Re: [Qemu-devel] [RFC] QEMU Code Audit Team
From: Chris Wright
Subject: Re: [Qemu-devel] [RFC] QEMU Code Audit Team
Date: Fri, 6 Jan 2012 09:37:27 -0800
User-agent: Mutt/1.5.20 (2009-08-17)

* Anthony Liguori (address@hidden) wrote:
> 2) Two people walk through a particular piece of code and
> independently flag anything that looks like a potential security
> issue.
Auditing is always helpful, but won't ever get full coverage. qtest +
fuzz is another great way to identify problems. Also improving any
annotations to help static analysis tools is useful. And both of those
are development efforts rather than code review. Trouble with code
review is that security bugs can be subtle and easy to miss.
> I'd want to focus initially on the common PC devices. The list
> isn't all that large and a review like this should only take a few
> hours to complete each step.
I definitely agree on the initial scope.
thanks,
-chris