* [kernel-hardening] Secure Open Source Project Guide
@ 2013-01-31 15:34 Corey Bryant
  2013-01-31 18:37 ` Kees Cook
  0 siblings, 1 reply; 14+ messages in thread
From: Corey Bryant @ 2013-01-31 15:34 UTC (permalink / raw)
  To: kernel-hardening
  Cc: Anthony Liguori, Frank Novak, George Wilson, Joel Schopp,
	Kevin Wolf, Warren Grunbok II

In light of events like this http://lwn.net/Articles/535149/ "China, 
GitHub and the man-in-the-middle (Greatfire)", we are thinking that a 
guide for securing open source projects is needed.  For example, 
recommending pull requests or commits be PGP signed are a few things 
we've discussed that could defend against a MITM attack inserting 
malicious code.

Does anyone have any thoughts as to where we could publish such a guide? 
  Perhaps the Linux Foundation?

I believe we have the resources on this mailing list to work through the 
details and put together a succinct guide that we could take to a wider 
audience.

-- 
Regards,
Corey Bryant


* Re: [kernel-hardening] Secure Open Source Project Guide
  2013-01-31 15:34 [kernel-hardening] Secure Open Source Project Guide Corey Bryant
@ 2013-01-31 18:37 ` Kees Cook
  2013-01-31 19:30   ` Anthony Liguori
  2013-01-31 21:10   ` Corey Bryant
  0 siblings, 2 replies; 14+ messages in thread
From: Kees Cook @ 2013-01-31 18:37 UTC (permalink / raw)
  To: kernel-hardening
  Cc: Anthony Liguori, Frank Novak, George Wilson, Joel Schopp,
	Kevin Wolf, Warren Grunbok II

On Thu, Jan 31, 2013 at 7:34 AM, Corey Bryant <coreyb@linux.vnet.ibm.com> wrote:
> In light of events like this http://lwn.net/Articles/535149/ "China, GitHub
> and the man-in-the-middle (Greatfire)", we are thinking that a guide for
> securing open source projects is needed.  For example, recommending pull
> requests or commits be PGP signed are a few things we've discussed that
> could defend against a MITM attack inserting malicious code.
>
> Does anyone have any thoughts as to where we could publish such a guide?
> Perhaps the Linux Foundation?
>
> I believe we have the resources on this mailing list to work through the
> details and put together a succinct guide that we could take to a wider
> audience.

Yeah, sounds good. I think we could easily use the kernel-security
wiki to work on it initially, and if it needs a different home in the
end, we can move it then.

-Kees

--
Kees Cook
Chrome OS Security


* Re: [kernel-hardening] Secure Open Source Project Guide
  2013-01-31 18:37 ` Kees Cook
@ 2013-01-31 19:30   ` Anthony Liguori
  2013-02-01 14:33     ` Corey Bryant
  2013-02-05 18:34     ` Corey Bryant
  2013-01-31 21:10   ` Corey Bryant
  1 sibling, 2 replies; 14+ messages in thread
From: Anthony Liguori @ 2013-01-31 19:30 UTC (permalink / raw)
  To: Kees Cook, kernel-hardening
  Cc: Frank Novak, George Wilson, Joel Schopp, Kevin Wolf, Warren Grunbok II

Kees Cook <keescook@chromium.org> writes:

> On Thu, Jan 31, 2013 at 7:34 AM, Corey Bryant <coreyb@linux.vnet.ibm.com> wrote:
>> In light of events like this http://lwn.net/Articles/535149/ "China, GitHub
>> and the man-in-the-middle (Greatfire)", we are thinking that a guide for
>> securing open source projects is needed.  For example, recommending pull
>> requests or commits be PGP signed are a few things we've discussed that
>> could defend against a MITM attack inserting malicious code.
>>
>> Does anyone have any thoughts as to where we could publish such a guide?
>> Perhaps the Linux Foundation?
>>
>> I believe we have the resources on this mailing list to work through the
>> details and put together a succinct guide that we could take to a wider
>> audience.
>
> Yeah, sounds good. I think we could easily use the kernel-security
> wiki to work on it initially, and if it needs a different home in the
> end, we can move it then.

If someone picks a home, I'll do a brain dump of some of my concerns and
what I think can be done about it.

