Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Oct 2012 07:38:31 +0200 (CEST)
From: Julia Lawall <>
To: Kees Cook <>
cc: Corey Bryant <>, 
    Julia Lawall <>,, 
    James Morris <>, Theodore Tso <>, 
    Paul Moore <>, Eric Paris <>, 
    Tyler Hicks <>,,, Dan Carpenter <>, 
    Fengguang Wu <>
Subject: Re: Linux Security Workgroup

On Tue, 2 Oct 2012, Kees Cook wrote:

> On Tue, Oct 2, 2012 at 9:44 AM, Corey Bryant <> wrote:
>> On 10/02/2012 12:23 PM, Kees Cook wrote:
>>> On Thu, Sep 27, 2012 at 12:26 PM, Corey Bryant
>>> <> wrote:
>>>> At the Linux Security Summit we began discussing the Linux Security
>>>> Workgroup and some of the efforts that we can focus on.
>>>> The charter of the workgroup is to provide on-going security
>>>> verification of Linux kernel subsystems in order to assist in securing
>>>> the
>>>> Linux Kernel and maintain trust and confidence in the security of the
>>>> Linux
>>>> ecosystem.
>>>> This may include, but is not limited to, topics such as tooling to assist
>>>> in
>>>> securing the Linux Kernel, verification and testing of critical
>>>> subsystems
>>>> for vulnerabilities, security improvements for build tools, and providing
>>>> guidance for maintaining subsystem security.
>>> Thanks for getting this rolling!
>>> What are the next steps? Does it make sense to try to gather a list of
>>> active projects to try and see where things currently stand? (i.e who
>>> is actively running smatch, trinity, etc?) Or to call attention to a
>>> specific subsystem that needs direct auditing (e.g. KVM)?
>>> -Kees
>> No problem, thanks for the input!
>> I think having a list of active projects is a good place to start.
> I know Dan Carpenter is running smatch, as well as Fengguang Wu.
> Getting details on which trees are being scanned would be good.
> I know Fengguang Wu is running trinity too.
> There is a collection of coccinelle scripts in the tree, but I'm not
> sure if/when those are getting run by anyone. Julia, do you know if
> those are being regularly run?

Fengguang Wu runs at least some of them as well.

Artem Bityutskiy also runs them on the patces he receives (aiaiai).


>> Perhaps we can also add desired projects to this list, and if anyone has
>> cycles to cover a project they can put their name to the project.
> I was keeping a list of potential hardening work here:
> some of it is out of date.
>> I'm personally trying to get time allocated to work on KVM fuzzing and/or
>> static analysis in 2013.
> Sounds good.
>> A wiki probably makes sense for the list.  Google sites has wikis.  I can
>> start one there unless there are other ideas.
> hosts wikis as well, and James Morris already has
> Perhaps we can use that? James, would this be
> something you'd be okay with?
> Thanks,
> -Kees
> -- 
> Kees Cook
> Chrome OS Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.