Core Infrastructure Initiative kickstarts OpenSSL audit

Cryptography Services, a team of consultants from several security research firms, have announced that they have been tasked with auditing OpenSSL, the popular and widely used open-source implementation of the SSL and TLS protocols.

The audit has been initiated by Linux Foundation’s Core Infrastructure Initiative (CII) and will be organized by the Open Crypto Audit Project, which is currently also working on the security audit of TrueCrypt.

“OpenSSL has been reviewed and improved by the Academic community, commercial static analyzer companies, validation organizations, and individual review over the years – but this audit may be the largest effort to review it, and is definitely the most public. Serious flaws in OpenSSL cause the whole Internet to upgrade, and in the case of flaws like Heartbleed and EarlyCCS, upgrade in a rush,” they noted.

“The audit’s primary focus is on the TLS stacks, covering protocol flow, state transitions, and memory management. We’ll also be looking at the BIOs, most of the high-profile cryptographic algorithms, and setting up fuzzers for the ASN.1 and x509 parsers. While the audit won’t cover every single corner of the codebase, we believe it will be a useful component of the broader efforts being undertaken to improve OpenSSL’s engineering and security.”

Giving the scope of the audit, preliminary results are expected by early summer.

The Core Infrastructure Initiative is backed and financed by many Internet, software and hardware firms, including Google, Adobe, Cisco, Facebook, Intel, and others, and its goal is to funnel funding to open source projects that are in the critical path for core computing functions.

“The computing industry has increasingly come to rely upon shared source code to foster innovation. But as this shared code has become ever more critical to society and more complex to build and maintain, there are certain projects that have not received the level of support commensurate with their importance,” the CII has noted. “As we witnessed with the Heartbleed crisis, too many critical open source software projects are under-funded and under-resourced. For instance, the OpenSSL project has in past years received about $2,000 per year in donations.”

The Initiative’s Steering Committee has decided that the first round of funding will go to the OpenSSL project, the OpenBSD Project (for OpenSSH), and to David L. Mills of the University of Delaware, the original developer of the Network Time Protocol who still oversees its development.

CORRECTION: David L. Mills, the original developer of the Network Time Protocol, is retired. Project Manager Harlan Stenn, and Poul-Henning Kamp are tasked with the development and maintenance of NTP.