Tooling is expensive. Building tools that open source projects can rely on is very expensive. But tooling scales and investments in tooling pay off in improved security and verifiability in multiple projects.
Tooling enables participation. CII will advance tooling through a mixture of grants and organic projects. The good new is that there are great tools already available to open source projects! For example:
- github already provides great project and issues hosting
- scan.coverity.com allows two free scans per project per week
- Travis CI and Circle CI already provide free per-commit continuous integration platforms
The Core Infrastructure Tooling Project is focused on the following types of approaches to improving security of open source projects:
- Auditing (for example, the OpenSSL audit project)
- Test Suites
- Reproducible builds
- Frama-C false positive free scans
- Fuzzing
Auditing
The OpenSSL audit is underway. Auditing is the gold standard for the Core Infrastructure Initiative because open source projects often do not have the resources to audit themselves. Auditing finds critical bugs that may not be found any other way, however, auditing is very expensive, time consuming, and, of course, only finds a subset of the bugs, so it can’t be the only tool in the toolbelt.
Test Suites
Positive and negative test suites provide long term dividends. Projects like Frankencert provide inspiration for this aspect of the Tooling project. This is an area of the Core Infrastructure Initiative that is just now getting underway. More information is coming soon!
Reproducible Builds
Lack of reproducible builds means that the compromise of a single build server could have a devastating impact because it becomes impossible to independently verify that the binaries have not been tampered. Binary reproducibility should become an expected attribute of free source software distributions. CII has provided a grant to Holger Levsen and Jeremy Bobbio to help advance their work with the Debian project and address this issue. Read more about the grant.
Frama-C False-Positive-Free Checking
Frama-C is a highly respected static checker. When used with test cases and modified Unix standard functions, it is able to detect bugs without false positives.
Fuzzing
Hanno Böck’s Fuzzing Project uses zzuf, Address Sanitizer and american fuzzy lop to find bugs in open source projects. The project’s main goals are to convert fuzzer output into reproducible test cases and to train new developers to become expert fuzzers. CII has provided a grant to Hanno Böck to help accelerate this work. Read more about the grant.
