CII takes steps to make open-source software safer

The Linux Foundation's Core Infrastructure Initiative is taking on three new major open-source security projects and Linux security expert Emily Ratliff has been hired to oversee CII.
Written by Steven Vaughan-Nichols, Senior Contributing Editor
Open-source software may be safer in general than proprietary software, but in particular cases it can fail just as badly. Heartbleed, FREAK and Logjam, to name just three major TLS security problems that hit OpenSSL among other implementations, have all shown that. To stop such problems before they appear, the Linux Foundation's Core Infrastructure Initiative (CII) has funded three new security projects with just under half a million dollars: a new open-source automated testing project, the Reproducible Builds initiative, and IT security researcher Hanno Böck's Fuzzing Project. In addition, The Linux Foundation announced that Emily Ratliff, a Linux, system and cloud security expert with more than 20 years of experience at AMD and IBM, will oversee CII as its senior director of infrastructure security.

Reproducible Builds: The goal of Reproducible Builds is to enable anyone to reproduce bit-for-bit identical binaries from a program's source code. This lets developers independently verify that a binary actually comes from the source code it claims to.

Today, that's very difficult. Compiler output usually differs from one version to the next, and even when a programmer reproduces the original build environment as closely as possible, trivial variations such as the date and time of the build, absolute paths, or the order in which files are read can produce different binaries. This project's aim is to make it easy to record and restore specific build environments and to make the compilation process fully deterministic by removing or normalizing those variations.

Debian developers Holger Levsen and Jérémy Bobbio are steering this major effort to eliminate unneeded variations from the build processes of thousands of free-software projects. They are also creating tools to pin down the source of any remaining differences and updating the infrastructure so that developers can independently verify the authenticity of binary distributions.

Being able to verify that nothing was introduced during the build process, whether by a compromised build machine or a tampered toolchain, greatly improves software security and control. This work has already made significant progress in Debian, and the tools are being made available for Fedora, Ubuntu, OpenWrt and other Linux distributions.
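The two most common sources of variation the paragraphs above describe, file timestamps and the archive's own header, are easy to see on a single machine. The script below is an added example, not code from CII or the Reproducible Builds project: it packs the same tiny constructed source tree twice with mtimes a day apart, first naively and then with the normalizations reproducible-builds tooling applies (mtimes pinned to SOURCE_DATE_EPOCH, members sorted by name, owner and group zeroed, gzip told not to store a timestamp). The default SOURCE_DATE_EPOCH value and the tree contents are arbitrary constants chosen for the example; it assumes GNU tar 1.28 or later (for --sort), GNU gzip and GNU coreutils.

```shell
#!/bin/sh
# Added example, not code from CII or the Reproducible Builds project: show
# how file mtimes and the gzip header make a naively built archive
# non-reproducible, then remove those variations the way reproducible-builds
# tooling does (pinned mtimes, sorted members, no owner, no gzip timestamp).
# Assumes GNU tar >= 1.28 (--sort), GNU gzip and GNU coreutils (sha256sum,
# touch -d @SECONDS), i.e. a typical Linux box.
set -eu

# Pinned timestamp, following the SOURCE_DATE_EPOCH convention; the default
# below is an arbitrary constant chosen for this example.
SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-1432857600}
export SOURCE_DATE_EPOCH

# Write a tiny constructed "source tree" under $1.
make_tree() {
  mkdir -p "$1/src"
  printf 'int main(void) { return 0; }\n' > "$1/src/main.c"
  printf 'all:\n\tcc -o app src/main.c\n' > "$1/Makefile"
}

# Naive packaging: tar records each member's current mtime, uid/gid and
# user name, and gzip stores the compression time in its header.
naive_pack() {        # $1 = tree, $2 = output .tar.gz
  (cd "$1" && tar -cf - .) | gzip -c > "$2"
}

# Normalized packaging: every mtime pinned to SOURCE_DATE_EPOCH, members
# sorted by name so readdir order is irrelevant, owner/group zeroed, and
# gzip -n so no timestamp or file name lands in the gzip header.
reproducible_pack() { # $1 = tree, $2 = output .tar.gz
  (cd "$1" && tar --sort=name --mtime="@${SOURCE_DATE_EPOCH}" \
                  --owner=0 --group=0 --numeric-owner -cf - .) \
    | gzip -n -c > "$2"
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Build identical trees twice, but with mtimes one day apart (as two
# builders who checked out the same source on different days would have),
# pack each with the chosen method and report whether the archives match.
# Prints "match" or "differ".
compare_builds() {    # $1 = naive | reproducible
  work=$(mktemp -d)
  for n in 1 2; do
    make_tree "$work/tree$n"
    # constructed checkout times: 2015-06-01 for tree1, 2015-06-02 for tree2
    find "$work/tree$n" -exec touch -d "@$((1433116800 + n * 86400))" {} +
    "${1}_pack" "$work/tree$n" "$work/build$n.tar.gz"
  done
  if [ "$(sha256_of "$work/build1.tar.gz")" = "$(sha256_of "$work/build2.tar.gz")" ]; then
    echo match
  else
    echo differ
  fi
  rm -rf "$work"
}

echo "naive packaging:      $(compare_builds naive)"        # differ
echo "normalized packaging: $(compare_builds reproducible)" # match
```

The naive archives differ even though the source is identical, purely because of metadata; the normalized ones hash the same, which is exactly the property that lets a third party rebuild a package and compare checksums. Real builds have further sources of variation (build paths embedded in debug info, locale-dependent sort order, parallel build races), which is why the project's tooling goes well beyond these tar and gzip flags.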

The Fuzzing Project: Fuzzing is a software testing technique that automatically feeds semi-random, often mutated, input into a program and watches for crashes, hangs and memory errors. In its classic form it is black-box testing that needs no knowledge of the program's internals; coverage-guided fuzzers such as American Fuzzy Lop instead instrument the program to learn which inputs reach new code and mutate those further.

Security researcher Hanno Böck spearheads the Fuzzing Project, which coordinates fuzzing of open-source software. It has already found many vulnerabilities in well-known programs such as GnuPG and OpenSSL. The project's immediate goal is to improve and document fuzzing tools.

False Positive Free Testing: Pascal Cuoq, chief scientist and co-founder of TrustInSoft, will receive a grant to build an open-source TIS Interpreter. It will be derived from TIS Analyzer, a commercial software analysis tool based on Frama-C, the open-source analysis platform for C. The interpreter works by executing a C program statement by statement from beginning to end on a given input, checking at each statement whether the program invokes undefined behavior (an out-of-bounds access, a read of uninitialized memory, a signed-integer overflow, and so on).

Historically, TIS Analyzer and other static analyzers built on Frama-C can produce false positives: warnings about behavior the program can never actually exhibit. Because the interpreter runs concrete inputs rather than reasoning about all possible ones, any undefined behavior it reports occurred on a real execution. The goal of the new program is therefore a methodology that detects bugs without false positives, so that any bug it reports is a real bug.

American Fuzzy Lop will be used to automatically generate new test cases for OpenSSL, which the TIS Interpreter will then execute to detect bugs. The combination matters because much undefined behavior, such as an out-of-bounds read of a few bytes, does not crash the natively compiled program and so goes unnoticed by the fuzzer alone; run under the interpreter, the same input is flagged at the offending statement. The open-source version of the TIS Interpreter is expected to be released in early 2016 and will target OpenSSL. If successful, it will be extended to other open-source programs.

"While each project we're announcing funding for today is quite different, each is critical to our global computing infrastructure and cyber-security. These new grants, combined with the stellar addition of Emily, mean CII is well positioned to address critical infrastructure vulnerabilities in the months and years ahead," said Jim Zemlin, The Linux Foundation's executive director, in a statement. He concluded: "Emily's extensive Linux security experience and standards involvement will be a major asset to CII's work as we move beyond point fixes toward more holistic solutions for open-source security."

The CII was founded in 2014 to fortify the security of key open-source projects. CII accepts grant applications, with priority given to underfunded open-source projects that support the largest amount of infrastructure. A steering committee meets quarterly to review security proposals. To submit a grant application or ask for more information, go to the CII site.