Regards,

Anthony Liguori

>
> -Kees
>
> --
> Kees Cook
> Chrome OS Security


* Re: [kernel-hardening] Secure Open Source Project Guide
  2013-01-31 18:37 ` Kees Cook
  2013-01-31 19:30   ` Anthony Liguori
@ 2013-01-31 21:10   ` Corey Bryant
  2013-01-31 23:18     ` Peter Huewe
  2013-02-01 14:17     ` Solar Designer
  1 sibling, 2 replies; 14+ messages in thread
From: Corey Bryant @ 2013-01-31 21:10 UTC (permalink / raw)
  To: kernel-hardening
  Cc: Kees Cook, Anthony Liguori, Frank Novak, George Wilson,
	Joel Schopp, Kevin Wolf, Warren Grunbok II



On 01/31/2013 01:37 PM, Kees Cook wrote:
> On Thu, Jan 31, 2013 at 7:34 AM, Corey Bryant <coreyb@linux.vnet.ibm.com> wrote:
>> In light of events like this http://lwn.net/Articles/535149/ "China, GitHub
>> and the man-in-the-middle (Greatfire)", we are thinking that a guide for
>> securing open source projects is needed.  For example, recommending pull
>> requests or commits be PGP signed are a few things we've discussed that
>> could defend against a MITM attack inserting malicious code.
>>
>> Does anyone have any thoughts as to where we could publish such a guide?
>> Perhaps the Linux Foundation?
>>
>> I believe we have the resources on this mailing list to work through the
>> details and put together a succinct guide that we could take to a wider
>> audience.
>
> Yeah, sounds good. I think we could easily use the kernel-security
> wiki to work on it initially, and if it needs a different home in the
> end, we can move it then.
>
> -Kees
>
> --
> Kees Cook
> Chrome OS Security
>
>
>

Does it make sense to get everyone edit access to the wiki?  If not I 
can set up a page for it and get input from folks here on the mailing 
list as it progresses and update the wiki myself.

We should probably start by gathering a list of ideas to include in the 
guide.  Some initial ideas that come to mind are:

* Secure programming practices ("Secure Programming for Linux
   and Unix HOWTO" is a good reference for Linux though probably
   out of date)
* Performing secure code reviews and detecting common
   vulnerabilities
* Ensuring code is reviewed by trusted parties and proper patch
   tagging is used
* Signing of releases, pull requests, patches, commits, etc by
   trusted parties
* Removing vulnerabilities with automated tooling (Static/Dynamic
   analysis, Fuzzing)

Any thoughts?

-- 
Regards,
Corey Bryant


* Re: [kernel-hardening] Secure Open Source Project Guide
  2013-01-31 21:10   ` Corey Bryant
@ 2013-01-31 23:18     ` Peter Huewe
  2013-02-01 14:36       ` Corey Bryant
  2013-02-01 14:17     ` Solar Designer
  1 sibling, 1 reply; 14+ messages in thread
From: Peter Huewe @ 2013-01-31 23:18 UTC (permalink / raw)
  To: kernel-hardening
  Cc: Corey Bryant, Kees Cook, Anthony Liguori, Frank Novak,
	George Wilson, Joel Schopp, Kevin Wolf, Warren Grunbok II

Hi, 
> We should probably start by gathering a list of ideas to include in the
> guide.  Some initial ideas that come to mind are:
> 
> * Secure programming practices ("Secure Programming for Linux
>    and Unix HOWTO" is a good reference for Linux though probably
>    out of date)
> * Performing secure code reviews and detecting common
>    vulnerabilities
> * Ensuring code is reviewed by trusted parties and proper patch
>    tagging is used
> * Signing of releases, pull requests, patches, commits, etc by
>    trusted parties
> * Removing vulnerabilities with automated tooling (Static/Dynamic
>    analysis, Fuzzing)
> 
> Any thoughts?

I'd definitely add
* creating semantic patches out of the secure coding reviews / common 
vulnerabilities with coccinelle/spatch.
(Usually the same bugs happen over and over again - see e.g. the CWE list ;)

I know this goes into the direction of your last point, but is not that 
trivial to use like e.g. spatch but on the other hand provides "automatic" 
fixing.

Just my two cents.

