The Sched app allows you to build your schedule but is not a substitute for your event registration. In addition, you must be registered for Linux Security Summit to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Pacific Daylight Time (PDT), UTC-7. Please select from the drop-down menu to the right to see the schedule in your preferred timezone above "Filter by Date."
Back To Schedule
Friday, October 1 • 2:00pm - 2:30pm
(VIRTUAL) CVEHound: Audit Kernel Sources for Missing CVE Fixes - Denis Efremov, Oracle

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
CVEHound is a tool for checking Linux kernel sources for missing CVE fixes. Usual ways to track CVE fixes are vendor security announcements and a git history of a particular kernel tree. However, many vendors provide sources as tarballs without development history and don't publish enough information about security fixes. Hence, it's not possible to check these releases automatically without manually inspecting sources. CVEHound takes into account only C source code during work. Internally, the tool uses semantic patches (coccinelle patterns) to find missing backports of CVE fixes. This allows the tool to be agnostic from the kernel version and detect a missing fix in a half-open interval starting from the first commit where a bug was introduced and ending with the fix/backport patch. Since the tool uses a source-based approach this allows also to detect partial/broken/missing backports of security fixes. The talk is a tool presentation with a corresponding approach that can be interesting to kernel developers for maintaining kernel trees, certification labs for compliance checking, system administrators, and penetration testers for security audits.


Denis Efremov

Developer, Oracle
Worked for 10 years at ISP RAS (Institute for System Programming Russian Academy of Science) as researcher/formal verification engineer. Recently joined Ksplice team at Oracle as a kernel developer.

Friday October 1, 2021 2:00pm - 2:30pm PDT
Room 402 - Chiliwack