The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation, announced on Monday that it has committed financial support of nearly $500,000 for three new projects to better support critical security elements of the Internet.
Launched in 2014 as the industry’s response to the Heartbleed crisis, the initiative aims to bring technology companies together to identify and fund open source projects that are widely used in core computing and Internet functions.
With OpenSSL, Network Time Protocol (NTP) and OpenSSH as the first projects to receive support from the initiative, the CII’s latest support will be put toward a new open source automated testing project, the Reproducible Builds initiative from Debian, and IT security researcher Hanno Böck’s Fuzzing Project.
“The CII provides funding for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support,” the Linux Foundation Explained.
Here is an overview of the latest CII Grants and Projects announced by The Linux Foundation:
Reproducible Builds – For distributions like Debian and Fedora, it is essential that the machines used to build binaries distributed to users have not been compromised by unknown attackers. Reproducible builds enable anyone to reproduce bit by bit identical binary packages from a given source, thus enabling anyone to independently verify that a binary matches the source code from which it was said it was derived. Without it, even with software containing carefully audited source code, it is much harder to detect if binaries have been tampered with before they get in the hands of users.
Compiler output usually differs from one version to another. Even when reproducing the original build environment as closely as possible, specific information about the process such as date and time or ordering of files can introduce hard-to-understand variations in the build results. Enabling easy ways to record and restore a given build environment and making the compilation processes fully deterministic by removing or normalizing variations allows anyone to verify for themselves that the file they received was exactly what the developers intended.
Debian developers Holger Levsen and Jérémy Bobbio are steering an effort to eliminate unneeded variations from the build processes of thousands of free software projects, as well as provide tools to understand the source of these differences and update the infrastructure to allow developers to independently verify the authenticity of binary distributions.
Ensuring that no flaws are introduced during the build process greatly improves software security and control. This work has already made significant progress in Debian, and they are making their tools available for Fedora, Ubuntu, OpenWrt and other distributions as well. CII’s $200,000 grant will allow Levsen and Bobbio to meaningfully advance their Debian work and collaborate more closely with other distributions.
The Fuzzing Project – The fuzzing software testing technique is a powerful mechanism to identify security problems in software or computer systems. Security researcher Hanno Böck spearheads The Fuzzing Project, coordinating fuzzing efforts for open source software. Many vulnerabilities in well-known software, including several GnuPG and OpenSSL bugs reported lately, were found by Böck’s effort. He will receive $60,000 from CII to continue his work finding and reporting fuzzer-related issues in open source software. He works on improving and documenting the tools and methods to automatically find large quantities of bugs in software.
False-Positive-Free Testing – Pascal Cuoq, chief scientist and co-founder of TrustInSoft, a company that uses the Frama-C platform to detect software flaws, will receive a grant to build an open source TIS Interpreter, including all the extensions necessary to support the false-positive-free operation on OpenSSL. This work is based on TIS Analyzer, a commercial software analysis tool based on Frama-C, the extensible open-source framework for source code analysis. One issue impairing TIS Analyzer’s widespread adoption is that it occasionally produces false positives: it can report security errors that are actually false alarms. Cuoq’s new project supports a new flavor of TIS Analyzer named “TIS Interpreter” and a methodology that detects bugs with no false positives. Thus, any bug that is reported actually needs to be fixed. American Fuzzy Lop fuzzer will be used to automatically generate new test cases for OpenSSL from which TIS interpreter can detect bugs.
TIS Interpreter, expected to be released as open source software in early 2016, will use existing test cases to detect bugs with no false positives, which saves developers’ time. CII is investing $192,000 in this work, which combines existing technologies to test this new technique on OpenSSL, so that, if successful, it can be extended to other open source software to help developers better identify potential bugs and improve security.
In addition to announcing support for the three projects, The Linux Foundation announced that Emily Ratliff is joining The Linux Foundation as senior director of infrastructure security for CII.
Ratliff is a Linux, system and cloud security expert with more than 20 years’ experience, most recently working as a security engineer for AMD and spent nearly 15 years at IBM.
“While each project we’re announcing funding for today is quite different, each is critical to our global computing infrastructure and cybersecurity,” said Jim Zemlin, Executive Director of The Linux Foundation. “These new grants, combined with the stellar addition of Emily, mean CII is well-positioned to address critical infrastructure vulnerabilities in the months and years ahead. Emily’s extensive Linux security experience and standards involvement will be a major asset to CII’s work as we move beyond point-fixes toward more holistic solutions for open source security.”
The multi-million dollar initiative was originally funded by a roster of tech giants, including Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace and VMware. The members represent a wide swath of the industry, from cloud hosting and services, hardware, software, storage, Internet services, and networking. Bloomberg, Adobe, Huawei, HP and salesforce.com have also showed support for the initiative.