About this audit
This is the read-only viewer for the DragonFlyBSD Kernel Audit: an adversarial, file-by-file security review of the DragonFlyBSD kernel source tree (sys/, ~2,809 C files). Every issue below was found by reading the kernel source and then, wherever a proof-of-concept exists, verified against a live DragonFlyBSD guest rather than trusted on theory alone.
What you're looking at
- Dashboard: the landing page. The top shows the severity breakdown and audit progress per area; below it is the full findings browser, grouped into Confirmed (reproduced), Tested (not reproduced), and Unverified, with full-text search and severity/area filters.
- Finding pages: one page per issue. Each carries the structured metadata (severity, CVSS, CWE, file:line), the full writeup (root cause, threat model, impact, suggested fix), and, when a PoC was run, the verification summary in the sidebar plus the embedded evidence: the reproducible evidence pack (build/run scripts, logs, panic signatures, exploit source), confirmed kernel references, the exploit chain, and the runner's verdict.
- Source viewer: every cited sys/ file is embedded with line numbers, so each path:line reference in a writeup or verdict links straight to the exact line of kernel code under discussion.
Methodology & process
The audit runs as a pipeline of cooperating stages:
- Triage & queue. Files under sys/ are prioritised by attacker reach: kern (syscalls, IPC, caps, exec) first, then the network stacks, filesystems, VM, crypto, drivers, and shared libs, breaking ties by lines-of-code.
- Deep review. Each file gets a fresh, paranoid pass: control flow, length arithmetic, copyin/uiomove bounds, refcounts and locking, privilege checks, info leaks, and parser logic. Candidate defects are filed with a root-cause walk, a threat model, and a concrete patch.
- PoC verification. For each finding with a trigger, a runner builds the proof-of-concept on a real DragonFlyBSD kernel under QEMU/KVM and runs it. It reproduces or refutes honestly: a reproduced bug is stress-tested and pushed toward a real exploit (slab grooming → victim overwrite → privilege gain); a refuted one is traced line-by-line and classified as false-positive, already-fixed, unreachable, or missing setup. The full untrimmed evidence is retained in the evidence pack.
- One source of truth. A SQLite database (audit/audit.db) holds the structured index; the per-finding markdown and evidence packs hold the detail. This viewer renders both together.
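The "length arithmetic" and "copyin/uiomove bounds" items of the deep-review checklist, as an added example that is not code from the audit or from the DragonFlyBSD tree: a constructed variable-length request (struct req_hdr, struct req_item, REQ_MAX_ITEMS and the userland copyin_stub stand-in are all hypothetical) sized first with an unchecked computation and then with the range check a reviewer would expect before any arithmetic on an attacker-controlled count.

```c
/*
 * Added example for the deep-review checklist. Nothing here is DragonFlyBSD
 * code or an audit finding; the request layout is constructed and copyin()
 * is replaced by a memcpy stub so the file builds and runs in userland.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical variable-length request: a header, then nitems records. */
struct req_hdr  { uint64_t nitems; };            /* attacker-controlled */
struct req_item { uint64_t key; uint64_t val; };
#define REQ_MAX_ITEMS 1024

/* Stand-in for copyin(): a real one faults on bad user addresses but
 * trusts whatever length it is handed, which is the point of the check. */
static int
copyin_stub(const void *uaddr, void *kaddr, size_t len)
{
    memcpy(kaddr, uaddr, len);
    return 0;
}

/* NAIVE: allocation size derived from nitems with no range check. Only
 * computes the size; a huge nitems wraps it to a few bytes while a
 * later copyin of nitems records would overrun that allocation. */
size_t
naive_alloc_size(uint64_t nitems)
{
    return sizeof(struct req_hdr) + nitems * sizeof(struct req_item);
}

/* HARDENED: bound the count first, then guard the product anyway. */
int
check_nitems(uint64_t nitems, size_t *out_len)
{
    if (nitems == 0 || nitems > REQ_MAX_ITEMS)
        return EINVAL;
    if (nitems > (SIZE_MAX - sizeof(struct req_hdr)) / sizeof(struct req_item))
        return EOVERFLOW;           /* unreachable with the cap, kept as belt-and-braces */
    *out_len = sizeof(struct req_hdr) + (size_t)nitems * sizeof(struct req_item);
    return 0;
}

/* Hardened handler: read the header, validate, allocate from the validated
 * length, and copy the body with that same length, never with hdr.nitems alone. */
int
handle_request(const void *uaddr, uint64_t *sum_out)
{
    struct req_hdr hdr;
    size_t len;
    int error;

    if ((error = copyin_stub(uaddr, &hdr, sizeof(hdr))) != 0)
        return error;
    if ((error = check_nitems(hdr.nitems, &len)) != 0)
        return error;
    unsigned char *buf = malloc(len);   /* kmalloc(len, ...) in a kernel */
    if (buf == NULL)
        return ENOMEM;
    if ((error = copyin_stub(uaddr, buf, len)) != 0) {
        free(buf);
        return error;
    }
    const struct req_item *items = (const struct req_item *)(buf + sizeof(hdr));
    uint64_t sum = 0;
    for (uint64_t i = 0; i < hdr.nitems; i++)
        sum += items[i].key ^ items[i].val;     /* stand-in for real work */
    *sum_out = sum;
    free(buf);
    return 0;
}

/* Constructed sample input: a well-formed request with three records. */
uint64_t
demo_valid_request(void)
{
    unsigned char buf[sizeof(struct req_hdr) + 3 * sizeof(struct req_item)];
    struct req_hdr hdr = { .nitems = 3 };
    memcpy(buf, &hdr, sizeof(hdr));
    for (uint64_t i = 0; i < 3; i++) {
        struct req_item it = { .key = i + 1, .val = 10 * (i + 1) };
        memcpy(buf + sizeof(hdr) + i * sizeof(it), &it, sizeof(it));
    }
    uint64_t sum = 0;
    return handle_request(buf, &sum) == 0 ? sum : 0;
}

/* Constructed hostile input: a header claiming 2^60 records and no body.
 * The hardened path rejects it before sizing or copying anything. */
int
demo_oversized_request(void)
{
    struct req_hdr hdr = { .nitems = 1ULL << 60 };
    uint64_t sum = 0;
    return handle_request(&hdr, &sum);
}

int
main(void)
{
    printf("naive size for 2^60 items: %zu bytes\n", naive_alloc_size(1ULL << 60));
    printf("valid request sum: %llu\n", (unsigned long long)demo_valid_request());
    printf("oversized request -> errno %d\n", demo_oversized_request());
    return 0;
}
```

The naive path is the shape to look for during review: the count is used twice, once (wrapped) to size the buffer and once (unwrapped) to drive the copy. The hardened path derives one length from a bounded count and uses that length for both the allocation and the copyin.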
Vulnerability classes & severity
Memory-safety bugs are weighted highest (overflows, OOB, use-after-free, double-free, type confusion, uninitialised reads, integer issues), followed by refcount/lifetime races and locking errors, missing or wrong privilege checks, kernel info leaks, attacker-controlled parsing (mbuf chains, socket options, ioctls, filesystem images), protocol/logic errors, and crypto correctness. Each finding carries a CVSS 3.1 vector and a severity:
- Critical: unauthenticated remote code execution, or reliable local unprivileged → root.
- High: privilege escalation, kernel memory corruption, or remote DoS/leak on a default configuration.
- Medium: local DoS or a limited info leak, or one needing an unusual configuration or privilege.
- Low: narrow trigger, low impact, or one requiring specific hardware or an already-privileged user.
- Info: a hardening opportunity with no demonstrated impact.
Disclosure
This work is defensive. Findings are reported upstream under coordinated disclosure and remain private until the project ships a fix or the 90-day embargo lapses; proof-of-concept code is kept out of any public push until then. This viewer contains pre-disclosure vulnerability details and exploit material, and is intended only for the audit contributors and the DragonFlyBSD maintainers.