Re: [Debian-audit] Debian Security Audit Project

From: Javier Fernández-Sanguino Peña <jfs_at_computer.org>
Date: Sun, 12 Dec 2004 19:01:24 +0100

On Sun, Dec 12, 2004 at 01:57:16PM +0100, Ulf Härnhammar wrote:
> I'm replying to this, since nobody else has.
>
> Quoting "Dafoe, Tim (MBS)" <Tim.Dafoe_at_mbs.gov.on.ca>:
>
> > I'm looking for information regarding proactive efforts (such as those
> > I've seen in other OSS groups) in the Debian project for vulnerability
> > detection, code audit, etc. -- including how your auditing team conducts
> > the work (i.e. module by module, according to a schedule, or through some
> > other means) and the frequency of reviews.
>
> We're kind of unorganized, so we don't have any schedules or anything. We've
> been working on setuid and setgid programs a lot, and we've improved the
> situation with such programs in Debian GNU/Linux a lot IMHO. We've also audited
> a bunch of network related programs, and we've done some work on automated
> auditing scripts and programs that interface to several auditing programs at
> once.

I'll have to add that we have also reviewed /tmp symlink attacks and have
been auditing (and fixing) bugs in some software distributed by Debian.

We are currently working on a way to automatically audit all the software
in the Debian archive and publish the results (using several source code
analysis tools, including RATS, Flawfinder and Splint). The main goal is to
build up a system that can automatically extract security metrics of
software as soon as it's put in the archive and publish those security
metrics so that the audit team can concentrate on analysing the software
that is both a) widely used and b) has bad values in the metric score.

This effort is currently stalled, since I have also been working on trying
to make more information publicly available on how the buildd system works
[0]. This system is needed for these automatic audits since preliminary
tests have shown that some of the sources in the current archive need to be
built before they are audited (because of the way the packages have been
designed).

Also part of the work some of the members of the audit team have done is to
have Debian CVE certified [1]. We believe CVE is needed in order to make
sure that Debian has covered in its software the vulnerabilities that have
been detected and fixed by other vendors, and, at the same time, so that
our users can be sure if a given vulnerability has been fixed.

Members of the security audit team, the Debian Security team and Debian
maintainers are all reviewing public security vulnerabilities to determine
whether they affect Debian releases (or not) and cooperating in getting
them fixed. We are constantly reviewing the archive of published security
advisories in order to include CVE references in them. The Security Team is
also cooperating with other vendors that do security audits so that the
software is fixed in Debian.

You could say that Debian is also helped by the security audit teams of
other Linux distributions since all the information is shared openly
between them and they all use the same free software (although Debian might
provide more software than many of them). Not all of this work is visible
through published DSAs, since some of it involves software that has not yet
been released (as part of an official distribution).

As for our priorities regarding audits, Steve Kemp has published those in
the Security-Audit webpages [2].

Since this is a voluntary effort, and a loose group, the people involved
pretty much work on this in their spare time and the group has not decided
on imposing milestones (like say, having all the 'Priority: standard'
packages audited by day X).

HTH

Javier

[0] http://www.debian.org/devel/buildd/
[1] http://www.debian.org/News/2004/20040330
[2] http://www.debian.org/security/audit/packages
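The mail above describes a planned pipeline that runs source analysers over the archive, turns their findings into a per-package metric, and then points the audit team at packages that are both widely used and score badly. The script below is an added illustration of that ranking step, not code from the Debian audit project or from this thread. It assumes Flawfinder's one-line hit format (`path:line:  [level] (category) function:` followed by an indented explanation), uses constructed sample reports and constructed popcon-style install counts rather than real scan output, and the priority formula (usage multiplied by the sum of hit levels at or above a threshold) is an assumption chosen for the example.

```python
"""Rank packages for manual audit by combining static-analysis hits with usage.

Added example: parses Flawfinder-style hit lines, computes a per-package
metric, and orders packages so that widely used code with bad scores is
reviewed first.  Sample data below is constructed, not real scan output.
"""
import re

# One-line hit summary as printed by Flawfinder (assumption about its format):
#   src/net.c:88:  [4] (buffer) strcpy:
HIT_RE = re.compile(
    r"^(?P<file>[^:\s][^:]*):(?P<line>\d+):\s+"
    r"\[(?P<level>[0-5])\]\s+\((?P<category>\w+)\)\s+(?P<func>\S+):"
)

# Constructed sample reports in Flawfinder's report style (hypothetical packages).
SAMPLE_REPORTS = {
    "widgetd": (
        "src/net.c:88:  [4] (buffer) strcpy:\n"
        "  Does not check for buffer overflows when copying to destination (CWE-120).\n"
        "src/net.c:91:  [2] (buffer) char:\n"
        "  Statically-sized arrays can be improperly restricted (CWE-119!/CWE-120).\n"
        "src/log.c:40:  [4] (format) sprintf:\n"
        "  Does not check for buffer overflows (CWE-120).\n"
    ),
    "tinytool": (
        "tinytool.c:12:  [5] (buffer) gets:\n"
        "  Does not check for buffer overflows (CWE-120, CWE-20).\n"
    ),
    "bigclean": (
        "main.c:7:  [1] (buffer) strlen:\n"
        "  Does not handle strings that are not \\0-terminated (CWE-126).\n"
        "main.c:22:  [2] (misc) fopen:\n"
        "  Check when opening files (CWE-362).\n"
    ),
}

# Constructed popcon-style install counts (hypothetical values).
SAMPLE_USAGE = {"widgetd": 5000, "tinytool": 120, "bigclean": 9000}


def parse_hits(report):
    """Return a list of dicts, one per hit line; explanation lines are skipped."""
    hits = []
    for line in report.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append({
                "file": m.group("file"),
                "line": int(m.group("line")),
                "level": int(m.group("level")),
                "category": m.group("category"),
                "func": m.group("func"),
            })
    return hits


def metric_score(hits, min_level=3):
    """Sum the risk levels of hits at or above min_level (assumed weighting)."""
    return sum(h["level"] for h in hits if h["level"] >= min_level)


def rank_packages(reports, usage, min_level=3):
    """Order packages by usage * score, highest first; ties broken by name.

    Returns tuples of (package, usage, score, priority).  A package with a
    zero score stays in the list so that 'widely used but clean' is visible.
    """
    rows = []
    for pkg, report in reports.items():
        score = metric_score(parse_hits(report), min_level)
        installs = usage.get(pkg, 0)
        rows.append((pkg, installs, score, installs * score))
    rows.sort(key=lambda r: (-r[3], r[0]))
    return rows


if __name__ == "__main__":
    for pkg, installs, score, priority in rank_packages(SAMPLE_REPORTS, SAMPLE_USAGE):
        print(f"{pkg:10s} installs={installs:6d} score={score:3d} priority={priority}")
```

Feeding a real archive scan through this would mean one report per source package (which, as the mail notes, may first need to be built) and popcon counts for the usage column; the threshold and weighting are where an audit team would tune how much a single high-level hit outweighs many low-level ones.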

Received on Sun Dec 12 2004 - 18:01:37 GMT
