The Core Infrastructure Initiative (CII) and its members have come together to invest in core infrastructure, providing funding for fundamental projects like OpenSSL, OpenSSH, NTPd and others. These impact of these grants was felt immediately, with projects being able to add team members, improve coding best practices, set up predictable release schedules and roadmaps and perform audits to help future proof code. Under the guidance of the Advisory Board, CII is actively researching and identifying new projects that need support and working with established projects to ensure best practices are being followed to help create a culture of secure coding practices. he following is a list of projects that have received grants from CII since its inception. For more information, please contact us. To submit a grant proposal, apply online using the CII grants management solution.

  • False-Positive-Free Testing with Frama-C

    Frama-C is an extensible framework for source code analysis. Pascal Cuoq, co-initiator of the Frama-C project and chief scientist and co-founder of TrustInSoft, a company that uses the Frama-C platform to guarantee software has no flaws, will receive a grant to build an open source TIS Interpreter, including all the extensions necessary to support the false-positive-free operation on OpenSSL. This work is based on TIS Analyzer, a commercial software analysis tool based on Frama-C, the extensible open-source framework for source code analysis. One issue impairing TIS Analyzer's widespread adoption is that it occasionally produces false positives: it can report security errors that are actually false alarms.

    Cuoq's new project supports a new flavor of TIS Analyzer named “TIS Interpreter” and a methodology that detects bugs with no false positives. Thus, any bug that is reported actually needs to be fixed. American Fuzzy Lop fuzzer will be used to automatically generate new test cases for OpenSSL from which TIS interpreter can detect bugs.

    TIS Interpreter, expected to be released as open source software in early 2016, will use existing test cases to detect bugs with no false positives, which saves developers’ time. CII is investing in this work, which combines existing technologies to test this new technique on OpenSSL, so that, if successful, it can be extended to other open source software to help developers better identify potential bugs and improve security.

  • GnuPG

    GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known asPGP). GnuPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME and Secure Shell (ssh).

    Support for one developer is being provided with funding from the Core Infrastructure Initiative.

  • Network Time Protocol daemon (ntpd)

    The Network Time Protocol daemon (ntpd) is an operating system program that maintains the system time in synchronization with time servers using the Network Time Protocol (NTP).

    Two part-time developers have been sponsored via a grant from the Core Infrastructure Initiative.

  • OpenSSH

    OpenSSH is an open source implementation of the SSH protocol that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions. Like all software, OpenSSH, has occasionally suffered from avulnerability, and it’s important to continually improve and test the software over time.

    Support for developers and bandwidth is being provided with funding from the Core Infrastructure Initiative.

  • OpenSSL

    The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

    With support from the Core Infrastructure Initiative, two full-time OpenSSL core developers have been sponsored and a complete audit of OpenSSL has been initiated.

  • OWASP Zed Attack Proxy

    The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help developers and functional testers automatically find security vulnerabilities in web applications while there are being developed and tested. It is also a great tool for experienced pentesters to use for manual security testing.

    With support from the Core Infrastructure Initiative, one full-time ZAP core developer has been sponsored who is focusing on ZAP as a Service - an ambitious plan to allow ZAP to also be used as a long running, highly scalable, distributed service accessed by multiple users with different roles.

  • Reproducible Builds

    For distributions like Debian and Fedora, it is essential that the machines used to build binaries distributed to users have not been compromised by attackers. Reproducible builds enable anyone to reproduce bit by bit identical binary packages from a given source, thus enabling anyone to independently verify that a binary matches the source code from which it was said it was derived. Without it, even with software containing carefully audited source code, it is much harder to detect if binaries have been tampered with before they get in the hands of users.

    Compiler output usually differs from one version to another. Even when reproducing the original build environment as closely as possible, specific information about the process such as date and time or ordering of files can introduce hard-to-understand variations in the build results. Enabling easy ways to record and restore a given build environment and making the compilation processes fully deterministic by removing or normalizing variations allows anyone to verify for themselves that the file they received was exactly what the developers intended.

    Debian developers Holger Levsen and Jérémy Bobbio are steering a large-scale effort to eliminate unneeded variations from the build processes of thousands of free software projects, as well as provide tools to understand the source of these differences and update the infrastructure to allow developers to independently verify the authenticity of binary distributions.

    Ensuring that no flaws are introduced during the build process greatly improves software security and control. This work has already made significant progress in Debian, and they are making their tools available for Fedora, Ubuntu, OpenWrt and other distributions as well.

    You can read more about the project at the Reproducible Builds website. You can see current statistics on Debian's reproducible build project at Overview of various statistics about reproducible builds.

    CII’s grant will allow Levsen and Bobbio to meaningfully advance their Debian work and collaborate more closely with other distributions.

  • The Fuzzing Project

    The fuzzing software testing technique is an easy and powerful way to identify security problems in software. Security researcher Hanno Böck spearheads The Fuzzing Project, coordinating fuzzing efforts for open source software. The project uses zzuf, Address Sanitizer, and american fuzzy lop to find bugs in open source projects. Many well-known vulnerabilities, including several GnuPG and OpenSSL bugs reported earlier this year, were found by Böck’s efforts.

    The grant from CII will enable Böck to continue his work finding and reporting fuzzer-related issues in open source software.

  • The Linux Kernel Self Protection Project

    The Kernel Self Protection Project's mission is to "eliminate classes of bugs and eliminate methods of exploitation." To achieve this mission, the project will work to incorporate a variety of security features into the mainline Linux kernel.

    The Core Infrastructure Initiative is pleased to support development efforts on this project.