With the support of the Alpha-Omega grant FreeBSD will undertake code audits of two important subsystems - the bhyve hypervisor, and the Capsicum sandboxing framework. In addition to uncovering vulnerabilities in these systems to redress, the audits will look to identify classes of vulnerabilities and/or suboptimal coding practices that we can look for across the project and incorporate learnings from into our Committer training and onboarding.
We will also undertake a process audit to similarly improve the way FreeBSD is developed. Work on this has not started.
Finally, we will pursue an MFA pilot to determine the best options to provide to our community and how to best communicate the options in order to achieve ubiquitous use across the community. The Foundation has also been laying the groundwork for MFA through some initial work on SSO.
In the past month, we have reached out to several code audit firms, interviewed two, and in the past week selected the one we will partner with.
Bhyve is FreeBSD's type 2 hypervisor. It has been ported to Illumos and is the basis for a macOS port called xhyve. Bhyve supports many guest operating systems, including FreeBSD, OpenBSD, NetBSD, Linux, Illumos, and Windows. We are interested in vulnerabilities in the kernel vmm code as well as userspace device models.
FreeBSD provides Capsicum, a lightweight OS capability and sandbox framework. There are a limited set of system calls available within a Capsicum sandbox, and certain system calls allow only limited or restricted operations. We are interested in finding vulnerabilities in code reachable from a process in capability mode that leads to privilege escalation or access to resources that should not be permitted within the sandbox. We are primarily interested in kernel vulnerabilities, although Capsicum helper services may also be included.
The high-level objectives of the code audits are:
- Reviewing the source code to identify errors and potential security vulnerabilities.
- Employing static code analysis tools if appropriate to detect coding errors and security weaknesses.
- Assessing the implementation of security controls and best practices within the source code.
- Analyzing the subsystem's interactions with other system components to identify potential security risks.
- Providing recommendations for remediation and mitigation of identified vulnerabilities.
- Delivering a detailed report documenting findings, including an executive summary, technical analysis, and recommendations for improving the security of the subsystem.
- To provide precise recommendations and a pragmatic action plan adapted to The FreeBSD Foundation's situation
In preparation for the code audits, the Foundation has started reviewing existing static analysis reports from Coverity Scan affecting the code in question.