5181535 2000-06-10 09:04 /88 rader/ Postmaster
Mottagare: Bugtraq (import) <11238>
Ärende: Mission statement for LKAP(Linux Kernel Auditing Project)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Content-Type: text/plain
MIME-Version: 1.0
Message-ID: <00060900513906.01508@sQa.speedbros.org>
Date: Fri, 9 Jun 2000 00:43:30 -0500
Reply-To: evil7@bellsouth.net
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Bryan Paxton <evil7@bellsouth.net>
X-To: securedistros@nl.linux.org, security-audit@ferret.lmh.ox.ac.uk
lwn@lwn.net, linux-security@redhat.com
seifried@securityportal.com
X-cc: kernel-audit@nl.linux.org, kernelnewbies@humbolt.nl.linux.org
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by samantha.lysator.liu.se id JAA15218
######################### kernel auditing project ###########################
This is a mission statement for a project under way and ready to get
going. The Linux kernel auditing project(LKAP).
The purpose of this project is self-explanatory. It's an attempt to
audit the linux kernel for any security vulnerabilities and/or holes
and/or possible vulnerabilities and/or possible holes, and of course
without adding more bugs or drawbacks to the existing kernels. The
suggested kernels to be audited are 2.0.x kernel series , 2.2.x
kernel series, and the 2.3.x/2.4.x kernel series. The group and it's
work shall be dealt and worked with via a mailing list.
How to subscribe:
echo subscribe kernel-audit | mail majordomo@nl.linux.org
I feel that this project should have been done a long time ago, not
to imply that the linux kernel is insecure, but for example the
setuid() hole found on June 7 which affected all 2.2.x kernels. This
bug was patched in a matter of hours (isn't open source great!). But
here's the point, the flaw/function/hole should _NOT_ have existed
in the first place. Which is where this project comes into place.
There's a few things that differ from this project compared to a
few others that are similar.
1) To audit the kernel src code without affecting/breaking/disrupting
any other part of the kernel. These will not be additional patches
you can downloads (add-ons). This auditing is dealing with the
current code in the src, not adding or implementing new functions.
2) To educate kernel developers/hackers on how to securely write
code. It is my hopes that kernel developers/hackers new and old will
subscribe and post to this mailing list with questions and share
information, and to simply get help with their code(e.g.: Could this
function() cause a possible security hole or lead to an exploit ?"),
this is the true power of open source and GNU/Linux
3) To be ahead of the game... A perfect example of this are certain
proprietary Operating Systems who sit around and wait for a security
bug to come to them and not go to bug themselves. Of course this
needs no explanation as to why this never works. I feel that kernel
developers/hackers are down to earth and pretty logical people and
realize that Linux is _NOT_ perfect, that a lot of the code they
write, submit, and gets plugged into the kernel is not flawless and
more than likely could be improved for security reasons.
4) To provide an operating system to the public. I want to see a
linux where the sysadmin doesn't have to watch his back all the time
in fear of say some new knfsd exploit or a way to fork()bomb his/her
router via a simple mistake in buffer.c
5) To provide a safe linux to the end-user.. Linux is slowly but
surely becoming a choice for the desktop user. Most of these users
are walking into linux with no knowledge of what potential dangers
lie at their finger tips and in their hard drive. Linux has proven
to be one of the most secure operating systems, but I feel as linux
becomes more popular with the general public this will change, that
more kernel security holes and exploits will arise from nowhere and
give us a very unpleasant reality check.
And at last, this will be no easy project, security auditing never
is. It takes man power, skill, and just plain aching time. But I
believe if the community of gets together on this one, nothing will
stop us and Linux will go on to become the #1 security wise
operating system to do this date.
Sincerely
Bryan Paxton
How to subscribe:
echo subscribe kernel-audit | mail majordomo@nl.linux.org
(5181535) ------------------------------------------(Ombruten)