Project

General

Profile

Bug #14508

Get critical parts of Tails audited

Added by jvoisin about 2 months ago. Updated about 2 months ago.

Status:
Confirmed
Priority:
Low
Assignee:
Category:
-
Target version:
Start date:
08/30/2017
Due date:
% Done:

0%

QA Check:
Feature Branch:
Type of work:
Security Audit
Blueprint:
Easy:
Affected tool:

Description

It would be nice to have to following parts or Tails audited:

  • Audit whatever upgrade mechanism we replace the current Tails Upgrader with in the "Rethink upgrade/installation" effort (possible in ~2 years probably).
    - Audit the current implementation of Tails Upgrader. (Low prio since it will be obsoleted by the above point. ~1 kLoC of perl (but big parts are irrelevant since it is about generating IUKs.)
  • Audit Tails Security Check (config/chroot_local-includes/usr/local/bin/tails-security-check, ~200 LoC.)
  • Torification escapes for the Live user and other critical users
  • Persistence
    - Arbitrary persistence by the Live user
    - Permissions of the device and data of the persistent device (Audit should be less than a day)
  • Audit anonym's Thunderbird auto-config patches (Javascript, 9 files changed, 254 insertions(+), 99 deletions(-).)

History

#1 Updated by jvoisin about 2 months ago

I'm forwarding this to an interested company that might want to do it for free, as form of a donation.

#2 Updated by mercedes508 about 2 months ago

  • Status changed from New to Confirmed

#3 Updated by BitingBird about 2 months ago

  • Target version set to 2018

#4 Updated by intrigeri about 2 months ago

- Permissions of the device and data of the persistent device (Audit should be less than a day)

#7465 seems relevant here.

Also available in: Atom PDF