers/hackers on how to securely write code. It is my hopes that kernel developers/hackers new and old will subscribe and post to this mailing list with questions and to share information, and to simply get help with their code(e.g.: Could this function() cause a possible security hole or lead to an exploit ?"), this is the true power of open source and GNU/Linux 3) To be ahead of the game... A perfect example of this are certain proprietary Operating Systems who sit around and wait for a security bug to come to them and not go to bug themselves. Of course this needs no explanation as to why this never works. I feel that kernel developers/hackers are down to earth and pretty logical people and realize that Linux is _NOT_ perfect, that a lot of the code they write, submit, and gets plugged into the kernel is not flawless and more than likely could be improved for security reasons. 4) To provide an operating system to the public. I want to see a linux where the sysadmin doesn't have to watch his back all the time in fear of say some new knfsd exploit or a way to fork()bomb his/her router via a simple mistake in buffer.c 5) To provide a safe linux to the end-user.. Linux is slowly but surely becoming a choice for the desktop user. Most of these users are walking into linux with no knowledge of what potential dangers lie at their finger tips and in their hard drive. Linux has proven to be one of the most secure operating systems, but I feel as linux becomes more popular with the general public this will change, that more kernel security holes and exploits will arise from nowhere and give us a very unpleasant reality check. And at last, this will be no easy project, security auditing never is. It takes man power, skill, and just plain aching time. But I believe if the community of gets together on this one, nothing will stop us and Linux will go on to become the #1 security wise operating system to do this date. Sincerely Bryan Paxton How to subscribe: echo subscribe kernel-audit | mail majordomo@nl.linux.org -- Bryan Paxton "I don't need to sleep or eat, I'll smoke a thousand cigarettes." - Sebadoh Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Fri Jun 9 07:43:29 2000 Received: by humbolt.nl.linux.org id ; Fri, 9 Jun 2000 07:43:17 +0200 Received: from brutus.conectiva.com.br ([200.250.58.146]:13816 "EHLO duckman.distro.conectiva") by humbolt.nl.linux.org with ESMTP id ; Fri, 9 Jun 2000 07:42:46 +0200 Received: from localhost (riel@localhost) by duckman.distro.conectiva (8.9.3/8.8.7) with ESMTP id CAA26829; Fri, 9 Jun 2000 02:42:29 -0300 X-Authentication-Warning: duckman.distro.conectiva: riel owned process doing -bs Date: Fri, 9 Jun 2000 02:42:29 -0300 (BRST) From: Rik van Riel X-Sender: riel@duckman.distro.conectiva To: Bryan Paxton cc: kernel-audit@nl.linux.org Subject: Re: Mission statement for LKAP(rough draft) In-Reply-To: <00060900302703.01508@sQa.speedbros.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list On Fri, 9 Jun 2000, Bryan Paxton wrote: > This is a mission statement for a project under way and ready to > get going. The Linux kernel auditing project(LKAP). It is? If it isn't, please don't lie... :) > The purpose of this project is self-explanatory. It's an attempt > to audit the linux kernel for any security vulnerabilities > and/or holes and/or possible vulnerabilities and/or possible > holes, and of course without adding more bugs or drawbacks to > the existing kernels. The suggested kernels to be audited are > 2.0.x kernel series , 2.2.x kernel series, and the 2.3.x/2.4.x > kernel series. The group and it's work shall be dealt and worked > with via a mailing list. See #EOF on how to subscribe. Sounds good. Maybe you want to put the subscription info both here and at the end of the mail? [snip good reasons] Also, you may want to line-wrap your email at 72 columns :) Other than these minor gripes, I think your announcement is ready for the world ;) regards, Rik -- The Internet is not a network of computers. It is a network of people. That is its real strength. Wanna talk about the kernel? irc.openprojects.net / #kernelnewbies http://www.conectiva.com/ http://www.surriel.com/ Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Fri Jun 9 07:56:11 2000 Received: by humbolt.nl.linux.org id ; Fri, 9 Jun 2000 07:55:55 +0200 Received: from mail1.bna.bellsouth.net ([205.152.150.13]:57784 "EHLO mail1.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id convert rfc822-to-8bit; Fri, 9 Jun 2000 07:55:20 +0200 Received: from sQa.speedbros.org (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail1.bna.bellsouth.net (3.3.5alt/0.75.2) with SMTP id BAA11511; Fri, 9 Jun 2000 01:55:16 -0400 (EDT) From: Bryan Paxton Reply-To: evil7@bellsouth.net To: securedistros@nl.linux.org, security-audit@ferret.lmh.ox.ac.uk, lwn@lwn.net, linux-security@redhat.com, seifried@securityportal.com, BUGTRAQ@SECURITYFOCUS.COM Subject: Mission statement for LKAP(Linux Kernel Auditing Project) Date: Fri, 9 Jun 2000 00:43:30 -0500 X-Mailer: KMail [version 1.0.28] Content-Type: text/plain Cc: kernel-audit@nl.linux.org, kernelnewbies@nl.linux.org MIME-Version: 1.0 Message-Id: <00060900513906.01508@sQa.speedbros.org> Content-Transfer-Encoding: 8BIT Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list ######################### kernel auditing project ########################### This is a mission statement for a project under way and ready to get going. The Linux kernel auditing project(LKAP). The purpose of this project is self-explanatory. It's an attempt to audit the linux kernel for any security vulnerabilities and/or holes and/or possible vulnerabilities and/or possible holes, and of course without adding more bugs or drawbacks to the existing kernels. The suggested kernels to be audited are 2.0.x kernel series , 2.2.x kernel series, and the 2.3.x/2.4.x kernel series. The group and it's work shall be dealt and worked with via a mailing list. How to subscribe: echo subscribe kernel-audit | mail majordomo@nl.linux.org I feel that this project should have been done a long time ago, not to imply that the linux kernel is insecure, but for example the setuid() hole found on June 7 which affected all 2.2.x kernels. This bug was patched in a matter of hours (isn't open source great!). But here's the point, the flaw/function/hole should _NOT_ have existed in the first place. Which is where this project comes into place. There's a few things that differ from this project compared to a few others that are similar. 1) To audit the kernel src code without affecting/breaking/disrupting any other part of the kernel. These will not be additional patches you can downloads (add-ons). This auditing is dealing with the current code in the src, not adding or implementing new functions. 2) To educate kernel developers/hackers on how to securely write code. It is my hopes that kernel developers/hackers new and old will subscribe and post to this mailing list with questions and share information, and to simply get help with their code(e.g.: Could this function() cause a possible security hole or lead to an exploit ?"), this is the true power of open source and GNU/Linux 3) To be ahead of the game... A perfect example of this are certain proprietary Operating Systems who sit around and wait for a security bug to come to them and not go to bug themselves. Of course this needs no explanation as to why this never works. I feel that kernel developers/hackers are down to earth and pretty logical people and realize that Linux is _NOT_ perfect, that a lot of the code they write, submit, and gets plugged into the kernel is not flawless and more than likely could be improved for security reasons. 4) To provide an operating system to the public. I want to see a linux where the sysadmin doesn't have to watch his back all the time in fear of say some new knfsd exploit or a way to fork()bomb his/her router via a simple mistake in buffer.c 5) To provide a safe linux to the end-user.. Linux is slowly but surely becoming a choice for the desktop user. Most of these users are walking into linux with no knowledge of what potential dangers lie at their finger tips and in their hard drive. Linux has proven to be one of the most secure operating systems, but I feel as linux becomes more popular with the general public this will change, that more kernel security holes and exploits will arise from nowhere and give us a very unpleasant reality check. And at last, this will be no easy project, security auditing never is. It takes man power, skill, and just plain aching time. But I believe if the community of gets together on this one, nothing will stop us and Linux will go on to become the #1 security wise operating system to do this date. Sincerely Bryan Paxton How to subscribe: echo subscribe kernel-audit | mail majordomo@nl.linux.org Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Fri Jun 9 12:37:55 2000 Received: by humbolt.nl.linux.org id ; Fri, 9 Jun 2000 12:37:39 +0200 Received: from mail0.bna.bellsouth.net ([205.152.150.12]:46007 "EHLO mail0.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id convert rfc822-to-8bit; Fri, 9 Jun 2000 12:37:18 +0200 Received: from sQa.speedbros.org (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail0.bna.bellsouth.net (3.3.5alt/0.75.2) with SMTP id GAA08980 for ; Fri, 9 Jun 2000 06:37:14 -0400 (EDT) From: Bryan Paxton Reply-To: evil7@bellsouth.net To: kernel-audit@nl.linux.org Subject: Letter to the subscribed Date: Fri, 9 Jun 2000 05:25:41 -0500 X-Mailer: KMail [version 1.0.28] Content-Type: text/plain MIME-Version: 1.0 Message-Id: <00060905333600.05226@sQa.speedbros.org> Content-Transfer-Encoding: 8BIT Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list Hi everyone....... I'm sure most of you already read the my mission statement and know what the goal of this mailing list. is. I would just like to say thank you for your interest in making the Linux kernel more secure. A brief note on encouragement: I urge everyone not to hesistate on asking questions, suggesting ideas and patches, and sharing of information. I know starting the first thread is always an itchy feeling, especially for mailing list of this sort, but don't be shy... Even if you think your question/idea/patch is silly. Even if you don't know how to code(personally I don't) and have something to say, step forward and say it.. Remember voice == power. May the src be with you and the threading begin.... -- Bryan Paxton "I don't need to sleep or eat, I'll smoke a thousand cigarettes." - Sebadoh Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Fri Jun 9 18:31:17 2000 Received: by humbolt.nl.linux.org id ; Fri, 9 Jun 2000 18:31:03 +0200 Received: from shafik-1.dsl.speakeasy.net ([216.254.73.173]:63241 "EHLO shafik.net") by humbolt.nl.linux.org with ESMTP id ; Fri, 9 Jun 2000 18:30:37 +0200 Received: from localhost (shafik@localhost) by shafik.net (8.9.3/8.9.3) with ESMTP id MAA19986 for ; Fri, 9 Jun 2000 12:27:27 -0400 Date: Fri, 9 Jun 2000 16:27:27 +0000 (/etc/localtime) From: shafik@shafik.net To: kernel-audit@nl.linux.org Subject: Hello out there! Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list I am pretty excited about this list, I am currently working on my Master's thesis in Intrusion Detection and I am learning the kernel to build a proof of concept of some ideas I have. Since I have a strong interest in security in general and I need to learn the kernel as intimately as I can, this project came at a good time for me at least. I usually learn the best by just diving into a project. BTW, is there a web page up yet? Do you guys need in helping getting the project rolling, if so what? ========================================================================== --"the more you know and understand the more you must know and understand .. knowledge is an unsatiable hunger .. which makes life easier and at the same time harder .... knowledge is a paradox w/ no resolution just a boundless function of human nature .... knowledge is a trap which we embrace and which we run away from .... and in the end the only escape is death .... or maybe not "-- ========================================================================== -Unite for Java! - http://www.javalobby.org- -This message transmitted on 100% recycled electrons- -Save the whales, Feed the hungry, Free the mallocs- Two cats on a roof, Which one falls off first? The one with the smaller mew. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Fri Jun 9 19:42:29 2000 Received: by humbolt.nl.linux.org id ; Fri, 9 Jun 2000 19:42:05 +0200 Received: from brutus.conectiva.com.br ([200.250.58.146]:22256 "EHLO duckman.distro.conectiva") by humbolt.nl.linux.org with ESMTP id ; Fri, 9 Jun 2000 19:41:39 +0200 Received: from localhost (riel@localhost) by duckman.distro.conectiva (8.9.3/8.8.7) with ESMTP id OAA32692; Fri, 9 Jun 2000 14:40:47 -0300 X-Authentication-Warning: duckman.distro.conectiva: riel owned process doing -bs Date: Fri, 9 Jun 2000 14:40:47 -0300 (BRST) From: Rik van Riel X-Sender: riel@duckman.distro.conectiva To: shafik@shafik.net cc: kernel-audit@nl.linux.org Subject: Re: Hello out there! In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list On Fri, 9 Jun 2000 shafik@shafik.net wrote: > I am pretty excited about this list, I am currently > working on my Master's thesis in Intrusion Detection and I am > learning the kernel to build a proof of concept of some ideas I > have. Cool... > BTW, is there a web page up yet? Do you guys need in > helping getting the project rolling, if so what? I can provide you people with a virtualhost under nl.linux.org or kernelnewbies.org, web space, and all the other things you might need for an online presence. Brian? What direction do you want to take this project? What do you want to organise? regards, Rik -- The Internet is not a network of computers. It is a network of people. That is its real strength. Wanna talk about the kernel? irc.openprojects.net / #kernelnewbies http://www.conectiva.com/ http://www.surriel.com/ Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Fri Jun 9 20:56:10 2000 Received: by humbolt.nl.linux.org id ; Fri, 9 Jun 2000 20:55:46 +0200 Received: from mail1.bna.bellsouth.net ([205.152.150.13]:51596 "EHLO mail1.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id convert rfc822-to-8bit; Fri, 9 Jun 2000 20:55:27 +0200 Received: from sQa.speedbros.org (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail1.bna.bellsouth.net (3.3.5alt/0.75.2) with SMTP id OAA21989 for ; Fri, 9 Jun 2000 14:55:25 -0400 (EDT) From: Bryan Paxton Reply-To: evil7@bellsouth.net To: kernel-audit@nl.linux.org Subject: LKAP webpage Date: Fri, 9 Jun 2000 13:46:34 -0500 X-Mailer: KMail [version 1.0.28] Content-Type: text/plain MIME-Version: 1.0 Message-Id: <00060913514503.00545@sQa.speedbros.org> Content-Transfer-Encoding: 8BIT Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list I given this a second thought due to some feedback I got. Everyone is welcome to work on a webpage for LKAP Simple rules to follow: 1) Keep it simple 2) it's gotta be pretty : ) 3) informative, yet still easy to understand and look at. Nothing to complex or fancy 4) Don't argue with other people that will work on this. try to come to an agreement. So, when ya got something.... post a url where your work can be viewed at. -- Bryan Paxton "I don't need to sleep or eat, I'll smoke a thousand cigarettes." - Sebadoh Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Fri Jun 9 22:09:42 2000 Received: by humbolt.nl.linux.org id ; Fri, 9 Jun 2000 22:09:19 +0200 Received: from mail1.bna.bellsouth.net ([205.152.150.13]:57591 "EHLO mail1.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id ; Fri, 9 Jun 2000 22:08:47 +0200 Received: from adsl-78-129-55.mem.bellsouth.net (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail1.bna.bellsouth.net (3.3.5alt/0.75.2) with ESMTP id QAA21755 for ; Fri, 9 Jun 2000 16:08:45 -0400 (EDT) Date: Fri, 9 Jun 2000 15:05:05 -0500 (CDT) From: Bryan Paxton X-Sender: evil7@sqa.speedbros.org To: kernel-audit@nl.linux.org Subject: CAP_SETUID, does is have a family in the kernel ? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list I thought I would touch on the recent CAP_SETUID bug/hole in the kernel. Better to start at the most recent problem IMHO. As you know this affects kernels < 2.2.16 and 2.3.x kernels(with the acception of -ac11). A good explanation of to exploit this and/or how it works can be found at http://sendmail.net/?feed=000607linuxbug#two Could this possibly have a cousin lying around else where in the kernel ? I think so, the probality of something like this having cousin is very high. The critical value of stomping this out is also high. So I issue a first task: To audit the kernels 2.2.x and 2.3.x for a cousin or a function() similar. But where does everyone begin ? I feel that a security audit divided into sections will benifit more than everyman for his own diving into various parts of the kernel. Where do I personally think we should start ? /usr/src/linux*/fs/ Where better to start than fs, particulary with our devil friend NFS. All flame/feedback/whatever is encouraged. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Fri Jun 9 22:10:50 2000 Received: by humbolt.nl.linux.org id ; Fri, 9 Jun 2000 22:10:33 +0200 Received: from mail1.bna.bellsouth.net ([205.152.150.13]:24057 "EHLO mail1.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id ; Fri, 9 Jun 2000 22:09:56 +0200 Received: from adsl-78-129-55.mem.bellsouth.net (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail1.bna.bellsouth.net (3.3.5alt/0.75.2) with ESMTP id QAA23126; Fri, 9 Jun 2000 16:09:53 -0400 (EDT) Date: Fri, 9 Jun 2000 15:06:13 -0500 (CDT) From: Bryan Paxton X-Sender: evil7@sqa.speedbros.org To: linux-kernel@vger.rutgers.edu cc: kernel-audit@nl.linux.org Subject: Mission statement for LKAP(Linux kernel auditing project) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list This is a mission statement for a project under way and ready to get going. The Linux Kernel Auditing Project (LKAP). The purpose of this project is self-explanatory. It's an attempt to audit the Linux kernel for any security vulnerabilities and/or holes and/or possible vulnerabilities and/or possible holes, and of course without adding more bugs or drawbacks to the existing kernels. The suggested kernels to be audited are 2.0.x kernel series , 2.2.x kernel series, and the 2.3.x/2.4.x kernel series. The group and it's work shall be dealt and worked with via a mailing list. How to subscribe: echo subscribe kernel-audit | mail majordomo@nl.Linux.org I feel that this project should have been done a long time ago, not to imply that the Linux kernel is insecure, but a case in which this project would've helped would be the setuid() hole found on June 7 which affected all 2.2.x kernels. This bug was patched in a matter of hours (isn't open source great!). But here's the point, the flaw/function/hole should _NOT_ have existed in the first place. Which is where this project comes into place. There's a few things that differ from this project compared to a few others that are similar. 1) To audit the kernel source code without affecting/breaking/disrupting any other part of the kernel. These will not be additional patches you can downloads (add-ons). This auditing is dealing with the current code in the source, not adding or implementing new functions. 2) To educate kernel developers/hackers on how to securely write code. It is my hopes that kernel developers/hackers new and old will subscribe and post to this mailing list with questions and share information, and to simply get help with their code(e.g.: Could this function() cause a possible security hole or lead to an exploit ?"), this is the true power of open source and GNU/Linux 3) To be ahead of the game... A perfect example of this are certain proprietary Operating System developers who sit around and wait for a security bug to come to them and not go to find the bug themselves. Of course this needs no explanation as to why this never works. I feel that kernel developers/hackers are down to earth and pretty logical people and realize that Linux is _NOT_ perfect, that a lot of the code they write, submit, and gets plugged into the kernel is not flawless and more than likely could be improved for security reasons. 4) To provide an operating system to the public. I want to see a Linux where the sysadmin doesn't have to watch his back all the time in fear of say some new knfsd exploit or a way to fork()bomb his/her router via a simple mistake in buffer.c 5) To provide a safe Linux to the end-user.. Linux is slowly but surely becoming a choice for the desktop user. Most of these users are walking into Linux with no knowledge of what potential dangers lie at their finger tips and in their hard drive. Linux has proven to be one of the most secure operating systems, but I feel as Linux becomes more popular with the general public this will change, that more kernel security holes and exploits will arise from nowhere and give us a very unpleasant reality check. And at last, this will be no easy project, security auditing never is. It takes man power, skill, and just plain aching time. But I believe if the community gets together on this one, nothing will stop us and Linux will go on to become the #1 security-wise operating system to this date. Sincerely Bryan Paxton How to subscribe: echo subscribe kernel-audit | mail majordomo@nl.Linux.org Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Fri Jun 9 23:09:04 2000 Received: by humbolt.nl.linux.org id ; Fri, 9 Jun 2000 23:08:38 +0200 Received: from mail1.bna.bellsouth.net ([205.152.150.13]:34504 "EHLO mail1.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id ; Fri, 9 Jun 2000 23:08:06 +0200 Received: from adsl-78-129-55.mem.bellsouth.net (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail1.bna.bellsouth.net (3.3.5alt/0.75.2) with ESMTP id RAA02468 for ; Fri, 9 Jun 2000 17:08:05 -0400 (EDT) Date: Fri, 9 Jun 2000 16:04:25 -0500 (CDT) From: Bryan Paxton X-Sender: evil7@sqa.speedbros.org To: kernel-audit@nl.linux.org Subject: #kernel-audit on irc.openprojects.net Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list I've set up a channel for this mailing list. Sometimes it's good for on the fly discussion, then again sometimes it's not. We'll find out : ) connect to irc.openprojects.net with your favorite irc client /join #kernel-audit Bryan Paxton Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Fri Jun 9 23:34:23 2000 Received: by humbolt.nl.linux.org id ; Fri, 9 Jun 2000 23:33:59 +0200 Received: from 24.66.222.70.ab.wave.home.com ([24.66.222.70]:17426 "EHLO mail.com") by humbolt.nl.linux.org with ESMTP id ; Fri, 9 Jun 2000 23:33:32 +0200 Received: (from rayl@localhost) by mail.com (8.9.3/8.9.3) id PAA04756 for kernel-audit@nl.linux.org; Fri, 9 Jun 2000 15:33:26 -0600 Date: Fri, 9 Jun 2000 15:33:26 -0600 From: Ray L To: kernel-audit@nl.linux.org Subject: OpenBSD Message-ID: <20000609153326.G1970@optitech.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0us Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list hi folks just heard about this list, and it sounds like a great idea. i think OpenBSD has done this exact thing a few years back, and has been actively auditing code changes ever since with good results. it may be worth investigating their approach. they do have a wider scope since they also audit the entire userspace codebase. -- ----------------------------------------------------------------------------- Ray Lehtiniemi (rayl@mail.com) (rayl@optitech.com) Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sat Jun 10 00:18:15 2000 Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 00:17:57 +0200 Received: from ip172.gte26.rb1.bel.nwlink.com ([207.202.207.172]:28676 "EHLO speedbros.org") by humbolt.nl.linux.org with ESMTP id ; Sat, 10 Jun 2000 00:17:17 +0200 Received: from jasonc by speedbros.org with local (Exim 3.12 #1 (Debian)) id 130X5R-0000UT-00 for ; Fri, 09 Jun 2000 15:17:09 -0700 Date: Fri, 9 Jun 2000 15:17:09 -0700 To: kernel-audit@nl.linux.org Subject: Re: Mission statement for LKAP(Linux kernel auditing project) Message-ID: <20000609151709.A1877@speedbros.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii User-Agent: Mutt/1.0.1i In-Reply-To: ; from evil7@bellsouth.net on Fri, Jun 09, 2000 at 03:06:13PM -0500 From: Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list If anyone cares, I have put up a quick little webpage hack of the mission statment and will be adding more to it later as time goes on(and if i have any..) its at http://www.nixed.net/doc2.html ANY comments suggestion etc.. let me/list know.. Jason aka slaker Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sat Jun 10 00:25:16 2000 Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 00:24:53 +0200 Received: from mail1.bna.bellsouth.net ([205.152.150.13]:32165 "EHLO mail1.