Experiences Enhancing Open Source Security in the POSSE Project
Jonathan M. Smith (University of Pennsylvania, USA), Michael B. Greenwald (University of Pennsylvania, USA), Sotiris Ioannidis (University of Pennsylvania, USA), Angelos D. Keromytis (Columbia University, USA), Ben Laurie (AL Digital, Ltd., USA), Douglas Maughan (Defense Advanced Research Projects Agency, USA), Dale Rahn (University of Pennsylvania, USA) and Jason Wright (University of Pennsylvania, USA)
Copyright: © 2005
This chapter reports on our experiences with POSSE, a project studying “Portable Open Source Security Elements” as part of the larger DARPA effort on Composable High Assurance Trusted Systems. We describe the organization created to manage POSSE and the significant acceleration in producing widely used secure software that has resulted. POSSE’s two main goals were, first, to increase security in open source systems and, second, to more broadly disseminate security knowledge, “best practices,” and working code that reflects these practices. POSSE achieved these goals through careful study of systems (“audit”) and starting from a well-positioned technology base (OpenBSD). We hope to illustrate the advantages of applying OpenBSD-style methodology to secure, open-source projects, and the pitfalls of melding multiple open-source efforts in a single project.