Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 03 Oct 2012 17:59:35 -0400
From: Corey Bryant <>
To:, Kees Cook <>,
        James Morris <>
CC: Julia Lawall <>, Theodore Tso <>,
        Paul Moore <>, Eric Paris <>,
        Tyler Hicks <>,,, Dan Carpenter <>,
        Fengguang Wu <>
Subject: Re: Re: Linux Security Workgroup

On 10/02/2012 06:17 PM, Kees Cook wrote:
> On Tue, Oct 2, 2012 at 9:44 AM, Corey Bryant <> wrote:
>> On 10/02/2012 12:23 PM, Kees Cook wrote:
>>> On Thu, Sep 27, 2012 at 12:26 PM, Corey Bryant
>>> <> wrote:
>>>> At the Linux Security Summit we began discussing the Linux Security
>>>> Workgroup and some of the efforts that we can focus on.
>>>> The charter of the workgroup is to provide on-going security
>>>> verification of Linux kernel subsystems in order to assist in securing
>>>> the
>>>> Linux Kernel and maintain trust and confidence in the security of the
>>>> Linux
>>>> ecosystem.
>>>> This may include, but is not limited to, topics such as tooling to assist
>>>> in
>>>> securing the Linux Kernel, verification and testing of critical
>>>> subsystems
>>>> for vulnerabilities, security improvements for build tools, and providing
>>>> guidance for maintaining subsystem security.
>>> Thanks for getting this rolling!
>>> What are the next steps? Does it make sense to try to gather a list of
>>> active projects to try and see where things currently stand? (i.e who
>>> is actively running smatch, trinity, etc?) Or to call attention to a
>>> specific subsystem that needs direct auditing (e.g. KVM)?
>>> -Kees
>> No problem, thanks for the input!
>> I think having a list of active projects is a good place to start.
> I know Dan Carpenter is running smatch, as well as Fengguang Wu.
> Getting details on which trees are being scanned would be good.
> I know Fengguang Wu is running trinity too.
> There is a collection of coccinelle scripts in the tree, but I'm not
> sure if/when those are getting run by anyone. Julia, do you know if
> those are being regularly run?

Great, thanks for the info.

>> Perhaps we can also add desired projects to this list, and if anyone has
>> cycles to cover a project they can put their name to the project.
> I was keeping a list of potential hardening work here:
> some of it is out of date.

Ok so I guess it doesn't make sense to re-invent these details on 
another wiki.  Although in the long run it may be nice to have 
everything in one place (active projects and desired projects).

>> I'm personally trying to get time allocated to work on KVM fuzzing and/or
>> static analysis in 2013.
> Sounds good.
>> A wiki probably makes sense for the list.  Google sites has wikis.  I can
>> start one there unless there are other ideas.
> hosts wikis as well, and James Morris already has
> Perhaps we can use that? James, would this be
> something you'd be okay with?

That sounds good to me if it's okay with James.

Corey Bryant

> Thanks,
> -Kees

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.