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id convert rfc822-to-8bit; Sat, 10 Jun 2000 00:24:27 +0200 Received: from sQa.speedbros.org (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail1.bna.bellsouth.net (3.3.5alt/0.75.2) with SMTP id SAA24423; Fri, 9 Jun 2000 18:24:23 -0400 (EDT) From: Bryan Paxton Reply-To: evil7@bellsouth.net To: , kernel-audit@nl.linux.org Subject: Re: Mission statement for LKAP(Linux kernel auditing project) Date: Fri, 9 Jun 2000 17:20:20 -0500 X-Mailer: KMail [version 1.0.28] Content-Type: text/plain References: <20000609151709.A1877@speedbros.org> In-Reply-To: <20000609151709.A1877@speedbros.org> MIME-Version: 1.0 Message-Id: <00060917203807.00783@sQa.speedbros.org> Content-Transfer-Encoding: 8BIT Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list Good work so far : ) On Fri, 09 Jun 2000, jasonc@speedbros.org wrote: > If anyone cares, I have put up a quick little webpage hack of the mission statment and will be adding more to it later as time goes on(and if i have any..) its at http://www.nixed.net/doc2.html > > ANY comments suggestion etc.. let me/list know.. > > > Jason > aka slaker > > > Kernel-audit: discussion list for security and the linux kernel > Archive: http://mail.nl.linux.org/kernel-audit/ -- Bryan Paxton "How should I know if it works? That's what beta testers are for. I only coded it." -- Linus Torvalds. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sat Jun 10 01:00:06 2000 Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 00:59:43 +0200 Received: from brutus.conectiva.com.br ([200.250.58.146]:52980 "EHLO conectiva.com.br") by humbolt.nl.linux.org with ESMTP id ; Sat, 10 Jun 2000 00:59:14 +0200 Received: from localhost (riel@localhost) by conectiva.com.br (8.9.3/8.8.7) with ESMTP id TAA02568 for ; Fri, 9 Jun 2000 19:59:07 -0300 Date: Fri, 9 Jun 2000 19:59:07 -0300 (BRST) From: Rik van Riel X-Sender: riel@duckman.distro.conectiva To: kernel-audit@nl.linux.org Subject: where to start? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list Hi, this list seems to have gathered about 100 people now, presumably all interested in squishing out some bugs from the Linux kernel. What I'm curious about is which bugs people would be worried about. Which bugs *should* we worry about? AFAICS we should encounter 4 types of bugs when searching through the code: 1) "crashme" bugs, system calls and other places where the kernel crashes when confronted with faulty data 2) security bugs, exploiting bugs in the code, a user is able to gain priveledges the user should not have (eg. the CAP_SETUID bug ... would there be more of these in the capability code???) 3) stability bugs where the user can "exploit" some special situation to make the kernel behave badly or crash (eg. write to a file you're truncating, confusing buffer.c and various other places) 4) other, non-security bugs in the code .. no doubt we'll encounter these when we take a closer look at the code (also, these could be outside of the scope of this project ???) Bugs of category 1) and 3) could be found by non-programmers too, by simply stressing the machine heavily until a bug is hit. Typical "overload tests" and crashme could be of help in this. Category 2), though, will require people to take a look at the code and actually audit code paths in the kernel. This will be more difficult work, but more fun for some of us. In the process of looking for category 2) bugs, we'll probably also uncover some bugs of category 4) ... I guess some of the first steps we could take are: - collecting some programs and test scripts to look for 1) and 3) bugs .. and to make it easy for non-programmers to setup their box as stress-test machine - identify "suspect" areas of the kernel that should be looked at in more detail Does anybody have some ideas on where we should start? Web hosting and other stuff can be done on nl.linux.org, so no need to worry about needed facilities... regards, Rik -- The Internet is not a network of computers. It is a network of people. That is its real strength. Wanna talk about the kernel? irc.openprojects.net / #kernelnewbies http://www.conectiva.com/ http://www.surriel.com/ Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sat Jun 10 01:35:19 2000 Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 01:34:54 +0200 Received: from mail2.bna.bellsouth.net ([205.152.150.14]:47088 "EHLO mail2.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id convert rfc822-to-8bit; Sat, 10 Jun 2000 01:34:29 +0200 Received: from sQa.speedbros.org (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail2.bna.bellsouth.net (3.3.5alt/0.75.2) with SMTP id TAA14160 for ; Fri, 9 Jun 2000 19:34:27 -0400 (EDT) From: Bryan Paxton Reply-To: evil7@bellsouth.net To: kernel-audit@nl.linux.org Subject: Fwd: Re: where to start? Date: Fri, 9 Jun 2000 18:30:21 -0500 X-Mailer: KMail [version 1.0.28] Content-Type: text/plain MIME-Version: 1.0 Message-Id: <0006091830460A.00783@sQa.speedbros.org> Content-Transfer-Encoding: 8BIT Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list I agree with everything that you have posted. revising on my previous post: as I stated I think the first place to look would be in fs/ Not only could the coders do this, but the stress testers as well, via exploits. Maybe dig up an old knfsd exploit againt the kernel it was written for, see how the exploit worked/works. Then compare the code to the current nfs src code in the kernel. > > Bugs of category 1) and 3) could be found by non-programmers > too, by simply stressing the machine heavily until a bug is > hit. Typical "overload tests" and crashme could be of help in > this. See above > > Category 2), though, will require people to take a look at the > code and actually audit code paths in the kernel. This will be > more difficult work, but more fun for some of us. In the process > of looking for category 2) bugs, we'll probably also uncover > some bugs of category 4) ... > This is the tough part. What I propose is section by section of the kernel. Lets look at some of the old kernels and their bugs and once again compare it to current src code. Find bugs... improve the code. And yes I again I propose that this 'section by section' idea be started in fs/ > I guess some of the first steps we could take are: > - collecting some programs and test scripts to look for > 1) and 3) bugs .. and to make it easy for non-programmers > to setup their box as stress-test machine > - identify "suspect" areas of the kernel that should be > looked at in more detail > Some places where you can get old scripts and exploits: rootshell.com, packetstorm.securify.com, and securityfocus.com Don't take any exploit code or text for granted. It all matters in the improvement of the kernel Final words: Though I do suggest a 'section by section' this is only a sugestion... If you feel you're better in mm/ then by all means go for it. And always remember to express yourself freely on this list : ) Aside from fs/ Why don't we start in mm/ as I see this as a critical area of security audit. Nothing worse than getting buffer overflowed and having a production server go down that over 10,000 people rely on. But how would we get started on this ? Bryan Paxton "How should I know if it works? That's what beta testers are for. I only coded it." -- Linus Torvalds. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sat Jun 10 01:51:28 2000 Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 01:51:05 +0200 Received: from mail.arobas.net ([205.205.36.6]:24324 "EHLO mail.arobas.net") by humbolt.nl.linux.org with ESMTP id ; Sat, 10 Jun 2000 01:50:37 +0200 Received: from dialin156.arobas.net (qmailr@ppp22.arobas.net [205.205.36.92]) by mail.arobas.net (8.9.3/8.9.3) with SMTP id TAA05882 for ; Fri, 9 Jun 2000 19:47:00 -0400 (EDT) Received: (qmail 905 invoked by uid 1000); 9 Jun 2000 23:46:42 -0000 Date: Fri, 9 Jun 2000 19:46:42 -0400 From: Jerome Etienne To: Bryan Paxton Cc: kernel-audit@nl.linux.org Subject: Re: Fwd: Re: where to start? Message-ID: <20000609194641.A894@long-haul.net> Reply-To: jetienne@arobas.net References: <0006091830460A.00783@sQa.speedbros.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii User-Agent: Mutt/1.0i In-Reply-To: <0006091830460A.00783@sQa.speedbros.org>; from evil7@bellsouth.net on Fri, Jun 09, 2000 at 06:30:21PM -0500 Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list On Fri, Jun 09, 2000 at 06:30:21PM -0500, Bryan Paxton wrote: > as I stated I think the first place to look would be in fs/ I would suggest to first study the past to avoid to repeat it. Maybe to establish a list of kernel bugs seen in the past and possibly classify them. Some OSs (e.g. openbsd) have already done that in the past. How did they proceed ? bruce shneier, well known in security, has a moto 'security is a process, not a product'. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sat Jun 10 01:59:58 2000 Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 01:59:34 +0200 Received: from zzz-063254120005.splitrock.net ([63.254.120.5]:6869 "EHLO pony.arbros.com") by humbolt.nl.linux.org with ESMTP id ; Sat, 10 Jun 2000 01:59:02 +0200 Received: from arbros1.arbros.com (unknown [172.25.4.1]) by pony.arbros.com (Postfix) with ESMTP id 8ACF41DF5D; Fri, 9 Jun 2000 23:55:30 +0000 (US/Eastern) Received: by ARBROS1 with Internet Mail Service (5.5.2650.21) id ; Fri, 9 Jun 2000 19:55:31 -0400 Message-ID: From: "Saraf, Suman" To: "'jetienne@arobas.net'" , Bryan Paxton Cc: kernel-audit@nl.linux.org Subject: RE: Fwd: Re: where to start? Date: Fri, 9 Jun 2000 19:59:24 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list Hi All, I seem to agree with this suggestion. Let all of us scout around for already known bugs and then people with higher initiative quotient can put up a webpage where we list them and referrably classify into the categories pointed by Rik. Suman > -----Original Message----- > From: Jerome Etienne [mailto:jetienne@arobas.net] > Sent: Friday, June 09, 2000 7:47 PM > To: Bryan Paxton > Cc: kernel-audit@nl.linux.org > Subject: Re: Fwd: Re: where to start? > > > On Fri, Jun 09, 2000 at 06:30:21PM -0500, Bryan Paxton wrote: > > as I stated I think the first place to look would be in fs/ > > I would suggest to first study the past to avoid to repeat it. > Maybe to establish a list of kernel bugs seen in the past and > possibly classify them. > Some OSs (e.g. openbsd) have already done that in the past. How did > they proceed ? bruce shneier, well known in security, has a moto > 'security is a process, not a product'. > > Kernel-audit: discussion list for security and the linux kernel > Archive: http://mail.nl.linux.org/kernel-audit/ > Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sat Jun 10 09:20:18 2000 Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 09:19:46 +0200 Received: from mail1.bna.bellsouth.net ([205.152.150.13]:23206 "EHLO mail1.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id ; Sat, 10 Jun 2000 09:19:20 +0200 Received: from adsl-78-129-55.mem.bellsouth.net (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail1.bna.bellsouth.net (3.3.5alt/0.75.2) with ESMTP id DAA15470 for ; Sat, 10 Jun 2000 03:19:14 -0400 (EDT) Date: Sat, 10 Jun 2000 02:15:32 -0500 (CDT) From: Bryan Paxton X-Sender: evil7@sqa.speedbros.org To: kernel-audit@nl.linux.org Subject: Some fun ascii on how the webpage might go.... Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list This is how I think the webpage should be layed out, then again... I'm a pretty dry person when it comes to sites like these Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sat Jun 10 09:21:18 2000 Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 09:20:37 +0200 Received: from mail1.bna.bellsouth.net ([205.152.150.13]:43174 "EHLO mail1.