This looks to be a serious abstract / paper ;-) - Silvio

---------------------------

ABSTRACT
--------

The experiences of a manual security audit of popular open-source operating system kernels. The Linux, FreeBSD, OpenBSD, and NetBSD operating systems are audited from the perspective of [language] implementation bugs. Methods of exploitation are developed and demonstrated against the relevant bug classes. The author's contact with vendors is also discussed, raising the politics of vulnerabilities.

BIOGRAPHY
---------

[ to be filled in ]

ABSTRACT (longer version)
-------------------------

For a period of up to 3 months in 2002, a part-time manual security audit of the operating system kernels of Linux, FreeBSD, OpenBSD, and NetBSD was conducted. The aim of the audit was to examine the available source code under the presumption of language implementation bugs. Thus classic programming bugs prevalent in the implementation language [C], exemplified by integer overflows, type casting errors, incorrect input validation, buffer overflows etc., were expected.

The initial introduction to auditing examined easily accessible entry points into the kernel, including the file system and the device layer. This continued to an increased coverage and scope of auditing. From this work, identification of conjectured prevalent bug classes was possible. These results are in favour of the initial expectations: that the bugs would be in line with classical language bugs.

The results of this audit are surprising; a large [more than naively expected] number of vulnerabilities were discovered. A technical summary of these vulnerabilities will be treated in detail. Bug classes and [conjectured] less secure specific subsystems in the kernel will be identified. These conjectures support Dawson Engler's research in automated bug discovery, as applied to open-source kernel auditing.

Vulnerabilities, after bug categorisation, are applied in the treatment of exploitation. The results are again surprising; exploitation is sometimes trivial, and is primarily highly reliable. The assumption of exploitation difficulty is conjectured to be a false belief, due to the lack of any serious focus on kernel auditing prior to this paper. This conjecture is supported by in-line documentation in the kernel sources indicative of immediate security flaws. Attack vectors are identified as a generalisation of bug classes. Risk management is touched upon to reduce the scope of attack, but is not the primary purpose of this paper.

Discussion is finally that of vendor contact, and the associated politics of vulnerabilities. First-hand reports of acknowledgement times, problem resolution times and public dissemination policies are presented candidly. The author may be biased at this point, but it appears that during this audit period, open-source held up to its promise of security concern and responsibility in its community. Problem acknowledgement in at least one of the cases presented is perhaps the fastest in documented history (less than three minutes). The majority of the vulnerabilities discovered during the audit were resolved and patched in co-operation with the open-source developers and community responsible for each respective operating system.

A very large thanks must go to Alan Cox, Solar Designer and, later, Dave Miller, who made enormous efforts to continually resolve all issues uncovered.

-- Silvio