PeterH


* Re: [kernel-hardening] Secure Open Source Project Guide
  2013-01-31 21:10   ` Corey Bryant
  2013-01-31 23:18     ` Peter Huewe
@ 2013-02-01 14:17     ` Solar Designer
  2013-02-01 14:41       ` Corey Bryant
  1 sibling, 1 reply; 14+ messages in thread
From: Solar Designer @ 2013-02-01 14:17 UTC (permalink / raw)
  To: kernel-hardening
  Cc: Corey Bryant, Kees Cook, Anthony Liguori, Frank Novak,
	George Wilson, Joel Schopp, Kevin Wolf, Warren Grunbok II

Corey, Kees, all -

Why don't we bring this to the oss-security mailing list?  I think this
topic is not in any way specific nor limited to the Linux kernel.  There
are ~10x more people on oss-security than on kernel-hardening, and this
topic is a better fit for oss-security than for kernel-hardening.  There
is a wiki for the oss-security group, where such content is welcome.
Anyone can register for an account and edit.

Info on the oss-security mailing list:

http://oss-security.openwall.org/wiki/mailing-lists/oss-security

Subscribe here:

http://oss-security.openwall.org/subscribe

(Of course, Kees and many others in here are already on oss-security as
well.  Not all, though.)

On Thu, Jan 31, 2013 at 04:10:03PM -0500, Corey Bryant wrote:
> We should probably start by gathering a list of ideas to include in the 
> guide.  Some initial ideas that come to mind are:
> 
> * Secure programming practices ("Secure Programming for Linux
>   and Unix HOWTO" is a good reference for Linux though probably
>   out of date)

CERT's Secure Coding resources are more current, but they're focused on
programming languages and I think they don't cover operating system
specific pitfalls (e.g., Linux netlink).

> * Performing secure code reviews and detecting common
>   vulnerabilities
> * Ensuring code is reviewed by trusted parties and proper patch
>   tagging is used
> * Signing of releases, pull requests, patches, commits, etc by
>   trusted parties
> * Removing vulnerabilities with automated tooling (Static/Dynamic
>   analysis, Fuzzing)

We have some relevant links here:

http://oss-security.openwall.org/wiki/

and more specifically:

http://oss-security.openwall.org/wiki/tools
http://oss-security.openwall.org/wiki/links
http://oss-security.openwall.org/wiki/code-reviews

More content (and better organization of content) on the oss-security
wiki is welcome - including on all topics you listed above.

Thanks,

Alexander


* Re: [kernel-hardening] Secure Open Source Project Guide
  2013-01-31 19:30   ` Anthony Liguori
@ 2013-02-01 14:33     ` Corey Bryant
  2013-02-05 18:34     ` Corey Bryant
  1 sibling, 0 replies; 14+ messages in thread
From: Corey Bryant @ 2013-02-01 14:33 UTC (permalink / raw)
  To: kernel-hardening
  Cc: Anthony Liguori, Kees Cook, Frank Novak, George Wilson,
	Joel Schopp, Kevin Wolf, Warren Grunbok II



On 01/31/2013 02:30 PM, Anthony Liguori wrote:
> Kees Cook <keescook@chromium.org> writes:
>
>> On Thu, Jan 31, 2013 at 7:34 AM, Corey Bryant <coreyb@linux.vnet.ibm.com> wrote:
>>> In light of events like this http://lwn.net/Articles/535149/ "China, GitHub
>>> and the man-in-the-middle (Greatfire)", we are thinking that a guide for
>>> securing open source projects is needed.  For example, recommending pull
>>> requests or commits be PGP signed are a few things we've discussed that
>>> could defend against a MITM attack inserting malicious code.
>>>
>>> Does anyone have any thoughts as to where we could publish such a guide?
>>> Perhaps the Linux Foundation?
>>>
>>> I believe we have the resources on this mailing list to work through the
>>> details and put together a succinct guide that we could take to a wider
>>> audience.
>>
>> Yeah, sounds good. I think we could easily use the kernel-security
>> wiki to work on it initially, and if it needs a different home in the
>> end, we can move it then.
>
> If someone picks a home, I'll do a brain dump of some of my concerns and
> what I think can be done about it.
>
> Regards,
>
> Anthony Liguori
>

That would be great.  Thanks Anthony.

