Hello Andreea,

Sorry for missing the community meeting! I would have loved to have been there yesterday!

I apologize for the slow response on this. We had to sync with our partners (also Amazon, funny enough) on whether there are specific components in rust-vmm that they're interested in reviewing. We have some clarity now, and the work can focus on anything that rust-vmm needs. Would it be more productive if we directly connected our security team with you? They could make an initial assessment of where they would like to help and build your community's input into a final project that they would then conduct.

Ultimately, we are here to help in whatever ways you need. This includes anything from making custom rules for security tooling that you already use, to building out new fuzzers for better coverage or better performance, to manual review of any components that we identify as risky or brittle. We are more than happy to help with whatever you need.

Let me know your thoughts!

Derek Zimmer
Executive Director
Open Source Technology Improvement Fund
Schedule a meeting with me anytime: https://calendly.com/derek-ostif


On Thu, May 4, 2023 at 4:33 AM Florescu, Andreea <fandree@amazon.com> wrote:

Hey Derek,

We have a rust-vmm sync meeting every 2 weeks on Monday at 5 PM CET. The next one is on the 15th of May. If that fits your schedule, it would be great to chat during that meeting. Otherwise, we can set up a meeting at another time.

I can give you pointers for the security-related testing that we already have in some of the rust-vmm crates. The project ownership is distributed, so you will need to get in contact with multiple folks, as there is not a single person who knows the insides of every rust-vmm component. I can also help you with pointers to people that you can chat with.

Thanks,

Andreea


From: Derek Zimmer <derek@ostif.org>
Sent: Wednesday, May 3, 2023 7:08:37 PM
To: rust-vmm@lists.opendev.org
Subject: [EXTERNAL] [Rust-VMM] Hello from OSTIF! We are interested in doing a free security review of Rust VMM.
Hello everyone,

Firstly, if I'm reaching out through the improper channel, I apologize. I didn't want to spam security channels or file a GitHub issue to reach out. Please forward this to the appropriate channel if you can!

I'm Derek, founder of https://ostif.org, and I'd like to discuss collaborating with the Rust VMM community on doing a security review of the project. This is entirely without cost, and we will work with you as much or as little as members would like to participate. We have a long history of collaborating with projects to help them with security, and I'm happy to give you references if needed.

We'd like to look at your testing regimen, do some manual code review, and do some supply chain analysis, and then make recommendations based on our findings. We can also help with fixes if they are complex, or build out some security tools to be more useful (rule sets for static analysis tools, expanding fuzzing code coverage, improving fuzzer performance, etc.).

We have a deep network of experts from many fields, and we can shape this security review to focus on whatever Rust VMM needs. After all, you know more about what your project needs than we do.

I'm excited about Rust VMM in particular because I'm really passionate about Rust and getting away from error-prone languages. We're currently working on wasmCloud and Wasmtime as well, and building a proposal to improve OSS-Fuzz for all Rust projects directly with Google.

To move this forward, I'd like to talk with the lead contributor(s) about how we can help, and how we can best work together.

If you have any questions, feel free to email me directly. I'm happy to help in any way that I can!

All the best,

Derek Zimmer
Executive Director
Open Source Technology Improvement Fund
Schedule a meeting with me anytime: https://calendly.com/derek-ostif