Hello everyone,

I have some updates! We've had the researchers take a look at rust-vmm overall and define which components are doing things with a high security impact. They did a rough lightweight threat model and came up with the following (pasted verbatim).

=================

"here is an overview of github.com/rust-vmm:

[...] Not all repos seem security critical. [...]
The biggest repos are bindings for calling the various hypervisors (kvm-bindings, mshv, xen). [...]

[...] From a high level view, we should (at least) include the following repos for review:

vm-virtio, vhost-device, vm-allocator, vm-device, vhost, vmm-sys-util, vm-superio, vm-memory and seccompiler

Trust boundaries: Guest - Host, Guest - Guest, Guest (Ring 3) - Guest (Ring 0), [this last one was not sure yet] Guest - Ring (-1)

A threat model would include information disclosure, memory corruption and DoS over a trust boundary. The team also was discussing to add logical issues to the review."

=================

Does this quick assessment make sense as a starting point? Would it be best for us to reach out to the lead contributor to each component that we'd like to review?

I've connected our project manager from the org that is working on the audit, Sofie Seuren from X41. (Sofie, you may have to sign up for the mailing list to get all of the discussion https://lists.opendev.org/mailman3/lists/rust-vmm.lists.opendev.org/ )

Additionally, now that we have some idea of what we'd like to be working on, we are open to emails, calls, or whatever format that community members prefer so that we can discuss any questions that community members have, or any questions that X41 has for the people tirelessly working on all of these components. Reach out to me through whatever channels that you prefer, or you can communicate with Sofie directly.

All the best,

Derek Zimmer
Executive Director
Open Source Technology Improvement Fund
Schedule a meeting with me anytime: https://calendly.com/derek-ostif


On Wed, May 17, 2023 at 3:35 AM Florescu, Andreea <fandree@amazon.com> wrote:

Hey,


I think it makes sense to have an initial call to discuss the components in general terms at least, and walk you through what we already did in terms of security.

I will only be in the office until the end of the month, then I will be on a sabbatical for 3 months. Do you mind setting up a call next week so that in case there are any follow-ups needed I can assist you with that?


Andreea


From: Derek Zimmer <derek@ostif.org>
Sent: Tuesday, May 16, 2023 10:59:45 PM
To: Mathieu Poirier
Cc: Florescu, Andreea; rust-vmm@lists.opendev.org
Subject: RE: [EXTERNAL][Rust-VMM] Re: Hello from OSTIF! We are interested in doing a free security review of Rust VMM.
 


Mathieu,

Thanks for the info! Completely understood around the multiple communities depending on the crates that we are looking at. I will defer to our security team to have them tell us what is interesting, and I'll report back what we're interested in looking at. I do want to make sure that we are using resources in ways that are helpful so I will report our activity to this mailing list as we reach milestones for feedback if that works for everyone here.

All the best,

Derek Zimmer
Executive Director
Open Source Technology Improvement Fund
Schedule a meeting with me anytime: https://calendly.com/derek-ostif


On Tue, May 16, 2023 at 3:27 PM Mathieu Poirier <mathieu.poirier@linaro.org> wrote:


On Tue, 16 May 2023 at 13:43, Derek Zimmer <derek@ostif.org> wrote:
Hello Andreea,

Sorry for missing the community meeting! I would have loved to have been there yesterday!

I apologize for the slow response on this. We had to sync with our partners (also amazon, funny enough) on if there's specific components in rustvmm that they're interested in reviewing. We have some clarity now and the work can focus on anything that rustvmm needs. Would it be more productive if we directly connected our security team with you? They could make an initial assessment of where they would like to help, build any of your community/ies input into a final project that they would then conduct.

I think making your own assessment of where your team can help is the best way to proceed. The rust-vmm project is wide in scope and as such I would suggest starting with something small and, preferably, simple.

 
Ultimately we are here to help in whatever ways that you need. This includes anything from making custom rules for security tooling that you already use, building out new fuzzers for better coverage or better performance, and manual review of any components that we identify as risky or brittle. We are more than happy to help with whatever you need.

Due to the distributed nature of the project I am doubtful that you will get a list of the things we need, especially when it comes to something as wide and complex as security. As suggested above, have a look around, focus on something you can improve on and submit code from there. Doing so, have a look at the rust-vmm-ci crate. It gets pulled in by all crates in the project and is where our CI efforts stem from.


Let me know your thoughts!

Derek Zimmer
Executive Director
Open Source Technology Improvement Fund
Schedule a meeting with me anytime: https://calendly.com/derek-ostif


On Thu, May 4, 2023 at 4:33 AM Florescu, Andreea <fandree@amazon.com> wrote:

Hey Derek,


We have a rust-vmm sync meeting every 2 weeks on Monday at 5 PM CET. The next one is on 15th of May. If that fits your schedule, it would be great to chat during that meeting. Otherwise, we can set up a meeting at another time.


I can give you pointers for the security related testing that we already have in some of the rust-vmm crates. The project ownership is distributed, so you will need to get in contact with multiple folks as there is not a single person that knows the insides of every rust-vmm component. I can also help you with pointers for people that you can chat with.


Thanks,

Andreea


From: Derek Zimmer <derek@ostif.org>
Sent: Wednesday, May 3, 2023 7:08:37 PM
To: rust-vmm@lists.opendev.org
Subject: [EXTERNAL] [Rust-VMM] Hello from OSTIF! We are interested in doing a free security review of Rust VMM.
 


Hello everyone,

Firstly, if I'm reaching out through the improper channel I apologize. I didn't want to spam security channels or file a GitHub issue to reach out. Please forward this to the appropriate channel if you can!

I'm Derek, founder of https://ostif.org and I'd like to discuss collaborating with the Rust VMM community on doing a security review of the project. This is entirely without cost, and we will work with you as much or as little as members would like to participate. We have a long history of collaborating with projects to help them with security and I'm happy to give you references if needed.

We'd like to look at your testing regimen, do some manual code review, and do some supply chain analysis and then make recommendations based on our findings. We can also help with fixes if they are complex, or to build out some security tools to be more useful (rule sets for static analysis tools, expanding fuzzing code coverage, improving fuzzer performance, etc.)

We have a deep network of experts from many fields, and we can shape this security review to focus on whatever Rust VMM needs. After all, you know more about what your project needs than we do.

I'm excited about Rust VMM in particular because I'm really passionate about Rust and getting away from error-prone languages. We're currently working on wasmCloud and wasmTime as well, and building a proposal to improve ossfuzz for all Rust projects directly with Google.

To move this forward, I'd like to talk with the lead contributor/s about how we can help, and how we can best work together.

If you have any questions, feel free to email me directly. I'm happy to help in any way that I can!

All the best,

Derek Zimmer
Executive Director
Open Source Technology Improvement Fund
Schedule a meeting with me anytime: https://calendly.com/derek-ostif