Slashdot Mirror

← Back to Stories (view on slashdot.org)

DARPA-Funded Linux Security Hub Withers

Posted by michael on from the unglamorous-work dept.

mAriuZ writes "Initially funded by a grant from the Pentagon's DARPA, the Sardonix project aspired to replace the Linux security review process with a public website that meticulously tracks which code has been audited for security holes, and by whom. As conceived by Crispin Cowan, Sardonix was to attract volunteer auditors by automatically ranking them according to the amount of code they've examined, and the number of security holes they've found. Auditors would lose points if a subsequent audit by someone else turned up bugs they missed. ... In the end, though, nobody showed up."

4 of 281 comments (clear)

  1. Re:Classic misdirection by Introspective · · Score: 5, Informative

    I don't think so. The NSA released SELinux as source code, it has been reviewed by many people and adopted into the 2.6 kernel. It would be rather difficult to sneak in "hundreds if not thousands of pre-programmed exploits" into the Linux kernel.

    Check the FAQ

  2. Too low profile by adamsc · · Score: 4, Informative

    I follow the security community pretty closely, monitor a fair number of techie news sites and otherwise try to stay aware of this sort of thing. The first I heard of the project was this story - I must have missed it the last time it was mentioned two years ago. Not many sites linked to sardonix.org after the initial news stories, either.

  3. Re:Classic misdirection by Muggins+the+Mad · · Score: 3, Informative
    So you assert that SELinux fixes trivial security issues...
    I never asserted anything of the kind. SELinux is about implementing access control, which has little if anthing to do with enhancing the kind of security being discussed here, i.e., getting root.

    But access control is very much related to stopping exploits. A good set of access controls (SELinux or LIDS or RSBAC or the like) means that when, say, apache gets exploited, the attacker can't do any real damage and certainly can't fork a command shell.

    It means that when your mail client gets exploited through an attachment type hole, the executed attachment can't access your address book or send mail itself. All good stuff.

    It also means that very few programs need to be run as root thus providing even fewer avenues for the attacker to use.

    - Muggins the Mad
  4. Re:Let's be honest by Mysteray · · Score: 3, Informative

    What the AC in post #8154783 seemed to be trying to say is that the leader of the OpenBSD project turned off network-accessible services in the default install, is not forthcoming with the details of these security-related modifications, and acts in a self-promotional manner.

    I don't actually agree with this characterization of OpenBSD; I'm simply trying to provide a translation for the curious. I don't think the AC is using stunningly effective debate technique, either.