From owner-kernel-audit@nl.linux.org Tue Oct 17 19:16:38 2000 Received: by humbolt.nl.linux.org id ; Tue, 17 Oct 2000 19:15:14 +0200 Received: from adsl-78-129-55.mem.bellsouth.net ([216.78.129.55]:52231 "EHLO sqa.mine.nu") by humbolt.nl.linux.org with ESMTP id ; Tue, 17 Oct 2000 19:14:35 +0200 Received: from localhost (localhost [[UNIX: localhost]]) by sqa.mine.nu (8.11.0/8.10.1) id e9HH23G02353 for kernel-audit@nl.linux.org; Tue, 17 Oct 2000 12:02:03 -0500 From: Bryan Paxton Reply-To: bpaxton@securityportal.com To: kernel-audit@nl.linux.org Subject: Looking for someone to take over. Date: Tue, 17 Oct 2000 12:02:02 -0500 X-Mailer: KMail [version 1.1.95.2] Content-Type: text/plain MIME-Version: 1.0 Message-Id: <00101712020202.01027@sQa> Content-Transfer-Encoding: 8bit Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list I've put this off long enough, and instead of stamping this project as a dead beast, I'm querying as to whether there is anyone out there who like to take over. Your duties would be nothing but taking over as list owner(for this mailing list), help developers manage projects, set goals, etc....... If you feel you're capable of the above please e-mail. And don't just say "Hey, I'll take over" Explain why you want to take over and what you've done for the linux community in the past(be it writing some uber code for the kernel or maintaining the applets and capplets for GNOME). If someone does e-mail which I feel would be the right person for taking over, we'll make it so : ) If no one e-mails me, this list and project will remain as is untill someone else decides to step in, let's hope the above is accomplished. This is where I'd like to applogize to the people who have taken interest in this project and were disapointed by the results so far. I found that I didn't have the time, resources, and was not knowledgable enough to take on some huge project. Or maybe it was just managing skills. Then again, it's not all my fault, this was/is a community effort. But as the project leader or whatever obnoxious title I have/had I have failed. But you win some and you lose some. I'd like to thank Rik Van Riel for giving me the chance to try to pull this together. I'd also like to thank some of the people that tried to help pull a web page as well as bug tracking tools, project status, goals tracker, and other various web interfaces for dealing with such a huge project. Whatever time you put in is and was appreciated. slaker slaker@dynup.net Sachmet petek@bsod.net sonoffreak mesmd@rhodes.edu Thanks and sorry(depending). -- Bryan Paxton SecurityPortal, your focal point for security on the net. http://www.securityportal.com/ Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Wed Oct 18 02:30:17 2000 Received: by humbolt.nl.linux.org id ; Wed, 18 Oct 2000 02:28:53 +0200 Received: from praseodumium.btinternet.com ([194.73.73.82]:21646 "EHLO praseodumium.btinternet.com") by humbolt.nl.linux.org with ESMTP id ; Wed, 18 Oct 2000 02:28:25 +0200 Received: from [62.7.4.88] (helo=trinity.local) by praseodumium.btinternet.com with esmtp (Exim 3.03 #83) id 13lh5j-00005s-00 for kernel-audit@nl.linux.org; Wed, 18 Oct 2000 01:28:23 +0100 Received: from neo.local (davej@neo.local [172.16.0.4]) by trinity.local (8.9.3/8.9.3) with ESMTP id BAA04741 for ; Wed, 18 Oct 2000 01:28:22 +0100 From: davej@suse.de Date: Wed, 18 Oct 2000 01:28:14 +0100 (BST) X-Sender: davej@neo.local To: kernel-audit@nl.linux.org Subject: Re: Looking for someone to take over. In-Reply-To: <00101712020202.01027@sQa> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list On Tue, 17 Oct 2000, Bryan Paxton wrote: > I've put this off long enough, and instead of stamping this project as a dead > beast, I'm querying as to whether there is anyone out there who like to take > over. > Your duties would be nothing but taking over as list owner(for this mailing > list), help developers manage projects, set goals, etc....... I think this project had good intentions, which were unfortunatly satisfied through existing lists/channels. Members of the security-audit list for example occasionally audit parts of the kernel and either report to their own list, or to linux-kernel. I'd like this list to remain, but only if someone actually intends to use it for the purpose it was originally set up for, and not have it turn into a list for "Wouldn't it be cool if we had xxx feature". A lot of people seemed