FreeBSD is undertaking one main project -- a code audit of two significant subsystems (the Bhyve hypervisor, and the Capsicum sandboxing framework) -- and two minor ones (an MFA pilot and an initial process audit).
The code audits are progressing to plan and producing useful insights into areas for improvement. Bhyve code audit is complete, and Capsicum code audit is underway.
To support the smooth running of the program, the FreeBSD Foundation has appointed a Program Manager, Alice Sowerby, to oversee the program and its projects. Alice is an experienced operational leader, active in the open source space with several LF projects (TODO Group, CHAOSS, OpenChain) and has previously held leadership roles at Equinix, Packet, and DDN, as well as consulting for early-stage startups in the container and MLOps spaces. You can reach Alice at [email protected].
The code audit is intended to discover vulnerabilities in these systems to redress, but will also look to identify classes of vulnerabilities and/or suboptimal coding practices that we can look for across the project and incorporate learnings from into our Committer training and onboarding.
The FreeBSD Foundation has appointed a code audit firm, Synacktiv, who began the audit at the start of June.
Audit start date: 2024-06-01
Audit end date: 2024-06-24
Code version: Branch = FreeBSD main (development) branch on 2024-06-05,
Commit = 56b822a17cde5940909633c50623d463191a7852
The code audit is finished. A significant number of vulnerabilities have been found across a number of attack surfaces, some of which might result in VM escape. Some patterns in the code security gaps are already observable and will be addressed as classes of vulnerabilities in our updated committer training and onboarding.
Audit start date: 2024-07-01
Audit end date: 2024-07-31
Code version: Branch = FreeBSD main (development) branch on 2024-06-05,
Commit = 56b822a17cde5940909633c50623d463191a7852
The code audit has started recently. We do not yet have any results.
The process audit is in the initiation phase.
The MFA pilot is in the initiation phase. No updates from last month’s report.