By John Leyden, VNU Net
Linux developers have begun an ambitious project to identify
security problems with the open source operating system before they
trouble end users.
The Linux Kernel Auditing Project is an attempt to audit the
Linux kernel for any security holes. The project also aims to
educate Linux developers on how to write code securely and thereby
stay ahead of crackers in creating a secure operating
environment.
Bryan Paxton, who wrote the mission statement for the project,
said it was time for a security audit of the Linux kernel and that
the process would result in a more secure operating system for end
users.
“Certain proprietary operating systems sit around, and wait for
a security bug to come to them and not go to bug themselves,” said
Paxton. “Linux kernel developers/hackers are down to earth and
pretty logical people, and realise that Linux is not perfect, that
a lot of the code they write, submit, and gets plugged into the
kernel is not flawless, and more than likely could be improved for
security reasons.”
The audit will deal with current source code and will not
develop additional patches nor add new functions, which might
affect or disrupt other parts of the kernel.
Roy Hills, technical director of security testing firm NTA
Monitor, praised the move and said it made sense to separate the
auditing and fixing functions involved in making an operating
system secure.
“This is the first time I’ve heard of an audit of the whole of a
general purpose operating system kernel,” said Hills, who added
that rigorous audits have traditionally only been applied to
hardened operating systems used by the military.
“Open source operating systems are subject to bugs similar to
those that affect proprietary systems, but people in the open
source community seem to react quicker to things and are more open
about it,” he added.
Matthew Pemble, former security specialist in the Royal Navy and
now at integrator IS Integration, said: “A formal code review,
which this project is aiming for, would be a huge undertaking for a
big operating system.
“Microsoft operating systems have not been desperately well
tested, and because of the ubiquitous nature of that operating
system that can have significant consequences.”
The Linux Kernel Auditing Project is being undertaken by groups
of Linux enthusiasts and developers who will work via a mailing
list. The suggested kernels to be audited are the 2.0.x, 2.2.x and
2.3.x/2.4.x kernel series.
To subscribe to the project’s mailing list, send a message with
the body text ‘subscribe kernel-audit’ to majordomo@nl.linux.org.