[Kde-pim] KDE-PIM Security R&D

Derek Ditch derek.ditch at gmail.com
Thu Jan 24 18:22:45 GMT 2008


I subscribed to this list after most of the replies had already been
posted, so the threading may be off.  Anyway, Akonadi and KDE-PIM in
general have a lot of support from my classmates.  The only area where
the case for choosing any KDE-PIM code as our project is weak is
whether we'll actually be able to do any good.  Since much of the code
is pretty new, particularly Akonadi, it's difficult to figure out what
the potential for vulnerabilities or security enhancements would be.

Another project we're looking at is Pidgin and libpurple.  Its
developers indicated that a known issue they have is that passwords
are apparently stored in plaintext.  So the class members that choose
to take this up will likely add code to integrate password management
into KDE Wallet, Gnome Keyring, OS X Keychain, etc.  Is there anything
along those lines that would be a good place to start looking for
vulnerabilities or enhancing code that could make the system more
secure?  I won't limit it to Akonadi, but would like to stay within
KDE-PIM.

Btw, I scanned the Akonadi code base with flawfinder and it only found
38 hits out of the 54,000 lines of code.  However, flawfinder is
geared more towards C API calls like memcpy, strcat, etc.  A couple of
us are also looking into kdepimlibs, which I assume is where many of
the agents for Akonadi do their protocol parsing and such.  I would
think that malformed protocols and RSS feeds would be a good place to
check, but any suggestions anyone could make would be great.

thanks,

Derek

On Jan 23, 2008 3:24 AM, Markus Feilner <mfeilner at linuxnewmedia.de> wrote:
> On Tuesday 22 January 2008 07:34:59 Derek Ditch wrote:
> > Greetings KDE-PIM developers,
> >
>
>
> Hello Derek,
> I am no developer, but an editor at the German Linux Magazine, and we would
> like to publish a short article on your works, if there are any results.
> Can you keep me updated on your progress?
> Thanks a lot!
>
>
>
> > I am a senior computer science student at Missouri University of
> > Science & Technology (MST)[http://www.cs.mst.edu].  I'm a member of a
> > pilot class called Cyber Security Research & Development.  In this
> > class, we are to choose an open source project, perform a security
> > analysis on it, fix what we can and give it all back to the community.
> >  I suggested KDE4 as a possible project.  Obviously KDE4 is a large
> > set of code, so we narrowed it down to KDE-PIM.  Specifically I think
> > we may look at Akonadi.  I'm the advocate, so I'm gathering
> > information.
> >
> > My question is if you feel Akonadi is a good candidate for this class.
> >  Some of the specifications are the impact of security (how
> > widespread/how critical), scope of the project (lines of code, release
> > cycle) and potential for vulnerabilities (or the amount of impact we
> > could have on the project).
> >
> > Also, of course, a very important factor is willingness of the
> > community to use our fixes.
> > I've worked with several small KDE projects in the past, and the last
> > item has never been a problem.  I've found KDE teams to be very open
> > to outside help.  Last semester my team did a bit of work on ViewVC
> > and the project members didn't seem to be too interested in our work.
> >
> > So do you think Akonadi is a good pick, or could you suggest something
> > that would be more applicable given the guidelines above?
> >
> > Thanks for your response,
> >
> > Derek
> > _______________________________________________
> > KDE PIM mailing list kde-pim at kde.org
> > https://mail.kde.org/mailman/listinfo/kde-pim
> > KDE PIM home page at http://pim.kde.org/
>
>
>
>
> Best Regards,
>
> Markus Feilner
>
> --
> Linux New Media AG, Süskindstr. 4, 81929 München, Germany
> Phone: +49 89 9934 1122, Fax: +49 89 9934 1199
> mfeilner at linuxnewmedia.de - http://www.linuxnewmedia.de
>
> Linux New Media - The Pulse of Linux
> Lawrence - Malaga - Manchester -
> München -  Sao Paulo - Timisoara - Warszawa
>
> ---------------------------------------------------
> Registered office: Süskindstraße 4, 81929 München
> Munich District Court: HRB 129161
> Executive Board: Rosemarie Schuster, Hermann Plank
> Chairman of the Supervisory Board: Rudolf Strobl
>