Bug #14508

Get critical parts of Tails audited

Added by jvoisin 4 months ago. Updated 11 days ago.

Status: Confirmed
Priority: Low
Assignee:
Category: -
Target version:
Start date: 08/30/2017
Due date:
% Done: 0%
QA Check:
Feature Branch:
Type of work: Security Audit
Blueprint:
Starter:
Affected tool:

Description

It would be nice to have the following parts of Tails audited:

  • Audit whatever upgrade mechanism we replace the current Tails Upgrader with in the "Rethink upgrade/installation" effort (possible in ~2 years probably).
    - Audit the current implementation of Tails Upgrader. (Low prio since it will be obsoleted by the above point. ~1 kLoC of Perl, but big parts are irrelevant since it is about generating IUKs.)
  • Audit Tails Security Check (config/chroot_local-includes/usr/local/bin/tails-security-check, ~200 LoC.)
  • Torification escapes for the Live user and other critical users
  • Persistence
    - Arbitrary persistence by the Live user
    - Permissions of the device and data of the persistent device (Audit should be less than a day)
  • Audit anonym's Thunderbird auto-config patches (JavaScript, 9 files changed, 254 insertions(+), 99 deletions(-).)

History

#1 Updated by jvoisin 4 months ago

I'm forwarding this to an interested company that might want to do it for free, as a form of donation.

#2 Updated by mercedes508 4 months ago

  • Status changed from New to Confirmed

#3 Updated by BitingBird 4 months ago

  • Target version set to 2018

#4 Updated by intrigeri 4 months ago

- Permissions of the device and data of the persistent device (Audit should be less than a day)

#7465 seems relevant here.

#5 Updated by ikki 11 days ago

jvoisin wrote:

I'm forwarding this to an interested company that might want to do it for free, as a form of donation.

If that didn't happen, we (@Doyensec) would also be happy to provide testing services at a discounted rate for OSS projects, non-profit, etc. - in case