to have missed the point that the idea was not to add _anything_ to the kernel, but to go through checking what we had already, making lists of routines that don't check their input conditions properly, routines that sleep and checking that nothing calls them with a lock held etc etc.. Other ideas: - The sorts of things the Stanford students who posted to Linux Kernel a few months ago. Their tests showed up a _lot_ of places we do bad things. If someone would be prepared to take those results and just confirm that they're still true for the latest kernel, it would be a good start. - Someone even submitted lclint outputs to l-k once which turned up a few previously unnoticed bugs. - Tytso's TODO list still shows a lot of areas that could be classed as auditting. - The sort of things that Arnaldo Carvalho de Melo has been posting umpteen patches to l-k. Mostly things like updating drivers to use newer interfaces. The kernel is still carrying a lot of old backage because of this. And remember, if we kill off the old interface, that's less code that needs auditting. There's no shortage of things that need checking. A lot of this stuff really isn't rocket science, it's about finding easily overlooked things, places where interfaces have changed and callers haven't been updated for example. It shouldn't put people off that they haven't had any of their code accepted for kernel inclusion, or that they don't fully understand everything (or even much of it at all). A lot of newcomers seem overwhelmed by the number of knowledgable people on l-k, and are put off from posting for fear of being wrong, and have a few thousand people notice. But people make mistakes, don't be put off. If you find something that "just doesn't look right", it's better to be wrong, and have everyone know that piece of code is right (and now audited) than leave something which could be incorrect go potentially unnoticed. The only difficulty this projects faces is organisation. I don't think Bryan did a bad job. How should this be organised ? Have a list of files and hope people will say "Ok, I'll take drivers/blah.c and audit it" ? Personally I don't think that's the right approach. We need >1 pair of eyes looking over code, and therefore more than one person could be auditting 1 piece of code at a time. When do we mark something as 'auditted' ? This is the tough one. Without a set of criteria for each auditting operation, this will never be marked as 'auditted'. Criteria could include the things as mentioned above. - Validates input conditions. - Possible race condition. - Possible buffer overflow. - Sleeps with locks held. - Syntactical C errors. etc, etc.. Additional criteria could be added as needed for special cases.. "Makes bad assumption that blah==1" etc.. Only when all conditions are "ok" then the file is marked as "auditted". Upon release of a new kernel patch which changes that file, its "auditted" mark is removed, and the tests should be redone. This could be done using a script that clears any set "auditted flags" from the patched files upon application of a kernel patch. With the goals of this project reconfirmed, maybe someone will show some interest ?? regards, Davej. -- | Dave Jones http://www.suse.de/~davej | SuSE Labs Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Wed Oct 18 13:39:16 2000 Received: by humbolt.nl.linux.org id ; Wed, 18 Oct 2000 13:37:44 +0200 Received: from adsl-78-129-55.mem.bellsouth.net ([216.78.129.55]:13 "EHLO sqa.mine.nu") by humbolt.nl.linux.org with ESMTP id ; Wed, 18 Oct 2000 13:37:21 +0200 Received: from localhost (localhost [[UNIX: localhost]]) by sqa.mine.nu (8.11.0/8.10.1) id e9IBOjn03643 for kernel-audit@nl.linux.org; Wed, 18 Oct 2000 06:24:45 -0500 From: Bryan Paxton Reply-To: bpaxton@securityportal.com To: kernel-audit@nl.linux.org Subject: Re: Looking for someone to take over. Date: Wed, 18 Oct 2000 06:24:45 -0500 X-Mailer: KMail [version 1.1.95.2] Content-Type: text/plain References: In-Reply-To: MIME-Version: 1.0 Message-Id: <00101806244500.03610@sQa> Content-Transfer-Encoding: 8bit Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list On Tue, 17 Oct 2000, you wrote: > On Tue, 17 Oct 2000, Bryan Paxton wrote: > > I've put this off long enough, and instead of stamping this project as a > > dead beast, I'm querying as to whether there is anyone out there who like > > to take over. > > Your duties would be nothing but