FreeBSD is undertaking one main project -- a code audit of two significant subsystems (the bhyve hypervisor, and the Capsicum sandboxing framework) -- and two minor ones (an MFA pilot and an initial process audit).
The code audit is intended to discover vulnerabilities in these systems to redress, but will also look to identify classes of vulnerabilities and/or suboptimal coding practices that we can look for across the project and incorporate learnings from into our Committer training and onboarding.
We finalized the contract with the selected code audit firm, and based on their availability the engagement will begin in June.
In advance of the audit FreeBSD Foundation team members have been reviewing Coverity Scan's static analysis reports for the associated FreeBSD components. At the time of writing, of 65 issues reported by Coverity that affect bhyve components:
- 3 have been and considered by Coverity as fixed (5%)
- 2 are accepted and pending review from Coverity (3%)
- 12 can be ignored (e.g. false positive or invalid) (18%)
- 2 were marked as triaged previously (3%)
- 1 is believed correct but does not have a trivial fix (2%)
- 45 are pending review (69%)
One minor project is an initial investigation of Multi-Factor Authentication (MFA) in the FreeBSD development ecosystem. To begin this process we have purchased a small number of Google Titan Security Keys which will be distributed to suitable members of the FreeBSD community at the BSDCan conference in June.
The USB ID for the Titan Security Key was not present in the u2f-devd package, which provides devd rules to set appropriate permissions and ownership for U2F devices. This has been addressed with commit security/u2f-devd: add USB IDs for newer Google Titan security keys.
We've also discovered a minor bug in Firefox on FreeBSD relating to the use of PINs with security keys. The error message for an incorrect PIN is "Incorrect PIN. You have {$retriesLeft} attempts left before you permanently lose access to the credentials on this device." It is not yet clear if this is an issue with the FreeBSD port or a general bug in Firefox; we will check on another OS and submit a bug as appropriate.