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id ; Sat, 10 Jun 2000 09:19:57 +0200 Received: from adsl-78-129-55.mem.bellsouth.net (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail1.bna.bellsouth.net (3.3.5alt/0.75.2) with ESMTP id DAA15792 for ; Sat, 10 Jun 2000 03:19:56 -0400 (EDT) Date: Sat, 10 Jun 2000 02:16:14 -0500 (CDT) From: Bryan Paxton X-Sender: evil7@sqa.speedbros.org To: kernel-audit@nl.linux.org Subject: Sorry about the last post Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list Here's a the ascii ------------------------------------------------------------------------------ title ------------------------------------------------------------------------------ --------------------------------- Brief explanation and link to the mission statement. ----------------- ------------------ | | news | |mail archives task list | |talk back bug archive | |People how to subscribe| |etc......... related sites | | etc.... | | | | | | | | | | | | | | | | ----------------| ------------------ ----------------------------- credits Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sat Jun 10 09:50:40 2000 Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 09:50:17 +0200 Received: from finch-post-10.mail.demon.net ([194.217.242.38]:64262 "EHLO finch-post-10.mail.demon.net") by humbolt.nl.linux.org with ESMTP id ; Sat, 10 Jun 2000 09:49:38 +0200 Received: from notatla.demon.co.uk ([194.222.156.169]) by finch-post-10.mail.demon.net with esmtp (Exim 2.12 #1) id 130g1R-0001Tf-0A; Sat, 10 Jun 2000 07:49:37 +0000 Received: (from lists@localhost) by notatla.demon.co.uk (noyb/noyb) id IAA04327; Sat, 10 Jun 2000 08:50:12 +0100 Date: Sat, 10 Jun 2000 08:50:12 +0100 From: lists@notatla.demon.co.uk Message-Id: <200006100750.IAA04327@notatla.demon.co.uk> To: kernel-audit@nl.linux.org, riel@conectiva.com.br Subject: Re: where to start? Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list > 4) other, non-security bugs in the code .. no doubt we'll > encounter these when we take a closer look at the code > (also, these could be outside of the scope of this > project ???) I say these are in the scope of the project. In OpenBSD they fix any bug they find and happen to fix security bugs by chance. An example I have heard Theo speak about was an obscure combination of 5 minor bugs in lpd where by the time they were announced OpenBSD had squished some of them because they were bugs without noticing security implications. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sat Jun 10 10:04:32 2000 Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 10:03:57 +0200 Received: from mail2.bna.bellsouth.net ([205.152.150.14]:50873 "EHLO mail2.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id convert rfc822-to-8bit; Sat, 10 Jun 2000 10:03:31 +0200 Received: from sQa.speedbros.org (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail2.bna.bellsouth.net (3.3.5alt/0.75.2) with SMTP id EAA19678 for ; Sat, 10 Jun 2000 04:03:29 -0400 (EDT) From: Bryan Paxton Reply-To: evil7@bellsouth.net To: kernel-audit@nl.linux.org Subject: Re: where to start? Date: Sat, 10 Jun 2000 02:59:19 -0500 X-Mailer: KMail [version 1.0.28] Content-Type: text/plain MIME-Version: 1.0 Message-Id: <00061002594702.01066@sQa.speedbros.org> Content-Transfer-Encoding: 8BIT Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list Totally agreed... Following bugs in other software and trying to trace it back to the kernel is an awesome plan. On Sat, 10 Jun 2000, you wrote: > > 4) other, non-security bugs in the code .. no doubt we'll > > encounter these when we take a closer look at the code > > (also, these could be outside of the scope of this > > project ???) > > I say these are in the scope of the project. > > In OpenBSD they fix any bug they find and happen to fix > security bugs by chance. An example I have heard Theo speak > about was an obscure combination of 5 minor bugs in lpd where > by the time they were announced OpenBSD had squished some of > them because they were bugs without noticing security implications. > > > Kernel-audit: discussion list for security and the linux kernel > Archive: http://mail.nl.linux.org/kernel-audit/ -- Bryan Paxton "How should I know if it works? That's what beta testers are for. I only coded it." -- Linus Torvalds. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sat Jun 10 10:58:43 2000 Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 10:58:18 +0200 Received: from imail.knoware.nl ([195.64.48.18]:38412 "EHLO imail.knoware.nl") by humbolt.nl.linux.org with ESMTP id ; Sat, 10 Jun 2000 10:57:48 +0200 Received: from mail.knoware.nl (mail.knoware.nl [195.64.48.17]) by imail.knoware.nl (Postfix) with ESMTP id 82462BD709; Sat, 10 Jun 2000 10:57:42 +0200 (CEST) Received: from heineken.thuis.knoware.nl (dynaisdn-80.knoware.nl [195.64.35.80]) by mail.knoware.nl (Postfix) with ESMTP id 231D9A6CE6; Sat, 10 Jun 2000 10:57:41 +0200 (CEST) Content-Length: 1214 Message-ID: X-Mailer: XFMail 1.4.4 on Linux X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: Date: Sat, 10 Jun 2000 10:58:31 +0200 (CEST) From: Mathijs Mohlmann To: Rik van Riel Subject: RE: where to start? Cc: kernel-audit@nl.linux.org Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list On 09-Jun-2000 Rik van Riel wrote: > 4) other, non-security bugs in the code .. no doubt we'll > encounter these when we take a closer look at the code > (also, these could be outside of the scope of this > project ???) I disagree here. Especially the bugs that look save in the beginning turn out te be security bugs. One strong point in the OpenBSD audit was/is that every bug was fixed. There have been a number of times, where security bugs in other BSDs where found and OpenBSD turned out to be save because they fixed a seemingly hardless bug. (see there webpage) Which brings me to my next question. How far should we go? Imagine a function that just can't take a null pointer as argument. Every caller checks to make sure that no null pointer is passed. Should we introduce in extra sanity check in that function to make absolutly sure? If we do that we prevent a lot of future bugs from happening. On the other hand we can forget about mainstream kernel inclusion. What is out goal? Writing an as-secure-as-possible kernel or an as-secure-as-alan-will-let-us kernel? me By the way, i think the tcp/ip code needs a good looking over. A lot of DoS attacks have been seen here. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sat Jun 10 12:32:04 2000 Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 12:31:40 +0200 Received: from gadolinium.btinternet.com ([194.73.73.111]:62382 "EHLO gadolinium") by humbolt.nl.linux.org with ESMTP id ; Sat, 10 Jun 2000 12:31:15 +0200 Received: from host213-1-188-235.btinternet.com ([213.1.188.235] helo=smtp.btinternet.com) by gadolinium with esmtp (Exim 3.03 #16) id 130iXl-0006gx-00; Sat, 10 Jun 2000 11:31:09 +0100 Received: from neo.local (IDENT:root@neo.local [172.16.0.4]) by smtp.btinternet.com (8.9.3/8.9.3) with ESMTP id LAA02915; Sat, 10 Jun 2000 11:36:46 +0100 Received: from neo.local (IDENT:dave@neo.local [172.16.0.4]) by neo.local (8.9.3/8.9.3) with ESMTP id LAA31801; Sat, 10 Jun 2000 11:37:47 +0100 Date: Sat, 10 Jun 2000 11:37:40 +0100 (BST) From: Dave Jones X-Sender: dave@neo.local To: Mathijs Mohlmann cc: kernel-audit@nl.linux.org Subject: RE: where to start? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list On Sat, 10 Jun 2000, Mathijs Mohlmann wrote: > Which brings me to my next question. How far should we go? > Imagine a function that just can't take a null pointer as > argument. Every caller checks to make sure that no null > pointer is passed. Should we introduce in extra sanity check > in that function to make absolutly sure? If we do that we > prevent a lot of future bugs from happening. On the other > hand we can forget about mainstream kernel inclusion. What you have to be aware of, is that some of the functions allow NULL inputs and perform in slightly different ways. As code gets more documented, this will become easier. As an example, I recently made a patch that added a check to kmalloc() for 0 byte allocations. When I booted the kernel, I got messages every second from select() allocating 0 bytes. What I didn't know is that it's perfectly valid (though aparently non-sensical) for kmalloc to allocate 0 bytes. It actually returns a ptr to a mem area where you can store 0 bytes :) I think this was a perfect case of someone who didn't really know what he was doing having what he thought was a good idea. Sometimes this pays off, but not always, but don't be afraid to share results. I think the important thing is that even if your findings turn out to be wrong (as mine were in this case), that the code is checked. For the curious, a patch to find out who called a function with 'invalid' arguments looks like this.. + if (size==0) { + printk("DEBUG: kmalloc() called with size==0 !! caller=%p\n", + __builtin_return_address(0)); + } This will print out a hex address for the caller. You can look up the nearest match in System.map to find the function name. regards, -- Dave. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sat Jun 10 17:16:43 2000 Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 17:16:10 +0200 Received: from sierra.newmex.com ([206.183.203.8]:40208 "EHLO sierra.newmex.com") by humbolt.nl.linux.org with ESMTP id ; Sat, 10 Jun 2000 17:15:50 +0200 Received: from jkintl.com (ppp174.newmex.com [206.183.203.174]) by sierra.newmex.com (8.9.1a/8.9.1) with ESMTP id JAA31893; Sat, 10 Jun 2000 09:15:07 -0600 Message-ID: <39425CA0.4A1B6837@jkintl.com> Date: Sat, 10 Jun 2000 09:20:00 -0600 From: John McDermott Organization: J-K International, Ltd. X-Mailer: Mozilla 4.73 [en] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: Rik van Riel CC: kernel-audit@nl.linux.org Subject: Re: where to start? References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list I supose type 3 includes "Misbehavior Bugs" where the system is supposed to* do one thing and does another. That fits somewhat in type 4, but *could* be a security issue as with your truncating example. *"supposed to" as documented by comments or manuals of some sort --john Rik van Riel wrote: > > 3) stability bugs where the user can "exploit" some special > situation to make the kernel behave badly or crash > (eg. write to a file you're truncating, confusing buffer.c > and various other places) > Rik > -- -- John McDermott, Writer and Consultant J-K International, Ltd. V +1 505/377-6293 F +1 505/377-6313 jjm@jkintl.com Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sat Jun 10 20:02:18 2000 Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 20:01:53 +0200 Received: from terra.geo.uu.nl ([131.211.29.16]:60088 "EHLO terra.geo.uu.nl") by humbolt.nl.linux.org with ESMTP id ; Sat, 10 Jun 2000 20:01:27 +0200 Received: from newshub1-work.home.com (newshub1-work.home.com [24.0.0.24]) by terra.geo.uu.nl (8.9.3/8.9.3/TvZ) with ESMTP id UAA24393 for ; Sat, 10 Jun 2000 20:01:25 +0200 (MET DST) Received: from earthlink.net (omhas1A-hfc-0251-d1da1639.ne.coxatwork.com [209.218.22.57] (may be forged)) by newshub1-work.home.com (8.9.1/8.9.1) with ESMTP id LAA00972 for ; Sat, 10 Jun 2000 11:01:10 -0700 (PDT) Message-ID: <3942867B.16FDAB81@earthlink.net> Date: Sat, 10 Jun 2000 13:18:35 -0500 From: Aaron Grothe Organization: Heimdall LInux Incorporated X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14 i586) X-Accept-Language: en MIME-Version: 1.0 To: kernelaudit Subject: A place to start Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list Hi, A simple proposal : Total Bastard Linux (TBL) TBL is designed to provide a higher barrier to programs that run on top of linux as well as more of the kernel itself. It is a new set of kernel patches based upon including some of the well defined patches (openwall, stackguard) and the rest of them, along with some other tightening fixes. The goal is to make a version of the Linux kernel that is intolerant of bad programs and bad modules. It will of course run a subset of the programs available for linux. An example of what I'm referring to is the development of libsafe. Many of the distributions include but do not make libsafe part of the default installation because it will stop some programs from working. However TBL, is designed more to say tough, fix it. Years ago, I had to port a large program from SunOS 4.1.1 on a sparc to SCO unix running on an intel box. Unfortunately we had taken advantage of a variety of nice features in the way SunOS did memory management like padding to word boundaries allowing off by 1 errors in a variety of sections. We eventually ended up writing a malloc replacement to replicate the behavior on SunOS to raise the bar on the SunOS box to the same level as the SCO box. TBL is designed to set a higher bar. If a programmer can get his/her module to run with TBL it is more than likely going to run on other versions of Linux and will be more secure since it has had to comply with a tighter environment. TBL may also have advantages to application writers how can take advantage of a stricter environment. TBL is not designed to replace the hand audit process that the kernel audit project is going to pursue. It is intended to help find those areas that should be audited first. It will also help provide a tool to help make sure that our changes do not introduce new unexpected side effects. I think TBL could be a good first project for the audit project and would provide us with the possibility of gathering some more information on the Linux kernel base. If there is enough interest we could probably put together a reasonable set of patches against the standard kernel. What do you think? Aaron Grothe ========== "The Journey is the Reward" - Old Zen Buddhist Saying Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sat Jun 10 20:12:17 2000 Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 20:11:41 +0200 Received: from gadolinium.btinternet.com ([194.73.73.111]:58499 "EHLO gadolinium") by humbolt.nl.linux.org with ESMTP id ; Sat, 10 Jun 2000 20:11:17 +0200 Received: from host213-1-161-198.btinternet.com ([213.1.161.198] helo=smtp.btinternet.com) by gadolinium with esmtp (Exim 3.03 #16) id 130piz-00019f-00; Sat, 10 Jun 2000 19:11:14 +0100 Received: from neo.local (IDENT:root@neo.local [172.16.0.4]) by smtp.btinternet.com (8.9.3/8.9.3) with ESMTP id TAA04377; Sat, 10 Jun 2000 19:16:52 +0100 Received: from neo.local (IDENT:dave@neo.local [172.16.0.4]) by neo.local (8.9.3/8.9.3) with ESMTP id TAA07242; Sat, 10 Jun 2000 19:17:49 +0100 Date: Sat, 10 Jun 2000 19:17:48 +0100 (BST) From: Dave Jones X-Sender: dave@neo.local To: Aaron Grothe cc: kernelaudit Subject: Re: A place to start In-Reply-To: <3942867B.16FDAB81@earthlink.