---
title: "Security WG, December 16, 2022"
tags: unikraft, security
datetime: 2022-12-16T15:00:00+02:00
location: Online, Discord (https://bit.ly/UnikraftDiscord), the `#monkey-business` voice channel
teams:
- security
participants:
- TODO
---
## :dart: Agenda
- Discuss "official take on security" of Unikraft as brought up by @nderjung:
  + Discuss disclosure policy (posted in the Discord chat)
  + Where do we release security fixes? Obviously staging, but do we want to backport them to stable? That's for post-1.0 releases, right?
  + Should we start taking CVEs? Do we all agree that that's for post-1.0 too?
- Status updates from the GH Security Project: https://github.com/orgs/unikraft/projects/32/views/1
  + Is there any new project, or any update to the projects listed here?
  + Are there any technical difficulties with the ongoing work?
  + Are there any outstanding PRs that require external attention? A review, a merge, or simply
- Student projects: clarify scope, as we were missing @razvand in the previous meeting
  + @Alex Apostolescu: working on randomization support (in concert with @Michalis Pappas)
  + @Serban Sorohan: ASLR / memory randomization
  + @Carol Bontas: security assessment / auditing / checking
## :closed_book: Discussions
AJ: We would create a `SECURITY.md` file linking to a documentation time.
RD: For backporting, we need to first settle on the way versions are managed.
This is something left as a future step.
HL: Is the idea to have a `staging` and a `stable` branch?
AJ: Yes, a reviewed / approved PR will be merged in `staging`.
Once integration tests are done, the contribution is passed
AJ: I suggest we put this document public.
For security@unikraft.org, Hugo is already part of it.
MP: I would remove the instructions on receiving swag.
### ASLR
SS: I made it work.
I was able to make it work on the
HL: Coccinelle could be used to learn from PRs / bugs we already fixed.
MP: SS's PR creates an entropy pool.
MR: You can go into the multiboot code.
The shadow stack feature could be activated later.
There is no chance for the attacker to do something with it.
MR: It's OK to enable it just before main, after the end of the boot process.
We can use the standard heap and just use that heap.
## :wrench: TODOs and Decisions
HL: I will update the document.
Create a page on the `docs` repository.