-- 
Regards,
Corey Bryant

>>
>> -Kees
>>
>> --
>> Kees Cook
>> Chrome OS Security
>
>
>


* Re: [kernel-hardening] Secure Open Source Project Guide
  2013-01-31 23:18     ` Peter Huewe
@ 2013-02-01 14:36       ` Corey Bryant
  0 siblings, 0 replies; 14+ messages in thread
From: Corey Bryant @ 2013-02-01 14:36 UTC (permalink / raw)
  To: Peter Huewe
  Cc: kernel-hardening, Kees Cook, Anthony Liguori, Frank Novak,
	George Wilson, Joel Schopp, Kevin Wolf, Warren Grunbok II



On 01/31/2013 06:18 PM, Peter Huewe wrote:
> Hi,
>> We should probably start by gathering a list of ideas to include in the
>> guide.  Some initial ideas that come to mind are:
>>
>> * Secure programming practices ("Secure Programming for Linux
>>     and Unix HOWTO" is a good reference for Linux though probably
>>     out of date)
>> * Performing secure code reviews and detecting common
>>     vulnerabilities
>> * Ensuring code is reviewed by trusted parties and proper patch
>>     tagging is used
>> * Signing of releases, pull requests, patches, commits, etc by
>>     trusted parties
>> * Removing vulnerabilities with automated tooling (Static/Dynamic
>>     analysis, Fuzzing)
>>
>> Any thoughts?
>
> I'd definitely add
> * creating semantic patches out of the secure coding reviews / common
> vulnerabilities with coccinelle/spatch.
> (Usually the same bugs happen over and over again - see e.g. the CWE list ;)
>
> I know this goes into the direction of your last point, but is not that
> trivial to use like e.g. spatch but on the other hand provides "automatic"
> fixing.
>
> Just my two cents.
>
> PeterH
>
>

Thanks for the input.  Automated patching with Coccinelle and the like, 
and pointers to get folks started with these tools would be a great 
addition.

-- 
Regards,
Corey Bryant


* Re: [kernel-hardening] Secure Open Source Project Guide
  2013-02-01 14:17     ` Solar Designer
@ 2013-02-01 14:41       ` Corey Bryant
  2013-02-01 15:08         ` Solar Designer
  0 siblings, 1 reply; 14+ messages in thread
From: Corey Bryant @ 2013-02-01 14:41 UTC (permalink / raw)
  To: Solar Designer
  Cc: kernel-hardening, Kees Cook, Anthony Liguori, Frank Novak,
	George Wilson, Joel Schopp, Kevin Wolf, Warren Grunbok II



On 02/01/2013 09:17 AM, Solar Designer wrote:
> Corey, Kees, all -
>
> Why don't we bring this to the oss-security mailing list?  I think this
> topic is not in any way specific nor limited to the Linux kernel.  There
> are ~10x more people on oss-security than on kernel-hardening, and this
> topic is a better fit for oss-security than for kernel-hardening.  There
> is a wiki for the oss-security group, where such content is welcome.
> Anyone can register for an account and edit.
>
> Info on the oss-security mailing list:
>
> http://oss-security.openwall.org/wiki/mailing-lists/oss-security
>
> Subscribe here:
>
> http://oss-security.openwall.org/subscribe
>
> (Of course, Kees and many others in here are already on oss-security as
> well.  Not all, though.)
>
> On Thu, Jan 31, 2013 at 04:10:03PM -0500, Corey Bryant wrote:
>> We should probably start by gathering a list of ideas to include in the
>> guide.  Some initial ideas that come to mind are:
>>
>> * Secure programming practices ("Secure Programming for Linux
>>    and Unix HOWTO" is a good reference for Linux though probably
>>    out of date)
>
> CERT's Secure Coding resources are more current, but they're focused on
> programming languages and I think they don't cover operating system
> specific pitfalls (e.g., Linux netlink).
>
>> * Performing secure code reviews and detecting common
>>    vulnerabilities
>> * Ensuring code is reviewed by trusted parties and proper patch
>>    tagging is used
>> * Signing of releases, pull requests, patches, commits, etc by
>>    trusted parties
>> * Removing vulnerabilities with automated tooling (Static/Dynamic
>>    analysis, Fuzzing)
>
> We have some relevant links here:
>
> http://oss-security.openwall.org/wiki/
>
> and more specifically:
>
> http://oss-security.openwall.org/wiki/tools
> http://oss-security.openwall.org/wiki/links
> http://oss-security.openwall.org/wiki/code-reviews
>
> More content (and better organization of content) on the oss-security
> wiki is welcome - including on all topics you listed above.
>
> Thanks,
>
> Alexander
>
>

Thanks Alexander.  I agree, this really is targeting OSS in general so I 
think it makes sense to move to the oss-security mailing list and wiki. 
  Is anyone opposed to this or have a better idea?

