Linux developers hunt for kernel bugs

Linux developers have begun an ambitious project to identify security problems with the open source operating system before they trouble end users.

The Linux Kernel Auditing Project is an attempt to audit the Linux kernel for any security holes. The project also aims to educate Linux developers on how to write code securely and thereby stay ahead of crackers in creating a secure operating environment.

Bryan Paxton, who wrote the mission statement for the project, said it was time for a security audit of the Linux kernel and that the process would result in more secure operating system for end users.

"Certain proprietary operating systems sit around, and wait for a security bug to come to them and not go to bug themselves," said Paxton. "Linux kernel developers/hackers are down to earth and pretty logical people, and realise that Linux is not perfect, that a lot of the code they write, submit, and gets plugged into the kernel is not flawless, and more than likely could be improved for security reasons."

The audit will deal with current source code and will not develop additional patches nor add new functions, which might affect or disrupt other parts of the kernel.

Roy Hills, technical director of security testing firm NTA Monitor, praised the move and said it made sense to separate the auditing and fixing functions involved in making an operating system secure.

"Open source operating systems are subject to bugs similar to those that affect proprietary systems, but people in the open source community seem to react quicker to things and are more open about it," he added.

OpenBSD, another Unix-like open source operating system, has been subject to an ongoing security audit since 1996.

Matthew Pemble, former security specialist in the Royal Navy and now at integrator IS Integration, said: "A formal code review, which this project is aiming for, would be a huge undertaking for a big operating system.

"Microsoft operating systems have not been desperately well tested, and because of the ubiquitous nature of that operating system that can have significant consequences."

The Linux Kernel Auditing Project is being undertaken by groups of Linux enthusiasts and developers who will work via a mailing list. The suggested kernels to be audited are 2.0.x kernel series, 2.2.x kernel series and the 2.3.x/2.4.x kernel series.

To subscribe to the project's mailing list, send a message with the body text 'subscribe kernel-audit' to majordomo@nl.linux.org