FreeBSD is undertaking one main project and two minor ones:
Major: A code audit of two significant subsystems (the bhyve hypervisor, and the Capsicum sandboxing framework).
Minor: An initial Process Audit and an MFA pilot.
The code audit is complete and the FreeBSD Project is now addressing newly-discovered vulnerabilities. The FreeBSD Foundation will release the full code audit report when directed by the FreeBSD Security Team after the reported issues have been addressed. The FreeBSD Foundation will work with the FreeBSD Project to identify classes of vulnerabilities where possible, and to create documentation, training, or education, and update processes and policies as needed to reduce current and future vulnerabilities.
The Process Audit and the MFA pilot are in planning phase and the objectives and deliverables can been seen below. These are due to start in October and September 2024 respectively.
The code audit was intended to discover vulnerabilities in these systems to redress, but also looked to identify classes of vulnerabilities and/or suboptimal coding practices that we can look for across the project and incorporate learnings from into our Committer training and onboarding.
The FreeBSD Foundation appointed a code audit firm, Synacktiv, who conducted the code audit on its behalf.
The code audit firm, Synacktiv, has completed the code audit of bhyve and Capsicum on time. They have provided us with a report that contains useful insights into areas for improvement. The FreeBSD Project will address newly-discovered vulnerabilities according to its existing Security Processes and vulnerability reporting procedure.
Audit start date: 2024-06-01
Audit end date: 2024-06-24
Code version: Branch = FreeBSD main (development) branch on 2024-06-05,
Commit = 56b822a17cde5940909633c50623d463191a7852
The code audit is finished. A significant number of vulnerabilities have been found across a number of attack surfaces, some of which might result in VM escape. Some patterns in the code security gaps are already observable and will be addressed as classes of vulnerabilities in our updated committer training and onboarding.
Audit start date: 2024-07-01
Audit end date: 2024-07-31
Code version: Branch = FreeBSD main (development) branch on 2024-06-05,
Commit = 56b822a17cde5940909633c50623d463191a7852
The code audit is finished. A small number of vulnerabilities were discovered, however, the code base is much larger than for bhyve and so the audit was not as comprehensive. The FreeBSD Project will address these vulnerabilities and will make changes to development practices as needed to reduce incidence of similar future vulnerabilities.
The process audit is in the planning phase and will commence in October.
Objectives
- Get a picture of the current processes. Compare these to industry security standards (e.g. SSDF, CRA).
- Identify areas of risk, and rank these from highest to lowest.
- Report the findings in a format that supports the community to resolve the gaps discovered and easier to obtain funding for the required work.
Deliverables
- Assessment of security practices across the development community, tooling, protocols, and processes.
- List of prioritized areas to improve in order to support security attestations in 2024/5.
- List of identified additional partnership opportunities with Alpha-Omega to target high-impact processes and protocols for improvement.
The MFA pilot is in the planning phase and will commence in September.
Objectives
- Identify best route to achieve target MFA coverage for the project’s committers.
- Test functionality of hardware keys on a dev stack based on FreeBSD.
- Understand the user experience of FreeBSD committers using hardware sec keys (and possibly app-based TOTP).
Deliverables
- Assessment of available routes to target MFA coverage for the project’s committers. To consider functionality, user experience, and feasibility.
- Illustrative roadmap to reaching target MFA coverage for the project’s committers.
- Proposal for a funded project to implement phases of the roadmap, potentially covering currently planned work on infrastructure modernization and SSO implementation.
The FreeBSD Security Team oversees the identification, mitigation, and disclosure of security vulnerabilities within the FreeBSD operating system. They provide timely security advisories, coordinate responses to reported vulnerabilities, and maintain a comprehensive security infrastructure to safeguard FreeBSD systems. Users can access security advisories, security officer reports, and information on security policies and best practices to ensure the security and integrity of their FreeBSD deployments.
The FreeBSD vulnerability reporting and disclosure policy provides guidelines for responsible disclosure, including how to securely communicate vulnerabilities to the FreeBSD Security Team. Additionally, it details the process followed by the Security Team for evaluating, addressing, and disclosing reported vulnerabilities, ensuring timely and transparent handling of security issues within the FreeBSD community.