And maybe we can find a good place to link to our Linux Security 
Workgroup wiki on the OSS wiki: 
http://kernsec.org/wiki/index.php/Linux_Security_Workgroup

-- 
Regards,
Corey Bryant


* Re: [kernel-hardening] Secure Open Source Project Guide
  2013-02-01 14:41       ` Corey Bryant
@ 2013-02-01 15:08         ` Solar Designer
  2013-02-05 18:37           ` Corey Bryant
  2013-02-06  7:02           ` Shawn
  0 siblings, 2 replies; 14+ messages in thread
From: Solar Designer @ 2013-02-01 15:08 UTC (permalink / raw)
  To: Corey Bryant
  Cc: kernel-hardening, Kees Cook, Anthony Liguori, Frank Novak,
	George Wilson, Joel Schopp, Kevin Wolf, Warren Grunbok II

On Fri, Feb 01, 2013 at 09:41:55AM -0500, Corey Bryant wrote:
> Thanks Alexander.  I agree, this really is targeting OSS in general so I 
> think it makes sense to move to the oss-security mailing list and wiki. 
>  Is anyone opposed to this or have a better idea?
> 
> And maybe we can find a good place to link to our Linux Security 
> Workgroup wiki on the OSS wiki: 
> http://kernsec.org/wiki/index.php/Linux_Security_Workgroup

For now, we can add it to:

http://oss-security.openwall.org/wiki/links

Please feel free to do that.  And yes, maybe we can find/add a better
place for links to closely related projects maintained by people who are
also active in the oss-security group.  Maybe have a Related Projects
section right on the main oss-security wiki page?

Alexander


* Re: [kernel-hardening] Secure Open Source Project Guide
  2013-01-31 19:30   ` Anthony Liguori
  2013-02-01 14:33     ` Corey Bryant
@ 2013-02-05 18:34     ` Corey Bryant
  2013-02-05 23:09       ` Solar Designer
  1 sibling, 1 reply; 14+ messages in thread
From: Corey Bryant @ 2013-02-05 18:34 UTC (permalink / raw)
  To: Anthony Liguori
  Cc: kernel-hardening, Kees Cook, Frank Novak, George Wilson,
	Joel Schopp, Kevin Wolf, Warren Grunbok II



On 01/31/2013 02:30 PM, Anthony Liguori wrote:
> Kees Cook <keescook@chromium.org> writes:
>
>> On Thu, Jan 31, 2013 at 7:34 AM, Corey Bryant <coreyb@linux.vnet.ibm.com> wrote:
>>> In light of events like this http://lwn.net/Articles/535149/ "China, GitHub
>>> and the man-in-the-middle (Greatfire)", we are thinking that a guide for
>>> securing open source projects is needed.  For example, recommending pull
>>> requests or commits be PGP signed are a few things we've discussed that
>>> could defend against a MITM attack inserting malicious code.
>>>
>>> Does anyone have any thoughts as to where we could publish such a guide?
>>> Perhaps the Linux Foundation?
>>>
>>> I believe we have the resources on this mailing list to work through the
>>> details and put together a succinct guide that we could take to a wider
>>> audience.
>>
>> Yeah, sounds good. I think we could easily use the kernel-security
>> wiki to work on it initially, and if it needs a different home in the
>> end, we can move it then.
>
> If someone picks a home, I'll do a brain dump of some of my concerns and
> what I think can be done about it.
>
> Regards,
>
> Anthony Liguori
>

I haven't heard any objections to using the oss-security wiki to host 
the guide, so I've created a page here.  A brain dump would be a much 
appreciated start to get things moving.  Thanks!

http://oss-security.openwall.org/wiki/secure-oss-dev-guide

-- 
Regards,
Corey Bryant

>>
>> -Kees
>>
>> --
>> Kees Cook
>> Chrome OS Security
>
>
>


* Re: [kernel-hardening] Secure Open Source Project Guide
  2013-02-01 15:08         ` Solar Designer
@ 2013-02-05 18:37           ` Corey Bryant
  2013-02-06  7:02           ` Shawn
  1 sibling, 0 replies; 14+ messages in thread
From: Corey Bryant @ 2013-02-05 18:37 UTC (permalink / raw)
  To: Solar Designer
  Cc: kernel-hardening, Kees Cook, Anthony Liguori, Frank Novak,
	George Wilson, Joel Schopp, Kevin Wolf, Warren Grunbok II