taking over as list owner(for this > > mailing list), help developers manage projects, set goals, etc....... > > I think this project had good intentions, which were unfortunatly > satisfied through existing lists/channels. *nod* I agree. > > Members of the security-audit list for example occasionally audit parts of > the kernel and either report to their own list, or to linux-kernel. > > I'd like this list to remain, but only if someone actually intends to use > it for the purpose it was originally set up for, and not have it turn into > a list for "Wouldn't it be cool if we had xxx feature". Yup, and if anyone is still confused about the over all goal they can read my original mission statement here: http://lkap.org/mission.html > > Other ideas: > - The sorts of things the Stanford students who posted to Linux Kernel a > few months ago. Their tests showed up a _lot_ of places we do bad > things. If someone would be prepared to take those results and just > confirm that they're still true for the latest kernel, it would be a > good start. > - Someone even submitted lclint outputs to l-k once which turned up a few > previously unnoticed bugs. > - Tytso's TODO list still shows a lot of areas that could be classed as > auditting. > - The sort of things that Arnaldo Carvalho de Melo has been posting > umpteen patches to l-k. Mostly things like updating drivers > to use newer interfaces. The kernel is still carrying a lot of old > backage because of this. And remember, if we kill off the old > interface, that's less code that needs auditting. > > There's no shortage of things that need checking. hehe, there's probably an overflow of things that need checking : ) On a side note, the first place I'd start is a problem that still exist. The ability to force the insert of kernel modules, even if you're kernel doesn't have support for this. There was a really good white paper on this, and if anyone has the url to it, please let me know. > Have a list of files and hope people will say "Ok, I'll take > drivers/blah.c and audit it" ? Personally I don't think that's the right > approach. We need >1 pair of eyes looking over code, and therefore more > than one person could be auditting 1 piece of code at a time. > I agree, when this first started I tried to setup a list of what to do. Which of course that didn't work. I mean this is free software, how you gonna encourage people to volunteer to work by shoving a list down their throat. And after giving this some though I think I'm going to leave the list "as is" for right now, that is untill a _group_ of people currently very much involved in this project contact me a route of better things. But despite that all that, we'll just see what happens.... -- Bryan Paxton SecurityPortal, your focal point for security on the net. http://www.securityportal.com/ Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/ From owner-kernel-audit@nl.linux.org Tue Oct 24 21:07:02 2000 Received: by humbolt.nl.linux.org id ; Tue, 24 Oct 2000 21:05:34 +0200 Received: from ferret.lmh.ox.ac.uk ([163.1.138.204]:13838 "HELO ferret.lmh.ox.ac.uk") by humbolt.nl.linux.org with SMTP id ; Tue, 24 Oct 2000 21:05:10 +0200 Received: (qmail 9796 invoked by uid 501); 24 Oct 2000 19:05:05 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 24 Oct 2000 19:05:05 -0000 Date: Tue, 24 Oct 2000 20:05:05 +0100 (BST) From: Chris Evans X-Sender: chris@ferret.lmh.ox.ac.uk To: davej@suse.de cc: kernel-audit@nl.linux.org Subject: Re: Looking for someone to take over. In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-kernel-audit@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;kernel-audit-list On Wed, 18 Oct 2000 davej@suse.de wrote: > I think this project had good intentions, which were unfortunatly > satisfied through existing lists/channels. > > Members of the security-audit list for example occasionally audit parts of > the kernel and either report to their own list, or to linux-kernel. This is indeed the case. The signal to noise on security-audit still remains high. The list is security-audit@ferret.lmh.ox.ac.uk. It is ezmlm managed. It is moderated for non-subscribers. I'm sure someone could spark an interesting debate by enquiring what areas of the kernel security-audit members felt would be "interesting" to attack. Cheers Chris Kernel-audit: discussion list for security and the linux kernel Archive: http://mail.nl.linux.org/kernel-audit/