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list On Sat, 10 Jun 2000, Aaron Grothe wrote: > TBL is designed to provide a higher barrier to programs that run on top > of linux as well as more of the kernel itself. It is a new set of > kernel patches based upon including some of the well defined patches > (openwall, stackguard) and the rest of them, along with some other > tightening fixes. > What do you think? I think you've missed the point. This is about auditting what we have already, not about bolting on extra security features. regards, -- Dave. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sat Jun 10 21:49:19 2000 Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 21:48:45 +0200 Received: from mail1.bna.bellsouth.net ([205.152.150.13]:23027 "EHLO mail1.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id convert rfc822-to-8bit; Sat, 10 Jun 2000 21:48:05 +0200 Received: from sQa.speedbros.org (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail1.bna.bellsouth.net (3.3.5alt/0.75.2) with SMTP id PAA09243 for ; Sat, 10 Jun 2000 15:48:02 -0400 (EDT) From: Bryan Paxton Reply-To: evil7@bellsouth.net To: kernel-audit@nl.linux.org Subject: Webpage: Something to work with...... Date: Sat, 10 Jun 2000 14:42:17 -0500 X-Mailer: KMail [version 1.0.28] Content-Type: text/plain MIME-Version: 1.0 Message-Id: <00061014441800.00775@sQa.speedbros.org> Content-Transfer-Encoding: 8BIT Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list I put together a lil something..... http://www.nixed.net/evil7/ Of course I'm horrid with html and graphics, none the less just a rough draft of what I think the webpage should be like....... All feedback/comments/suggestions/flame are welcome -- Bryan Paxton "How should I know if it works? That's what beta testers are for. I only coded it." -- Linus Torvalds. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sat Jun 10 23:08:10 2000 Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 23:07:37 +0200 Received: from tele-post-20.mail.demon.net ([194.217.242.20]:40969 "EHLO tele-post-20.mail.demon.net") by humbolt.nl.linux.org with ESMTP id ; Sat, 10 Jun 2000 23:06:56 +0200 Received: from notatla.demon.co.uk ([194.222.156.169]) by tele-post-20.mail.demon.net with esmtp (Exim 2.12 #2) id 130sSx-0001jb-0K; Sat, 10 Jun 2000 21:06:52 +0000 Received: (from lists@localhost) by notatla.demon.co.uk (noyb/noyb) id VAA03343; Sat, 10 Jun 2000 21:43:33 +0100 Date: Sat, 10 Jun 2000 21:43:33 +0100 From: lists@notatla.demon.co.uk Message-Id: <200006102043.VAA03343@notatla.demon.co.uk> To: jjm@jkintl.com, riel@conectiva.com.br Subject: Re: where to start? Cc: kernel-audit@nl.linux.org Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list From: John McDermott > I supose type 3 includes "Misbehavior Bugs" where the system is supposed > to* do one thing and does another. That fits somewhat in type 4, but > *could* be a security issue as with your truncating example. > > *"supposed to" as documented by comments or manuals of some sort And POSIX standards; which I for one could do with knowing better. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sat Jun 10 23:52:12 2000 Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 23:51:36 +0200 Received: from oz.uchicago.edu ([128.135.102.11]:9732 "EHLO oz.uchicago.edu") by humbolt.nl.linux.org with ESMTP id ; Sat, 10 Jun 2000 23:51:10 +0200 Received: from oz.uchicago.edu (IDENT:marty@localhost [127.0.0.1]) by oz.uchicago.edu (8.11.0.Beta1/8.11.0.Beta1) with ESMTP id e5ALp7j01446 for ; Sat, 10 Jun 2000 16:51:08 -0500 Message-Id: <200006102151.e5ALp7j01446@oz.uchicago.edu> X-Mailer: exmh version 2.1.1 10/15/1999 To: kernel-audit@nl.linux.org Subject: Date: Sat, 10 Jun 2000 16:51:07 -0500 From: "Marty Dippel" Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list auth 4c3f2313 subscribe kernel-audit marty@hep.uchicago.edu Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 00:14:51 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 00:14:07 +0200 Received: from octopus.phy.bg.ac.yu ([147.91.80.4]:43844 "EHLO octopus.phy.bg.ac.yu") by humbolt.nl.linux.org with ESMTP id ; Sun, 11 Jun 2000 00:13:40 +0200 Received: (from lynx@localhost) by octopus.phy.bg.ac.yu (8.9.0/8.9.0) id AAA12286; Sun, 11 Jun 2000 00:13:34 +0200 Date: Sun, 11 Jun 2000 00:13:34 +0200 From: Boris Dragovic Message-Id: <200006102213.AAA12286@octopus.phy.bg.ac.yu> To: grothe@earthlink.net, kernel-audit@nl.linux.org Subject: Re: A place to start Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list A simple proposal : Total Bastard Linux (TBL) the idea is very nice but I don't think this is exactly what kernel-audit should be. kernel - audit should focus on discovering security threats and do it fast and efficiently. TBL could be a spin off... lynx Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 00:17:10 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 00:16:24 +0200 Received: from a1a90191.sympatico.bconnected.net ([209.53.19.191]:52485 "EHLO continuum.cm.nu") by humbolt.nl.linux.org with ESMTP id ; Sun, 11 Jun 2000 00:15:03 +0200 Received: (from shane@localhost) by continuum.cm.nu (8.11.0.Beta1/8.11.0.Beta1/Debian 8.11.0-1) id e5AMEls20681 for shane@cm.nu; Sat, 10 Jun 2000 15:14:47 -0700 Received: from humbolt.nl.linux.org (root@humbolt.geo.uu.nl [131.211.28.48]) by continuum.cm.nu (8.11.0.Beta1/8.11.0.Beta1/Debian 8.11.0-1) with ESMTP id e5AAWDx14507 for ; Sat, 10 Jun 2000 03:32:13 -0700 X-Authentication-Warning: continuum.cm.nu: Host root@humbolt.geo.uu.nl [131.211.28.48] claimed to be humbolt.nl.linux.org Received: by humbolt.nl.linux.org id ; Sat, 10 Jun 2000 12:31:40 +0200 Received: from gadolinium.btinternet.com ([194.73.73.111]:62382 "EHLO gadolinium") by humbolt.nl.linux.org with ESMTP id ; Sat, 10 Jun 2000 12:31:15 +0200 Received: from host213-1-188-235.btinternet.com ([213.1.188.235] helo=smtp.btinternet.com) by gadolinium with esmtp (Exim 3.03 #16) id 130iXl-0006gx-00; Sat, 10 Jun 2000 11:31:09 +0100 Received: from neo.local (IDENT:root@neo.local [172.16.0.4]) by smtp.btinternet.com (8.9.3/8.9.3) with ESMTP id LAA02915; Sat, 10 Jun 2000 11:36:46 +0100 Received: from neo.local (IDENT:dave@neo.local [172.16.0.4]) by neo.local (8.9.3/8.9.3) with ESMTP id LAA31801; Sat, 10 Jun 2000 11:37:47 +0100 Date: Sat, 10 Jun 2000 11:37:40 +0100 (BST) From: Dave Jones X-Sender: dave@neo.local To: Mathijs Mohlmann cc: kernel-audit@nl.linux.org Subject: RE: where to start? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list On Sat, 10 Jun 2000, Mathijs Mohlmann wrote: > Which brings me to my next question. How far should we go? > Imagine a function that just can't take a null pointer as > argument. Every caller checks to make sure that no null > pointer is passed. Should we introduce in extra sanity check > in that function to make absolutly sure? If we do that we > prevent a lot of future bugs from happening. On the other > hand we can forget about mainstream kernel inclusion. What you have to be aware of, is that some of the functions allow NULL inputs and perform in slightly different ways. As code gets more documented, this will become easier. As an example, I recently made a patch that added a check to kmalloc() for 0 byte allocations. When I booted the kernel, I got messages every second from select() allocating 0 bytes. What I didn't know is that it's perfectly valid (though aparently non-sensical) for kmalloc to allocate 0 bytes. It actually returns a ptr to a mem area where you can store 0 bytes :) I think this was a perfect case of someone who didn't really know what he was doing having what he thought was a good idea. Sometimes this pays off, but not always, but don't be afraid to share results. I think the important thing is that even if your findings turn out to be wrong (as mine were in this case), that the code is checked. For the curious, a patch to find out who called a function with 'invalid' arguments looks like this.. + if (size==0) { + printk("DEBUG: kmalloc() called with size==0 !! caller=%p\n", + __builtin_return_address(0)); + } This will print out a hex address for the caller. You can look up the nearest match in System.map to find the function name. regards, -- Dave. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 00:26:20 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 00:25:27 +0200 Received: from mail1.bna.bellsouth.net ([205.152.150.13]:218 "EHLO mail1.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id convert rfc822-to-8bit; Sun, 11 Jun 2000 00:25:00 +0200 Received: from sQa.speedbros.org (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail1.bna.bellsouth.net (3.3.5alt/0.75.2) with SMTP id SAA28716 for ; Sat, 10 Jun 2000 18:24:58 -0400 (EDT) From: Bryan Paxton Reply-To: evil7@bellsouth.net To: kernel-audit@nl.linux.org Subject: Re: A place to start Date: Sat, 10 Jun 2000 17:20:52 -0500 X-Mailer: KMail [version 1.0.28] Content-Type: text/plain MIME-Version: 1.0 Message-Id: <00061017211404.00835@sQa.speedbros.org> Content-Transfer-Encoding: 8BIT Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list As far as a spin off, that wasn't my goal... But if the community wishes so more power to you guys : ) kernel-audit is simply to audit the existing code. Not manipulate it, or malform it to get along with a userland program for various security reasons. But great idea none the less.... TBL that is. On Sat, 10 Jun 2000, you wrote: > A simple proposal : Total Bastard Linux (TBL) > > the idea is very nice but I don't think this is exactly what kernel-audit > should be. kernel - audit should focus on discovering security threats and > do it fast and efficiently. TBL could be a spin off... > > lynx > > > Kernel-audit: discussion list for security and the linux kernel > Archive: http://mail.nl.linux.org/kernel-audit/ -- Bryan Paxton "How should I know if it works? That's what beta testers are for. I only coded it." -- Linus Torvalds. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 00:27:18 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 00:25:56 +0200 Received: from mail0.bna.bellsouth.net ([205.152.150.12]:2732 "EHLO mail0.