On 02/01/2013 10:08 AM, Solar Designer wrote:
> On Fri, Feb 01, 2013 at 09:41:55AM -0500, Corey Bryant wrote:
>> Thanks Alexander.  I agree, this really is targeting OSS in general so I
>> think it makes sense to move to the oss-security mailing list and wiki.
>>   Is anyone opposed to this or have a better idea?
>>
>> And maybe we can find a good place to link to our Linux Security
>> Workgroup wiki on the OSS wiki:
>> http://kernsec.org/wiki/index.php/Linux_Security_Workgroup
>
> For now, we can add it to:
>
> http://oss-security.openwall.org/wiki/links

Thanks, I've added a link here.

>
> Please feel free to do that.  And yes, maybe we can find/add a better
> place for links to closely related projects maintained by people who are
> also active in the oss-security group.  Maybe have a Related Projects
> section right on the main oss-security wiki page?

Yeah that might be a good way to organize related projects rather than 
throwing them on a links page.

>
> Alexander
>

-- 
Regards,
Corey Bryant


* Re: [kernel-hardening] Secure Open Source Project Guide
  2013-02-05 18:34     ` Corey Bryant
@ 2013-02-05 23:09       ` Solar Designer
  0 siblings, 0 replies; 14+ messages in thread
From: Solar Designer @ 2013-02-05 23:09 UTC (permalink / raw)
  To: Corey Bryant, kernel-hardening
  Cc: Anthony Liguori, Kees Cook, Frank Novak, George Wilson,
	Joel Schopp, Kevin Wolf, Warren Grunbok II

On Tue, Feb 05, 2013 at 01:34:18PM -0500, Corey Bryant wrote:
> I haven't heard any objections to using the oss-security wiki to host 
> the guide, so I've created a page here.  A brain dump would be a much 
> appreciated start to get things moving.  Thanks!
> 
> http://oss-security.openwall.org/wiki/secure-oss-dev-guide

This is a good start, although I'd call the page "development",
"development-guide", "secure-development", or maybe even
"secure-development-guide" for search engine friendliness. ;-)
We already have "oss" and "security" in the URL anyway, so the
non-redundant words are only "development" and "guide" (can omit the
latter since it's less informative). ;-)

On a more serious note, I think you need to announce this on the
oss-security mailing list.

Thanks,

Alexander


* Re: [kernel-hardening] Secure Open Source Project Guide
  2013-02-01 15:08         ` Solar Designer
  2013-02-05 18:37           ` Corey Bryant
@ 2013-02-06  7:02           ` Shawn
  1 sibling, 0 replies; 14+ messages in thread
From: Shawn @ 2013-02-06  7:02 UTC (permalink / raw)
  To: kernel-hardening
  Cc: Corey Bryant, Kees Cook, Anthony Liguori, Frank Novak,
	George Wilson, Joel Schopp, Kevin Wolf, Warren Grunbok II

hi security guys,

On Fri, Feb 1, 2013 at 11:08 PM, Solar Designer <solar@openwall.com> wrote:
>
> On Fri, Feb 01, 2013 at 09:41:55AM -0500, Corey Bryant wrote:
> > Thanks Alexander.  I agree, this really is targeting OSS in general so I
> > think it makes sense to move to the oss-security mailing list and wiki.
> >  Is anyone opposed to this or have a better idea?
> >
> > And maybe we can find a good place to link to our Linux Security
> > Workgroup wiki on the OSS wiki:
> > http://kernsec.org/wiki/index.php/Linux_Security_Workgroup
>
> For now, we can add it to:
>
> http://oss-security.openwall.org/wiki/links
>
> Please feel free to do that.  And yes, maybe we can find/add a better
> place for links to closely related projects maintained by people who are
> also active in the oss-security group.  Maybe have a Related Projects
> section right on the main oss-security wiki page?
>
I'm a newbie in the security field and I put one article about open
source security stuff in QA process on the wiki page. Hope it matched
the correct topic! If it does bother, please feel free to delete it.


--
GNU powered it...
GPL protect it...
God blessing it...

regards
Shawn
