Now that its codebase is finally viewed as stable, OpenSSL is getting a good top-to-bottom once-over in the form of a sweeping audit.
It’s been close to a year since the Heartbleed bug sent the Internet into a frenzy over security. It spurred the software industry to rally behind OpenSSL—sending in more developers, overhauling its security practices, and laying out a revised road map for the ailing cryptographic library underlying much of the Web.
As part of the Linux Foundation’s Core Infrastructure Initiative (CII), the foundation and the Open Crypto Audit Project (OCAP) are sponsoring and organizing what may arguably be the highest-profile audit of a piece of open-source software in history. The audit itself will be conducted by the information assurance organization NCC Group, and its security research arm, Cryptography Services, will carry out the code review.
In the Cryptography Services announcement, the audit team stated it will focus primarily on the TLS stacks, covering protocol flow, state transitions and memory management, while also taking a look at BIOs and the most prominent cryptographic algorithms, and setting up fuzzers for the ASN.1 and X.509 parsers. According to OpenSSL’s Open HUB project page, the implementation currently consists of 447,247 lines of code written in 14 programming languages. Tom Ritter, practice director and principal security consultant for the NCC Group, explained how the audit team meticulously prepared for the task.
“From the first time OCAP posed it to us, we started by sitting down and listing every single thing we could find in OpenSSL,” he said. “There’s so much in there people don’t even realize, like an HTTP server that’s not actually used anywhere on the Internet. We tried to figure out what was most critical, most deployed, most network-facing versus local access-based. We drew lines around all of that—things to include and exclude, stuff in the middle—to figure out what we’ll try to cover and which parts of the code we can leave out of the scope.”
Cryptography Services has spent the past several months planning out the audit and consulting with OCAP and the OpenSSL team to lay out an initial plan of action for it. The audit will begin in mid-spring, and Ritter said the completion date is tentatively targeted for mid-summer. They’ll likely take a break sometime in the middle of the project, he said, to discuss the state of the audit with the OCAP review board.
Ritter gave a glimpse of what the atmosphere will be like inside the audit room.
“We’re going to be using really large whiteboards, for sure,” he said. “There will be a lot of manual code review and tracing of function calls, along with a lot of automated testing mostly with tools we’ve written ourselves. So we’re going to take a multi-faceted approach, looking at it from both the automated and the manual side.”
The larger security initiative at play
The OpenSSL audit is only one facet of the comprehensive strategy underway by the Linux Foundation, the CII and the OpenSSL team to fix the critical open-source implementation and Web security protocols as a whole. The CII is also funding two full-time OpenSSL developers, and is currently supporting not just OpenSSL but the GnuPG, OpenSSH and NTP open-source tools and protocols as well.
The foundation is also working on a Core Infrastructure Census and security best practices.
“OpenSSL is one of the most important and ubiquitous open-source projects in the world, used in literally billions of servers and devices,” said Jim Zemlin, executive director of the Linux Foundation. “Given the issues raised by Heartbleed and the acknowledgment that the code had not received sufficient attention for years, CII felt that an external audit could help surface additional insight and add confidence in the quality of the code.”
Zemlin explained that the audit is complementary to everything else the CII is doing, and now that OpenSSL has a stable codebase, any issues the audit uncovers could potentially apply not only to OpenSSL itself, but to parallel forks of the SSL/TLS scheme such as OpenBSD’s LibreSSL as well.
“An audit is only one of the areas in which CII is investing,” said Zemlin. “Auditing is expensive and is not guaranteed to find all issues, but is appropriate for the highest-impact projects. CII is working on other infrastructure tools that can be useful for projects of all sizes.”
NCC’s Ritter said CII has been the big backer behind the larger movement, driving the formation of this coalition behind the OpenSSL audit while also supporting its other infrastructure and testing initiatives. OCAP was brought in specifically on the audit side to guide the auditing proposal and review process through the input of its technical advisory board.
“Auditing is important, but if that was the only thing the Core Infrastructure Initiative did, it wouldn’t be nearly as successful,” said Ritter. “There are a lot of components in the software development life cycle, and auditing fits in there along with things like regression testing, interoperability review, testing on different platforms, etc.”
Looking ahead to the task at hand, Ritter said the audit team wants to make an impact beyond just fixing the immediate issues in OpenSSL. Cryptography Services wants to release the tooling and test cases it builds for larger computational efforts, so that others can run these experimental tools at scale against new and existing OpenSSL code, as well as against other open-source projects and TLS stacks, to help secure the broader Internet.
An audit on this scale breeds opportunity for research and experimentation, and Ritter believed the coming changes to OpenSSL have the potential to impact not just Web servers, but also embedded clients, the Internet of Things and other interconnected devices running the protocol. As more and more things connected to the Internet are forced to deal with ever-more sophisticated malware attacks, he said it’s imperative to ensure client security is as strong as it can be.
“People have looked at OpenSSL before and reported bugs, but this is the first real overarching audit on a dedicated timeline to review portions of the codebase and audit it for security vulnerabilities,” said Ritter. “It complements a lot of the work that’s been done both in an ad hoc manner and by academic institutions, but the breadth and the scope of this audit is pretty unique, and as far as I’m aware, has never been done before on this scale for OpenSSL.”