Open source security projects get $452,000 from the Linux Foundation

The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund critical open source projects in need of assistance, today announced financial support of nearly $500,000 for three new projects to better support critical security elements of today’s global information infrastructure.

Established in 2014 in response to the Heartbleed vulnerability, more than 20 companies founded CII to fortify the security of key open source projects.

The CII provides funding for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support. The multi-million dollar project is organized by The Linux Foundation and supported by Amazon Web Services, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, salesforce.com, and VMware.

New CII grants and projects

Reproducible Builds – For distributions like Debian and Fedora, it is essential that the machines used to build binaries distributed to users have not been compromised by unknown attackers. Reproducible builds enable anyone to reproduce bit by bit identical binary packages from a given source, thus enabling anyone to independently verify that a binary matches the source code from which it was said it was derived. Without it, even with software containing carefully audited source code, it is much harder to detect if binaries have been tampered with before they get in the hands of users.

Compiler output usually differs from one version to another. Even when reproducing the original build environment as closely as possible, specific information about the process such as date and time or ordering of files can introduce hard-to-understand variations in the build results. Enabling easy ways to record and restore a given build environment and making the compilation processes fully deterministic by removing or normalizing variations allows anyone to verify for themselves that the file they received was exactly what the developers intended.

Debian developers Holger Levsen and Jérémy Bobbio are steering a large-scale effort to eliminate unneeded variations from the build processes of thousands of free software projects, as well as provide tools to understand the source of these differences and update the infrastructure to allow developers to independently verify the authenticity of binary distributions.

Ensuring that no flaws are introduced during the build process greatly improves software security and control. This work has already made significant progress in Debian, and they are making their tools available for Fedora, Ubuntu, OpenWrt and other distributions as well. CII’s $200,000 grant will allow Levsen and Bobbio to meaningfully advance their Debian work and collaborate more closely with other distributions.

The Fuzzing Project – The fuzzing software testing technique is a powerful mechanism to identify security problems in software or computer systems. Security researcher Hanno Böck spearheads The Fuzzing Project, coordinating fuzzing efforts for open source software. Many vulnerabilities in well-known software, including several GnuPG and OpenSSL bugs reported lately, were found by Böck’s effort. He will receive $60,000 from CII to continue his work finding and reporting fuzzer-related issues in open source software. He works on improving and documenting the tools and methods to automatically find large quantities of bugs in software.

False-Positive-Free Testing – Pascal Cuoq, chief scientist and co-founder of TrustInSoft, a company that uses the Frama-C platform to guarantee software has no flaws, will receive a grant to build an open source TIS Interpreter, including all the extensions necessary to support the false-positive-free operation on OpenSSL. This work is based on TIS Analyzer, a commercial software analysis tool based on Frama-C, the extensible open-source framework for source code analysis. One issue impairing TIS Analyzer’s widespread adoption is that it occasionally produces false positives: it can report security errors that are actually false alarms.

Cuoq’s new project supports a new flavor of TIS Analyzer named “TIS Interpreter” and a methodology that detects bugs with no false positives. Thus, any bug that is reported actually needs to be fixed. American Fuzzy Lop fuzzer will be used to automatically generate new test cases for OpenSSL from which TIS interpreter can detect bugs.

TIS Interpreter, expected to be released as open source software in early 2016, will use existing test cases to detect bugs with no false positives, which saves developers’ time. CII is investing $192,000 in this work, which combines existing technologies to test this new technique on OpenSSL, so that, if successful, it can be extended to other open source software to help developers better identify potential bugs and improve security.