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id convert rfc822-to-8bit; Sun, 11 Jun 2000 00:25:26 +0200 Received: from sQa.speedbros.org (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail0.bna.bellsouth.net (3.3.5alt/0.75.2) with SMTP id SAA07514 for ; Sat, 10 Jun 2000 18:25:24 -0400 (EDT) From: Bryan Paxton Reply-To: evil7@bellsouth.net To: kernel-audit@nl.linux.org Subject: RE: where to start? Date: Sat, 10 Jun 2000 17:21:20 -0500 X-Mailer: KMail [version 1.0.28] Content-Type: text/plain MIME-Version: 1.0 Message-Id: <00061017214005.00835@sQa.speedbros.org> Content-Transfer-Encoding: 8BIT Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list Exactly, please don't by shy to share your finding/ideas... Just do it : ) Maybe you could be wrong on what you're doing or the idea you have, but it could lead to a right idea in the same dept. or possibly another. On the fly innovation : ) On Sat, 10 Jun 2000, you wrote: > On Sat, 10 Jun 2000, Mathijs Mohlmann wrote: > > > Which brings me to my next question. How far should we go? > > Imagine a function that just can't take a null pointer as > > argument. Every caller checks to make sure that no null > > pointer is passed. Should we introduce in extra sanity check > > in that function to make absolutly sure? If we do that we > > prevent a lot of future bugs from happening. On the other > > hand we can forget about mainstream kernel inclusion. > > What you have to be aware of, is that some of the functions > allow NULL inputs and perform in slightly different ways. > As code gets more documented, this will become easier. > > As an example, I recently made a patch that added a check > to kmalloc() for 0 byte allocations. When I booted the > kernel, I got messages every second from select() > allocating 0 bytes. What I didn't know is that it's > perfectly valid (though aparently non-sensical) for > kmalloc to allocate 0 bytes. It actually returns a ptr > to a mem area where you can store 0 bytes :) > > I think this was a perfect case of someone who didn't > really know what he was doing having what he thought > was a good idea. Sometimes this pays off, but not > always, but don't be afraid to share results. > I think the important thing is that even if your > findings turn out to be wrong (as mine were in this > case), that the code is checked. > > > For the curious, a patch to find out who called a function > with 'invalid' arguments looks like this.. > > + if (size==0) { > + printk("DEBUG: kmalloc() called with size==0 !! caller=%p\n", > + __builtin_return_address(0)); > + } > > This will print out a hex address for the caller. > You can look up the nearest match in System.map to > find the function name. > > > regards, > > -- > Dave. > > > Kernel-audit: discussion list for security and the linux kernel > Archive: http://mail.nl.linux.org/kernel-audit/ > > > Kernel-audit: discussion list for security and the linux kernel > Archive: http://mail.nl.linux.org/kernel-audit/ -- Bryan Paxton "How should I know if it works? That's what beta testers are for. I only coded it." -- Linus Torvalds. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 00:51:42 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 00:50:57 +0200 Received: from gateway.navtech.com ([206.79.145.2]:30218 "EHLO gateway.navtech.com") by humbolt.nl.linux.org with ESMTP id ; Sun, 11 Jun 2000 00:50:28 +0200 Received: from birch.navtech.com (birch.navtech.com [198.232.159.118]) by gateway.navtech.com (8.9.1/8.8.3) with ESMTP id PAA30596 for ; Sat, 10 Jun 2000 15:50:26 -0700 Received: from postman.chi.navtech.com (postman.chi.navtech.com [10.8.20.25]) by birch.navtech.com (8.9.1/8.8.3) with ESMTP id PAA21712 for ; Sat, 10 Jun 2000 15:50:25 -0700 Received: by postman.chi.navtech.com with Internet Mail Service (5.5.2650.21) id ; Sat, 10 Jun 2000 17:51:03 -0500 Message-ID: <91468650040FD411A51100104B63E23123AFD8@postman.chi.navtech.com> From: "Bechtolsheim, Stephan" To: kernel-audit@nl.linux.org Subject: RE: A place to start Date: Sat, 10 Jun 2000 17:51:02 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFD32E.5A1ED670" Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFD32E.5A1ED670 Content-Type: text/plain; charset="iso-8859-1" I think it's wrong to deal with more than one kernel - unless there are the resources. 1. Use the newest kernel 2. If there is something serious found, go back and look at the other kernels. It's a matter of resources, such as time and number of people .... My personal opinion. StvB > ------_=_NextPart_001_01BFD32E.5A1ED670 Content-Type: text/html; charset="iso-8859-1" RE: A place to start

I think it's wrong to deal with more than one
kernel - unless there are the resources.

1. Use the newest kernel
2. If there is something serious found, go back and
look at the other kernels.

It's a matter of resources, such as time and number
of people ....

My personal opinion.

StvB
>

------_=_NextPart_001_01BFD32E.5A1ED670-- Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 00:53:20 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 00:52:31 +0200 Received: from smtp3.libero.it ([193.70.192.53]:40087 "EHLO smtp3.libero.it") by humbolt.nl.linux.org with ESMTP id ; Sun, 11 Jun 2000 00:51:46 +0200 Received: from armageddon.allanon.org (151.20.25.217) by smtp3.libero.it; 11 Jun 2000 00:51:43 +0200 Received: by armageddon.allanon.org (Postfix, from userid 0) id AB8CA5FBB; Mon, 12 Jun 2000 16:26:11 +0200 (CEST) Date: Mon, 12 Jun 2000 16:26:11 +0200 From: Gigi Sullivan To: Dave Jones Cc: kernel-audit@nl.linux.org Subject: Re: where to start? Message-ID: <20000612162611.N275@armageddon.libero.it> References:

Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.5i In-Reply-To: ; from Dave Jones on Sat, Jun 10, 2000 at 11:37:40AM +0100 Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list Aiee :) Hello! > On Sat, 10 Jun 2000, Mathijs Mohlmann wrote: > > > Which brings me to my next question. How far should we go? > > Imagine a function that just can't take a null pointer as > > argument. Every caller checks to make sure that no null > > pointer is passed. Should we introduce in extra sanity check > > in that function to make absolutly sure? If we do that we > > prevent a lot of future bugs from happening. On the other > > hand we can forget about mainstream kernel inclusion. We have to take care about performance however. It's true that we should audit kernel sources, but adding too much sanities check could slow down kernel performance and this isn't good. It's true that a simple check (which complexity could be O(1)) is pointless here, but keep in mind that quite often there's a huge call trace on the stack; we call many routines `at a time', and this could slow down operations if too many sanities check were added ... Kernel developers (or wannabe) should use and pass properly arguments to the routines they call. What we should be aware of is about kernel semanthics (see the recent capability issue). This is not a rule, obviously, but it's important. I guess that we have to keep this in mind, always ... All above is IMHO :)) bye bye -- gg sullivan -- Lorenzo Cavallaro `Gigi Sullivan' Until I loved, life had no beauty; I did not know I lived until I had loved. (Theodor Korner) Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 01:00:52 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 01:00:09 +0200 Received: from smtp3.libero.it ([193.70.192.53]:6302 "EHLO smtp3.libero.it") by humbolt.nl.linux.org with ESMTP id ; Sun, 11 Jun 2000 00:59:41 +0200 Received: from armageddon.allanon.org (151.20.25.217) by smtp3.libero.it; 11 Jun 2000 00:59:40 +0200 Received: by armageddon.allanon.org (Postfix, from userid 0) id DDE935FBB; Mon, 12 Jun 2000 16:37:28 +0200 (CEST) Date: Mon, 12 Jun 2000 16:37:28 +0200 From: Gigi Sullivan To: "Bechtolsheim, Stephan" Cc: kernel-audit@nl.linux.org Subject: Re: A place to start Message-ID: <20000612163728.A1192@armageddon.libero.it> References: <91468650040FD411A51100104B63E23123AFD8@postman.chi.navtech.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.5i In-Reply-To: <91468650040FD411A51100104B63E23123AFD8@postman.chi.navtech.com>; from Bechtolsheim, Stephan on Sat, Jun 10, 2000 at 05:51:02PM -0500 Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list Aiee :) Hello! > > I think it's wrong to deal with more than one > kernel - unless there are the resources. This sounds good ... > > 1. Use the newest kernel > 2. If there is something serious found, go back and > look at the other kernels. ... however we should keep in mind that (for example) 2.2.X kernel series won't get dropped right when 2.4.X (stable) will be out. We, maybe, have to check out both newest kernel and the one which is still widly used. > My personal opinion. > > StvB > > above is IMHO :) bye bye -- gg sullivan -- Lorenzo Cavallaro `Gigi Sullivan' Until I loved, life had no beauty; I did not know I lived until I had loved. (Theodor Korner) Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 01:02:09 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 01:00:19 +0200 Received: from ip27.portland.me.pub-ip.psi.net ([38.11.101.27]:19716 "EHLO rivet") by humbolt.nl.linux.org with ESMTP id ; Sun, 11 Jun 2000 00:59:56 +0200 Received: from rbt by rivet with local (Exim 3.13 #1) id 130uBT-0000A8-00 for evil7@bellsouth.net; Sat, 10 Jun 2000 18:56:55 -0400 Date: Sat, 10 Jun 2000 18:56:55 -0400 From: Robert Mognet To: Bryan Paxton Subject: Re: Webpage: Something to work with...... Message-ID: <20000610185655.A623@rivet.rivet.dyndns.org> References: <00061014441800.00775@sQa.speedbros.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: <00061014441800.00775@sQa.speedbros.org>; from evil7@bellsouth.net on Sat, Jun 10, 2000 at 02:42:17PM -0500 Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list Hello Bryan, On Sat, Jun 10, 2000 at 02:42:17PM -0500, Bryan Paxton wrote: > I put together a lil something..... http://www.nixed.net/evil7/ > Of course I'm horrid with html and graphics, none the less just a rough > draft of what I think the webpage should be like....... > > All feedback/comments/suggestions/flame are welcome A small suggestion: http://www.anybrowser.org/campaign/ Robert > > > -- > Bryan Paxton > > "How should I know if it works? That's what beta testers are for. I > only coded it." > -- Linus Torvalds. > > > > Kernel-audit: discussion list for security and the linux kernel > Archive: http://mail.nl.linux.org/kernel-audit/ > Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 01:12:12 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 01:11:38 +0200 Received: from mail2.bna.bellsouth.net ([205.152.150.14]:32992 "EHLO mail2.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id convert rfc822-to-8bit; Sun, 11 Jun 2000 01:11:18 +0200 Received: from sQa.speedbros.org (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail2.bna.bellsouth.net (3.3.5alt/0.75.2) with SMTP id TAA01016 for ; Sat, 10 Jun 2000 19:11:15 -0400 (EDT) From: Bryan Paxton Reply-To: evil7@bellsouth.net To: kernel-audit@nl.linux.org Subject: Yet another web page layout Date: Sat, 10 Jun 2000 18:05:36 -0500 X-Mailer: KMail [version 1.0.28] Content-Type: text/plain MIME-Version: 1.0 Message-Id: <00061018073107.00835@sQa.speedbros.org> Content-Transfer-Encoding: 8BIT Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list Please go see it and tell me what you think(reply to the list not me). http://www.nixed.net/evil7/ All ideas/bitching/whining/flame/crying/stomping your feet around and pulling your hair is appreciated. -- Bryan Paxton "How should I know if it works? That's what beta testers are for. I only coded it." -- Linus Torvalds. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 02:02:53 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 02:01:38 +0200 Received: from vesuri.helsinki.fi ([128.214.205.10]:51460 "EHLO vesuri.Helsinki.FI") by humbolt.nl.linux.org with ESMTP id ; Sun, 11 Jun 2000 02:00:59 +0200 Received: from localhost (ammonton@localhost) by vesuri.Helsinki.FI (8.10.1/8.10.1) with ESMTP id e5B00se08975 for ; Sun, 11 Jun 2000 03:00:54 +0300 (EET DST) X-Authentication-Warning: vesuri.Helsinki.FI: ammonton owned process doing -bs Date: Sun, 11 Jun 2000 03:00:54 +0300 (EET DST) From: Anders M Montonen To: kernel-audit@nl.linux.org Subject: Starting point Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list Although I'm not a kernel hacker (please keep this in mind when reading) I'd like to offer my thoughts on this project, which I find very fascinating. - It would be prudent to draw on the OpenBSD-project's experience. Maybe some of the core crew could be a "guest lecturer"? - Because the Linux development model differs so much from the *BSD one, most methods can probably not be applied directly to this project. - The LKAP should also work preventively by improving kernel (interface) documentation and authoring documents on writing safe code. - Any bugs found should be stomped. As experience has shown (and as has been pointed out here) even bugs deemed harmless can be dangerous. Besides, bugfixed code is good code. - To get the show on the road, I would suggest choosing a core component that has remained relatively stable between the "current" kernel series (2.0 - 2.2 - 2.4) - I would also suggest focusing on the upcoming 2.4 kernel. Auditing the 2.2 kernel would mean creating a rather large "lag". - Once a certain version of the kernel has been audited, there remains the task of auditing all upcoming patches. However, if this project is successful (particularly regarding the educational angle) I predict that this task will become easier as more developers start adhering to the guidelines set out by the LKAP. Hopefully, this would free enough resources to start following the development series kernel. - The development series kernel would have to be followed in some way, the alternative being starting from scratch each time a stable kernel is released. Of course, a completely different route to follow would be to start with the 2.0 kernel, since it is bugfix-only at this stage. -a Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 02:48:25 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 02:47:52 +0200 Received: from mail0.bna.bellsouth.net ([205.152.150.12]:20868 "EHLO mail0.