open_issues/security: New.

1 files changed, 34 insertions, 0 deletions

diff --git a/open_issues/security.mdwn b/open_issues/security.mdwn
new file mode 100644
index 00000000..055c8bdc
--- /dev/null
+++ b/open_issues/security.mdwn
@@ -0,0 +1,34 @@
+[[!meta copyright="Copyright © 2010 Free Software Foundation, Inc."]]
+
+[[!meta license="""[[!toggle id="license" text="GFDL 1.2+"]][[!toggleable
+id="license" text="Permission is granted to copy, distribute and/or modify this
+document under the terms of the GNU Free Documentation License, Version 1.2 or
+any later version published by the Free Software Foundation; with no Invariant
+Sections, no Front-Cover Texts, and no Back-Cover Texts.  A copy of the license
+is included in the section entitled [[GNU Free Documentation
+License|/fdl]]."]]"""]]
+
+There are [[several aspects to security|/security]] that are (mainly) relevant
+to the design space.
+
+There are also security issues in the implemenation space, for example using
+the correct coding paradigms.
+
+Large parts of our code base have not beed audited, either manually or in an
+automated fashion.
+
+[[Unit testing]] is one aspect: testing for reliably failing for invalid input.
+
+[[Code analysis]] is another aspect.
+
+All publically usable interfaces provide attacking targets.  This includes all
+[[system call]]s and [[RPC]] interfaces.
+
+Fuzzing techniques can be use for locating possible issues.
+
+  * <http://lwn.net/Articles/414273/>
+
+  * Has already been used in the 70s / 80s (?) for testing [[UNIX]] command
+    line tools.
+
+  * <http://www.ece.cmu.edu/~koopman/ballista/>