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id ; Sun, 11 Jun 2000 02:47:34 +0200 Received: from adsl-78-129-55.mem.bellsouth.net (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail0.bna.bellsouth.net (3.3.5alt/0.75.2) with ESMTP id UAA12733 for ; Sat, 10 Jun 2000 20:47:31 -0400 (EDT) Date: Sat, 10 Jun 2000 19:43:47 -0500 (CDT) From: Bryan Paxton X-Sender: evil7@sqa.speedbros.org To: kernel-audit@nl.linux.org Subject: Re: Starting point Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list On Sat, 10 Jun 2000, you wrote: > Although I'm not a kernel hacker (please keep this in mind when reading) > I'd like to offer my thoughts on this project, which I find very > fascinating. Who says you have to be a kernel hacker to contribute ? Ideas and voicing yourself is the first step in any project of this magnitude, and I highly encourage it. I don't code myself. > - It would be prudent to draw on the OpenBSD-project's > experience. Maybe some of the core crew could be a "guest lecturer"? Yes surely, advice from the people at OpenBSD developers is nothing but goods. > - The LKAP should also work preventively by improving kernel (interface) > documentation and authoring documents on writing safe code. Education is a key factor in security. Whether someone wants takes the time to sit down and write such a document or how-to remains to be seen : ) > - Any bugs found should be stomped. As experience has shown (and as has > been pointed out here) even bugs deemed harmless can be dangerous. Agreed look at Rik's orginal "Where do we start ?" post. > Besides, bugfixed code is good code. : ) > - To get the show on the road, I would suggest choosing a core component > that has remained relatively stable between the "current" kernel series > (2.0 - 2.2 - 2.4) I think 2.2 would be the best place to start... Even when 2.4 is released most people/servers aren't going to upgrade right away for various reasons. > - I would also suggest focusing on the upcoming 2.4 kernel. Auditing the > 2.2 kernel would mean creating a rather large "lag". See above. Though I do think that some parts of the 2.4 series should be audited first... netfilter, tcp/ip core, and fs. > - Once a certain version of the kernel has been audited, there remains > the task of auditing all upcoming patches. However, if this project is > successful (particularly regarding the educational angle) I predict that > this task will become easier as more developers start adhering to the > guidelines set out by the LKAP. Hopefully, this would free enough > resources to start following the development series kernel. I wish you the best of luck on this one : ) hehe no really, this is a great idea... But EVERYONE must come together on this, which isn't so much unrealistic but that it's gonna be while before this happens IMHO. > Of course, a completely different route to follow would be to start with > the 2.0 kernel, since it is bugfix-only at this stage. > This shall be decided by the majority of the community. This was a brilliant proposal, I hope to see more contributions from you in the near(?) future. -- Bryan Paxton "How should I know if it works? That's what beta testers are for. I only coded it." -- Linus Torvalds. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 03:22:35 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 03:22:02 +0200 Received: from carry.netneo.com ([195.62.128.21]:22545 "EHLO carry.neonet.lv") by humbolt.nl.linux.org with ESMTP id ; Sun, 11 Jun 2000 03:21:43 +0200 Received: from ed.ed (as0b.netneo.com [195.62.135.193]) by carry.neonet.lv (8.9.3/8.9.3) with ESMTP id DAA03951; Sun, 11 Jun 2000 03:21:20 +0200 Received: (from root@localhost) by ed.ed (8.8.7/8.8.5) id BAA19609; Sun, 11 Jun 2000 01:18:44 GMT From: root Date: Sun, 11 Jun 2000 01:18:43 +0000 To: evil7@bellsouth.net, kernel-audit@nl.linux.org Subject: Re: Starting point Message-ID: <3942E8F3.nailF47118D3E@ed.ed> References: X-Mailer: nail 9.13 2000-05-30 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list > > Of course, a completely different route to follow would be to start > > with > > the 2.0 kernel, since it is bugfix-only at this stage. > > This shall be decided by the majority of the community. Umh, let me tell you how it look from a slightly different point of view. I'm still happy with 2.0.38, an old and lazy dino, so bear with me, please, because I'm likely to stay in minority :) Development kernels, as well as recent production versions enjoy massive attention from active kernel developers. This code is being written, tested, patched, reviewed constantly. Let's say it's `in.' Recent cap issue with 2.2.14 was detected and eliminated fast enough, _without_ any help from LKAP per se. `We' are just forming our community, but `they' could already fix the problem. Unlike that, stable or old kernels get less and less eyes, despite of the fact that there are many people like me who are not planning kernel upgrades real soon, because there's no practical need. It ain't broke, so leave it alone. What if we organize not by kernel versions, but by subsystems, or whatever other (buzz)word shall we use. We can start working on the core functionality, like task scheduling, moving to `abstraction' layers like fs or network, then descending to hardware and so on. Of course, in this case roadmap can be more complicated, but it's well worth it IMHO. I believe it's easier and more consistent to take signal.c from every kernel we have at our disposal and dissect it to see how it's written, to study its evolution and to identify possible problems by code comparison. What would you say? --- "Teddy - I suppose Mummy and Daddy are real, aren't they?" Teddy said, "You ask such silly questions, David. Nobody knows what 'real' really means. Let's go indoors." Brian W. Aldiss, Supertoys Last All Summer Long Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 03:31:46 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 03:31:12 +0200 Received: from mail0.bna.bellsouth.net ([205.152.150.12]:6304 "EHLO mail0.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id ; Sun, 11 Jun 2000 03:30:39 +0200 Received: from adsl-78-129-55.mem.bellsouth.net (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail0.bna.bellsouth.net (3.3.5alt/0.75.2) with ESMTP id VAA12566 for ; Sat, 10 Jun 2000 21:30:33 -0400 (EDT) Date: Sat, 10 Jun 2000 20:26:48 -0500 (CDT) From: Bryan Paxton X-Sender: evil7@sqa.speedbros.org To: kernel-audit@nl.linux.org Subject: Re: Starting point Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list Ya know I don't really think the way we go as far as kernel by kernel or file by file really matters. I think what matters how organised it is. I believe either way will work as long as the backend of it all it stable and clean. Though I'm retarded, what do I know : ) On Sat, 10 Jun 2000, you wrote: > > > Of course, a completely different route to follow would be to start > > > with > > > the 2.0 kernel, since it is bugfix-only at this stage. > > > > This shall be decided by the majority of the community. > > Umh, let me tell you how it look from a slightly different point of view. > I'm still happy with 2.0.38, an old and lazy dino, so bear with me, please, > because I'm likely to stay in minority :) > Development kernels, as well as recent production versions enjoy massive > attention from active kernel developers. This code is being written, > tested, patched, reviewed constantly. Let's say it's `in.' > Recent cap issue with 2.2.14 was detected and eliminated fast enough, > _without_ any help from LKAP per se. `We' are just forming our community, > but `they' could already fix the problem. > Unlike that, stable or old kernels get less and less eyes, despite of the > fact that there are many people like me who are not planning kernel > upgrades real soon, because there's no practical need. It ain't broke, so > leave it alone. > What if we organize not by kernel versions, but by subsystems, or > whatever other (buzz)word shall we use. We can start working on the core > functionality, like task scheduling, moving to `abstraction' layers like fs > or network, then descending to hardware and so on. > Of course, in this case roadmap can be more complicated, but it's well > worth it IMHO. I believe it's easier and more consistent to take signal.c > from every kernel we have at our disposal and dissect it to see how it's > written, to study its evolution and to identify possible problems by code > comparison. > > What would you say? -- Bryan Paxton "How should I know if it works? That's what beta testers are for. I only coded it." -- Linus Torvalds. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 03:41:27 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 03:40:37 +0200 Received: from mail0.bna.bellsouth.net ([205.152.150.12]:28326 "EHLO mail0.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id ; Sun, 11 Jun 2000 03:39:58 +0200 Received: from adsl-78-129-55.mem.bellsouth.net (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail0.bna.bellsouth.net (3.3.5alt/0.75.2) with ESMTP id VAA19229 for ; Sat, 10 Jun 2000 21:39:55 -0400 (EDT) Date: Sat, 10 Jun 2000 20:36:10 -0500 (CDT) From: Bryan Paxton X-Sender: evil7@sqa.speedbros.org To: kernel-audit@nl.linux.org Subject: 220+ subcribed to kernel-audit Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list I just did a rough count, and I'm sure everyone will be pleased to know that only after 2 days over 220+ people have subscribed to kernel-audit. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 05:00:17 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 04:59:38 +0200 Received: from charon.lnk.telstra.net ([139.130.100.86]:33048 "EHLO central.charon.net.au") by humbolt.nl.linux.org with ESMTP id ; Sun, 11 Jun 2000 04:59:05 +0200 Received: from localhost (kendall@localhost) by central.charon.net.au (8.9.3/8.9.3) with ESMTP id MAA15443 for ; Sun, 11 Jun 2000 12:58:35 +1000 Date: Sun, 11 Jun 2000 12:58:35 +1000 (EST) From: Kendall Lister Reply-To: kernel-audit@nl.linux.org To: kernel-audit@nl.linux.org Subject: Re: Starting point In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list On Sat, 10 Jun 2000, Bryan Paxton wrote: > On Sat, 10 Jun 2000, you wrote: > > > - The LKAP should also work preventively by improving kernel (interface) > > documentation and authoring documents on writing safe code. > > Education is a key factor in security. Whether someone wants takes the > time to sit down and write such a document or how-to remains to be seen > : ) I have no kernel hacking experience, although I have done a moderate amount of coding and design. I am keen to lend my time to a project like this, but I would need someone with more specific knowledge of the kernel and security in general to write down what I need to look for, and how to fix it. If I could read that, I sometimes have a dozen hours here or there that I would enjoy devoting to improving Linux; as I said, I just need someone to tell me what needs to be done. I imagine that a lot of people with development experience are in a similar situation - quite a useful resource, if only a few people can take the steps necessary to use it. -- Kendall Lister, Systems Operator for Charon I.S. - kendall@charon.net.au Charon Information Services - Friendly, Cheap Melbourne ISP: 9589 7781 Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 05:06:59 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 05:06:23 +0200 Received: from herd.plethora.net ([205.166.146.1]:19915 "EHLO herd.plethora.net") by humbolt.nl.linux.org with ESMTP id ; Sun, 11 Jun 2000 05:05:43 +0200 Received: from cu.mol.plethora.net (cu.mol.plethora.net [205.166.146.50]) by herd.plethora.net (8.9.0/8.9.0) with ESMTP id WAA07184; Sat, 10 Jun 2000 22:05:38 -0500 (CDT) Received: from localhost (dante@localhost) by cu.mol.plethora.net (8.9.3/8.9.3/Debian 8.9.3-6) with ESMTP id VAA19219; Sat, 10 Jun 2000 21:52:29 -0500 Date: Sat, 10 Jun 2000 21:52:29 -0500 (CDT) From: Daniel Taylor X-Sender: dante@cu.mol.plethora.net To: root cc: evil7@bellsouth.net, kernel-audit@nl.linux.org Subject: Re: Starting point In-Reply-To: <3942E8F3.nailF47118D3E@ed.ed> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list Organizing somewhat by specialty is probably good, but only if we take a critical lesson from the OpenBSD project and others like it: If something is a bug in one place, it is probably replicated elsewhere. So say you find an overflow condition in the Vortex driver. There is a good chance that code has inheritance from NE2k and that other drivers inherit from it. Check all the drivers in drivers/net for obvious occurences and post to the list so that others looking at other parts of the kernel can possibly spot less obvious recurrences. The other thing to remember is to be very careful, a lot of bits of code that might look like a problem at first glance are simply the objects of some very wierd optimizations, with problem cases being detected and eliminated elsewhere. That is part of what makes this so challenging. Daniel Taylor Embedded and custom Linux integration. dante@plethora.net (612)747-1609 On Sun, 11 Jun 2000, root wrote: > > > Of course, a completely different route to follow would be to start > > > with > > > the 2.0 kernel, since it is bugfix-only at this stage. > > > > This shall be decided by the majority of the community. > > Umh, let me tell you how it look from a slightly different point of view. > I'm still happy with 2.0.38, an old and lazy dino, so bear with me, please, > because I'm likely to stay in minority :) > Development kernels, as well as recent production versions enjoy massive > attention from active kernel developers. This code is being written, > tested, patched, reviewed constantly. Let's say it's `in.' > Recent cap issue with 2.2.14 was detected and eliminated fast enough, > _without_ any help from LKAP per se. `We' are just forming our community, > but `they' could already fix the problem. > Unlike that, stable or old kernels get less and less eyes, despite of the > fact that there are many people like me who are not planning kernel > upgrades real soon, because there's no practical need. It ain't broke, so > leave it alone. > What if we organize not by kernel versions, but by subsystems, or > whatever other (buzz)word shall we use. We can start working on the core > functionality, like task scheduling, moving to `abstraction' layers like fs > or network, then descending to hardware and so on. > Of course, in this case roadmap can be more complicated, but it's well > worth it IMHO. I believe it's easier and more consistent to take signal.c > from every kernel we have at our disposal and dissect it to see how it's > written, to study its evolution and to identify possible problems by code > comparison. > > What would you say? > > Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 05:29:58 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 05:29:23 +0200 Received: from mail1.bna.bellsouth.net ([205.152.150.13]:35750 "EHLO mail1.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id ; Sun, 11 Jun 2000 05:28:55 +0200 Received: from adsl-78-129-55.mem.bellsouth.net (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail1.bna.bellsouth.net (3.3.5alt/0.75.2) with ESMTP id XAA04114 for ; Sat, 10 Jun 2000 23:28:53 -0400 (EDT) Date: Sat, 10 Jun 2000 22:25:08 -0500 (CDT) From: Bryan Paxton X-Sender: evil7@sqa.speedbros.org To: kernel-audit@nl.linux.org Subject: Re: Starting point Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list On Sat, 10 Jun 2000, Kendall Lister wrote: If you're new to kernel hacking/developing I suggest these two mediums as to becoming familar with it all: 1) echo subscribe kernelnewbies | mail majordomo@.nl.linux.org 2) Connect to irc.openprojects with your favorite irc client and /join #kernelnewbies 3) All of the above : ) > I have no kernel hacking experience, although I have done a moderate > amount of coding and design. I am keen to lend my time to a project like > this, but I would need someone with more specific knowledge of the kernel > and security in general to write down what I need to look for, and how to > fix it. If I could read that, I sometimes have a dozen hours here or there > that I would enjoy devoting to improving Linux; as I said, I just need > someone to tell me what needs to be done. I imagine that a lot of people > with development experience are in a similar situation - quite a useful > resource, if only a few people can take the steps necessary to use it. > > -- > Kendall Lister, Systems Operator for Charon I.S. - kendall@charon.net.au > Charon Information Services - Friendly, Cheap Melbourne ISP: 9589 7781 > > > Kernel-audit: discussion list for security and the linux kernel > Archive: http://mail.nl.linux.org/kernel-audit/ -- Bryan Paxton "How should I know if it works? That's what beta testers are for. I only coded it." -- Linus Torvalds. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 06:02:10 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 06:01:20 +0200 Received: from field.videotron.net ([205.151.222.108]:36033 "EHLO field.videotron.net") by humbolt.nl.linux.org with ESMTP id ; Sun, 11 Jun 2000 06:00:33 +0200 Received: from opersys.com ([24.201.74.207]) by field.videotron.net (Sun Internet Mail Server sims.3.5.1999.12.14.10.29.p8) with ESMTP id <0FVZ00DSL0Z54Z@field.videotron.net> for kernel-audit@nl.linux.org; Sat, 10 Jun 2000 23:42:42 -0400 (EDT) Date: Sat, 10 Jun 2000 23:45:55 -0400 From: Karim Yaghmour Subject: Linux Trace Toolkit for kernel auditing To: kernel-audit@nl.linux.org Message-id: <39430B73.AAC3D350@opersys.com> MIME-version: 1.0 X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-TRACE-RTAI i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en, French/France, fr-FR, French/Canada, fr-CA Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list OK, before anyone replies to this and says that I'm way off and yadi ... yadi ... yada ... about the fact that kernel audit isn't about inserting new stuff in the kernel ... read until the end of the message. For some time now I've been working on the Linux Trace Toolkit. If you aren't aware of it's capabilities, I invite you to take a look at it's home page : http://www.opersys.com/LTT That said, LTT enables it's user to observe every detail of an active kernel ___WITHOUT___ modifying or influencing it's behavior in any way. In the course of this development, it has been suggested at many times that LTT would have the potential of being used as a security auditing tool since it can view all the important kernel events and it records their decription. To facilitate this, I have recently added a facility to LTT that enables any kernel module to register a callback that will be called every time a given event occurs (file-system, network, socket communication, etc.). Having the event description, the callback can then react to a certain event in a certain way. That can range from killing the actual running process to logging the event in a certain way. This, though, is insufficient by itself to build a security auditing system using LTT. Therefore, I've recently added an event-driven state machine engine. The latter takes a state- machine description whose state transitions are caused by the occurence of certain events and calls on functions depending on the current state of the state machine. Therefore, systems could be built where given a certain sequence of events occurs, a certain reaction occurs. For example, let's someone finds a hole in an internet service running on you server. This hole is a buffer overflow bug. He uses this overflow to push on the stack code that will read /etc/passwd and/or /etc/shadow and send it off to some of his IPs. You could have a security auditing state machine that checks for any process that tries to read /etc/passwd or /etc/shadow and tries to send it on the net (since you have access to the raw data you can actually verify this from within your callbacks.) Since any process may be prone to this, it doesn't matter what process caused the problem. The important part is that you caught the culprit and potentially sent it a kill signal. Now this is a simple example and I'm no security expert. Actually I know very little about the subject. But you do get the drift ... so to speak. There is already someone working on this. If you are interested on working on such a system, please let me know, I'll forward your name. You can also reply on this very list (hopefully, I don't get killed over this) since the person I'm speaking of is already subscribed. I also know other people who aren't on this list who would be interested ... If I can help, I'll gladly do so, but, as I said, I'm no security expert. Therefore, I'm willing to help security experts build such a system, but I can't build it myself ... honest. Thank you for reading until the end and simply disregard this message if you think it doesn't belong on this list or it doesn't interest you or both. Thanks and have fun :) Karim P.S.: Building such a system using kernel modules only (i.e. without inserting anything in the kernel) is possible _as long as_ you are using an LTT-patched kernel. Note that you do not have to use any of the user tools that come with LTT or even use the trace module that comes with it to achieve this goal. Just patch the thing and you'll be ok. =================================================== Karim Yaghmour karym@opersys.com Operating System Consultant (Linux kernel, real-time and distributed systems) =================================================== Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 06:13:27 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 06:12:42 +0200 Received: from mail0.bna.bellsouth.net ([205.152.150.12]:43154 "EHLO mail0.bna.bellsouth.net") by humbolt.nl.linux.org with ESMTP id ; Sun, 11 Jun 2000 06:11:54 +0200 Received: from adsl-78-129-55.mem.bellsouth.net (adsl-78-129-55.mem.bellsouth.net [216.78.129.55]) by mail0.bna.bellsouth.net (3.3.5alt/0.75.2) with ESMTP id AAA12171 for ; Sun, 11 Jun 2000 00:11:48 -0400 (EDT) Date: Sat, 10 Jun 2000 23:08:03 -0500 (CDT) From: Bryan Paxton X-Sender: evil7@sqa.speedbros.org To: kernel-audit@nl.linux.org Subject: Re: Linux Trace Toolkit for kernel auditing Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list On Sat, 10 Jun 2000, you wrote: > OK, before anyone replies to this and says that I'm way off > and yadi ... yadi ... yada ... about the fact that kernel audit > isn't about inserting new stuff in the kernel ... read until > the end of the message. I don't think this is far off the subjects of this list at all. In fact I think it's perfect. In two ways: 1. inexperienced users to kernel hacking/auditing could use it for obvious reasons(auditing, double checking, whatever). 2. Experienced users could use it simply to double check their work. As long as you and I understand that LTT will never make it into the kernel, and that you're not trying to get it plugged in either, but simply advocate it so developers who are auditing can plug it into the src code they're hacking up could use it. Then no way man. You are totally on the right track IMHO. Keep up the awesome work.... And this truely is an excellent idea. -- Bryan Paxton "How should I know if it works? That's what beta testers are for. I only coded it." -- Linus Torvalds. Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Sun Jun 11 07:23:05 2000 Received: by humbolt.nl.linux.org id ; Sun, 11 Jun 2000 07:22:31 +0200 Received: from terra.geo.uu.nl ([131.211.29.16]:29889 "EHLO terra.geo.uu.nl") by humbolt.nl.linux.org with ESMTP id ; Sun, 11 Jun 2000 07:22:00 +0200 Received: from smtp.snet.net (smtp.snet.net [204.60.6.55]) by terra.geo.uu.nl (8.9.3/8.9.3/TvZ) with ESMTP id HAA04885 for ; Sun, 11 Jun 2000 07:21:58 +0200 (MET DST) From: mshobe@snet.net Received: from sledge.localdomain ([64.252.32.45]) by smtp.snet.net (8.9.3/8.9.3/SNET-bmx-1.3/D-1.7/O-1.6) with ESMTP id BAA27511 for ; Sun, 11 Jun 2000 01:21:41 -0400 (EDT) Received: from mshobe by sledge.localdomain with local (Exim 3.12 #1 (Debian)) id 1310Br-00005u-00 for ; Sun, 11 Jun 2000 01:21:43 -0400 Date: Sun, 11 Jun 2000 01:21:43 -0400 To: kernel-audit@nl.linux.org Subject: Re: Starting point Message-ID: <20000611012143.A277@cyberzone.net> References: