SlideShare uma empresa Scribd logo

curl security - curl up 2022

Daniel Stenberg
Daniel Stenberg

A look at where we are in regards to security in the curl project. Can we do more/better ?

Software
1 de 24
Baixar para ler offline
curl security, past and present, attacks and mitigations Daniel Stenberg 2022
Safe code is not a coincidence Doesn’t happen randomly, we need to work on it! We care about it! @bagder
@bagder Clean Code Review Test Verify Bug bounty Act on mistakes
curl CI 100+ builds and test “rounds” per commit Tests code style, indenting etc Thousands of tests per build Builds and tests on tens of platforms 20-25 hours of CI per commit @bagder @bagder
Writing test cases should be easy A curl test case is a single file in a human readable well-documented format • conditions and features needed to run • what command (line) to run • what the test wants returned from a server • how the protocol exchange should look like • stdout and stderr contents • expected error code • … and more @bagder
Custom test servers We avoid using “real” servers for testing Test servers are as dumb as possible Controlled from the test case what it should send and expect Allows “crazy” behaviors and send/receive “anything” Makes the test servers smaller and simpler Helps with test suite portability TLS is done by stunnel-fronting Servers run on random port numbers @bagder
Tools of the trade Valgrind Clang sanitizers Clang tidy “torture tests” Scan-build Lgtm Lift CodeQL Monocle AI Deepcode AI Coverity Zuul CI Appveyor Cirrus CI Circle CI Github Actions Azure Pipelines Buildbots OSS-Fuzz CI-fuzz @bagder @bagder
Torture tests – error injection Build with a debug option Use wrapper functions for fallible functions Each wrapper function can optionally return error The complete individual test case is first run once count fallible function invokes rerun the test case that number of times and for each iteration make next fallible function fail Verify nothing crashed and no memory leaked Repeat for all tests @bagder
Source code policy Fix all warnings (eye roll) No defects left Use the strictest and most picky options As many tests as possible Fix security issues as soon as possible @bagder @bagder
A million build combos, 86 OSes and 22 CPUs Testing all combinations is simply not possible Test the common setups Test on as many platforms as possible Test on several different CPU architectures “white spots” in test coverage handled by review Users keep finding untested areas and build combinations @bagder
The curl bug-bounty https://hackerone.com/curl Collaboration with the Internet Bug Bounty Has paid 40,900 USD so far @bagder
Code audit pending via OSTIF: Open Source Technology Improvement Fund sponsored by OpenSSF performed by Trail of Bits during September 2022 @bagder
@bagder
@bagder
@bagder
@bagder
Fixed in next version @bagder
@bagder
But does it work? 10 billion installations is no proof ★ Maybe decreasing number of CVEs introduced ★ Decreasing number of OSS-Fuzz reports over time ★ manageable(?) number of C mistakes ★ Increasing bounty rewards @bagder
introduced “dynbuf” @bagder
@bagder
Commonalities in recent CVEs Connection reuse x 4 Metalink x 2 trailing dot x 2 redirects leak sensitive data x 2 … no clear trends @bagder
Daniel Stenberg @bagder https://daniel.haxx.se/ Thank you! Questions? @bagder
License This presentation and its contents are licensed under the Creative Commons Attribution 4.0 license: http://creativecommons.org/licenses/by/4.0/ @bagder

Recomendados

Testing curl for security
Testing curl for securityTesting curl for security
Testing curl for security
Daniel Stenberg
 
Code quality par Simone Civetta
Code quality par Simone CivettaCode quality par Simone Civetta
Code quality par Simone Civetta
CocoaHeads France
 
АНДРІЙ ШУМАДА «To Cover Uncoverable» Online WDDay 2022 js
АНДРІЙ ШУМАДА «To Cover Uncoverable» Online WDDay 2022 jsАНДРІЙ ШУМАДА «To Cover Uncoverable» Online WDDay 2022 js
АНДРІЙ ШУМАДА «To Cover Uncoverable» Online WDDay 2022 js
WDDay
 
"To cover uncoverable", Andrii Shumada
"To cover uncoverable", Andrii Shumada"To cover uncoverable", Andrii Shumada
"To cover uncoverable", Andrii Shumada
Fwdays
 
Testing in a glance
Testing in a glanceTesting in a glance
Testing in a glance
Rajesh Kumar
 
Groovy In the Cloud
Groovy In the CloudGroovy In the Cloud
Groovy In the Cloud
Jim Driscoll
 
Writing safe and secure code
Writing safe and secure codeWriting safe and secure code
Writing safe and secure code
Daniel Stenberg
 
CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019
Olivera Milenkovic
 

Recomendados

Testing curl for security
Testing curl for securityTesting curl for security
Testing curl for security
Daniel Stenberg
 
Code quality par Simone Civetta
Code quality par Simone CivettaCode quality par Simone Civetta
Code quality par Simone Civetta
CocoaHeads France
 
АНДРІЙ ШУМАДА «To Cover Uncoverable» Online WDDay 2022 js
АНДРІЙ ШУМАДА «To Cover Uncoverable» Online WDDay 2022 jsАНДРІЙ ШУМАДА «To Cover Uncoverable» Online WDDay 2022 js
АНДРІЙ ШУМАДА «To Cover Uncoverable» Online WDDay 2022 js
WDDay
 
"To cover uncoverable", Andrii Shumada
"To cover uncoverable", Andrii Shumada"To cover uncoverable", Andrii Shumada
"To cover uncoverable", Andrii Shumada
Fwdays
 
Testing in a glance
Testing in a glanceTesting in a glance
Testing in a glance
Rajesh Kumar
 
Groovy In the Cloud
Groovy In the CloudGroovy In the Cloud
Groovy In the Cloud
Jim Driscoll
 
Writing safe and secure code
Writing safe and secure codeWriting safe and secure code
Writing safe and secure code
Daniel Stenberg
 
CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019
Olivera Milenkovic
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
sedukull
 
GPCE16: Automatic Non-functional Testing of Code Generators Families
GPCE16: Automatic Non-functional Testing of Code Generators FamiliesGPCE16: Automatic Non-functional Testing of Code Generators Families
GPCE16: Automatic Non-functional Testing of Code Generators Families
Mohamed BOUSSAA
 
Testing distributed systems in production
Testing distributed systems in productionTesting distributed systems in production
Testing distributed systems in production
Paul Bakker
 
A. Sirota "Building an Automation Solution based on Appium"
A. Sirota "Building an Automation Solution based on Appium"A. Sirota "Building an Automation Solution based on Appium"
A. Sirota "Building an Automation Solution based on Appium"
DataArt
 
LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)
LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)
LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)
Bitbar
 
Clean Infrastructure as Code
Clean Infrastructure as CodeClean Infrastructure as Code
Clean Infrastructure as Code
QAware GmbH
 
Resilience Testing
Resilience Testing Resilience Testing
Resilience Testing
Ran Levy
 
Testing
TestingTesting
Testing
thehoagie
 
Fuzzing101 - webinar on Fuzzing Performance
Fuzzing101 - webinar on Fuzzing PerformanceFuzzing101 - webinar on Fuzzing Performance
Fuzzing101 - webinar on Fuzzing Performance
Codenomicon
 
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Ukraine
 
Affordable trustworthy-systems
Affordable trustworthy-systemsAffordable trustworthy-systems
Affordable trustworthy-systems
microkerneldude
 
Uber Mobility Meetup: Mobile Testing
Uber Mobility Meetup: Mobile TestingUber Mobility Meetup: Mobile Testing
Uber Mobility Meetup: Mobile Testing
Apple Chow
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
Oleg Gryb
 
How to improve code quality for iOS apps?
How to improve code quality for iOS apps?How to improve code quality for iOS apps?
How to improve code quality for iOS apps?
Kate Semizhon
 
AWS Lambda from the trenches
AWS Lambda from the trenchesAWS Lambda from the trenches
AWS Lambda from the trenches
Yan Cui
 
Hyperchem Ma, badbarcode en_1109_nocomment-final
Hyperchem Ma, badbarcode en_1109_nocomment-finalHyperchem Ma, badbarcode en_1109_nocomment-final
Hyperchem Ma, badbarcode en_1109_nocomment-final
PacSecJP
 
Cleaner Code Through Test-Driven Development
Cleaner Code Through Test-Driven DevelopmentCleaner Code Through Test-Driven Development
Cleaner Code Through Test-Driven Development
All Things Open
 
Proving the Security of Low-Level Software Components & TEEs
Proving the Security of Low-Level Software Components & TEEsProving the Security of Low-Level Software Components & TEEs
Proving the Security of Low-Level Software Components & TEEs
Ashley Zupkus
 
mastering the curl command line.pdf
mastering the curl command line.pdfmastering the curl command line.pdf
mastering the curl command line.pdf
DanielStenberg7
 
Sonar Review
Sonar ReviewSonar Review
Sonar Review
Kate Semizhon
 
mastering libcurl part 2
mastering libcurl part 2mastering libcurl part 2
mastering libcurl part 2
Daniel Stenberg
 
mastering libcurl part 1
mastering libcurl part 1mastering libcurl part 1
mastering libcurl part 1
Daniel Stenberg
 

Mais conteúdo relacionado

Semelhante a curl security - curl up 2022

GPCE16: Automatic Non-functional Testing of Code Generators Families
GPCE16: Automatic Non-functional Testing of Code Generators FamiliesGPCE16: Automatic Non-functional Testing of Code Generators Families
GPCE16: Automatic Non-functional Testing of Code Generators Families
Mohamed BOUSSAA
 
A. Sirota "Building an Automation Solution based on Appium"
A. Sirota "Building an Automation Solution based on Appium"A. Sirota "Building an Automation Solution based on Appium"
A. Sirota "Building an Automation Solution based on Appium"
DataArt
 
Clean Infrastructure as Code
Clean Infrastructure as CodeClean Infrastructure as Code
Clean Infrastructure as Code
QAware GmbH
 
Fuzzing101 - webinar on Fuzzing Performance
Fuzzing101 - webinar on Fuzzing PerformanceFuzzing101 - webinar on Fuzzing Performance
Fuzzing101 - webinar on Fuzzing Performance
Codenomicon
 
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Ukraine
 
Hyperchem Ma, badbarcode en_1109_nocomment-final
Hyperchem Ma, badbarcode en_1109_nocomment-finalHyperchem Ma, badbarcode en_1109_nocomment-final
Hyperchem Ma, badbarcode en_1109_nocomment-final
PacSecJP
 

Semelhante a curl security - curl up 2022 (20)

Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
GPCE16: Automatic Non-functional Testing of Code Generators Families
GPCE16: Automatic Non-functional Testing of Code Generators FamiliesGPCE16: Automatic Non-functional Testing of Code Generators Families
GPCE16: Automatic Non-functional Testing of Code Generators Families
 
Testing distributed systems in production
Testing distributed systems in productionTesting distributed systems in production
Testing distributed systems in production
 
A. Sirota "Building an Automation Solution based on Appium"
A. Sirota "Building an Automation Solution based on Appium"A. Sirota "Building an Automation Solution based on Appium"
A. Sirota "Building an Automation Solution based on Appium"
 
LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)
LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)
LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)
 
Clean Infrastructure as Code
Clean Infrastructure as CodeClean Infrastructure as Code
Clean Infrastructure as Code
 
Resilience Testing
Resilience Testing Resilience Testing
Resilience Testing
 
Testing
TestingTesting
Testing
 
Fuzzing101 - webinar on Fuzzing Performance
Fuzzing101 - webinar on Fuzzing PerformanceFuzzing101 - webinar on Fuzzing Performance
Fuzzing101 - webinar on Fuzzing Performance
 
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
 
Affordable trustworthy-systems
Affordable trustworthy-systemsAffordable trustworthy-systems
Affordable trustworthy-systems
 
Uber Mobility Meetup: Mobile Testing
Uber Mobility Meetup: Mobile TestingUber Mobility Meetup: Mobile Testing
Uber Mobility Meetup: Mobile Testing
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
How to improve code quality for iOS apps?
How to improve code quality for iOS apps?How to improve code quality for iOS apps?
How to improve code quality for iOS apps?
 
AWS Lambda from the trenches
AWS Lambda from the trenchesAWS Lambda from the trenches
AWS Lambda from the trenches
 
Hyperchem Ma, badbarcode en_1109_nocomment-final
Hyperchem Ma, badbarcode en_1109_nocomment-finalHyperchem Ma, badbarcode en_1109_nocomment-final
Hyperchem Ma, badbarcode en_1109_nocomment-final
 
Cleaner Code Through Test-Driven Development
Cleaner Code Through Test-Driven DevelopmentCleaner Code Through Test-Driven Development
Cleaner Code Through Test-Driven Development
 
Proving the Security of Low-Level Software Components & TEEs
Proving the Security of Low-Level Software Components & TEEsProving the Security of Low-Level Software Components & TEEs
Proving the Security of Low-Level Software Components & TEEs
 
mastering the curl command line.pdf
mastering the curl command line.pdfmastering the curl command line.pdf
mastering the curl command line.pdf
 
Sonar Review
Sonar ReviewSonar Review
Sonar Review
 

Mais de Daniel Stenberg

HTTP/3 for everyone
HTTP/3 for everyoneHTTP/3 for everyone
HTTP/3 for everyone
Daniel Stenberg
 

Mais de Daniel Stenberg (20)

mastering libcurl part 2
mastering libcurl part 2mastering libcurl part 2
mastering libcurl part 2
 
mastering libcurl part 1
mastering libcurl part 1mastering libcurl part 1
mastering libcurl part 1
 
curl - openfourm europe.pdf
curl - openfourm europe.pdfcurl - openfourm europe.pdf
curl - openfourm europe.pdf
 
curl experiments - curl up 2022
curl experiments - curl up 2022curl experiments - curl up 2022
curl experiments - curl up 2022
 
HTTP/3 in curl - curl up 2022
HTTP/3 in curl - curl up 2022HTTP/3 in curl - curl up 2022
HTTP/3 in curl - curl up 2022
 
The state of curl 2022
The state of curl 2022The state of curl 2022
The state of curl 2022
 
Let me tell you about curl
Let me tell you about curlLet me tell you about curl
Let me tell you about curl
 
Curl with rust
Curl with rustCurl with rust
Curl with rust
 
Getting started with libcurl
Getting started with libcurlGetting started with libcurl
Getting started with libcurl
 
HTTP/3 is next generation HTTP
HTTP/3 is next generation HTTPHTTP/3 is next generation HTTP
HTTP/3 is next generation HTTP
 
Landing code in curl
Landing code in curlLanding code in curl
Landing code in curl
 
common mistakes when using libcurl
common mistakes when using libcurlcommon mistakes when using libcurl
common mistakes when using libcurl
 
HTTP/3 in curl 2020
HTTP/3 in curl 2020HTTP/3 in curl 2020
HTTP/3 in curl 2020
 
The state of curl 2020
The state of curl 2020The state of curl 2020
The state of curl 2020
 
curl roadmap 2020
curl roadmap 2020curl roadmap 2020
curl roadmap 2020
 
curl better
curl bettercurl better
curl better
 
HTTP/3 for everyone
HTTP/3 for everyoneHTTP/3 for everyone
HTTP/3 for everyone
 
HTTP/3, QUIC and streaming
HTTP/3, QUIC and streamingHTTP/3, QUIC and streaming
HTTP/3, QUIC and streaming
 
HTTP/3 in curl
HTTP/3 in curlHTTP/3 in curl
HTTP/3 in curl
 
HTTP/3 over QUIC. All is new but still the same!
HTTP/3 over QUIC. All is new but still the same!HTTP/3 over QUIC. All is new but still the same!
HTTP/3 over QUIC. All is new but still the same!
 

Último

Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
MyIntelliSource, Inc.
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Alberto González Trastoy
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
harshavardhanraghave
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
anilsa9823
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 

Último (20)

Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 

curl security - curl up 2022

  • 1. curl security, past and present, attacks and mitigations Daniel Stenberg 2022
  • 2. Safe code is not a coincidence Doesn’t happen randomly, we need to work on it! We care about it! @bagder
  • 4. curl CI 100+ builds and test “rounds” per commit Tests code style, indenting etc Thousands of tests per build Builds and tests on tens of platforms 20-25 hours of CI per commit @bagder @bagder
  • 5. Writing test cases should be easy A curl test case is a single file in a human readable well-documented format • conditions and features needed to run • what command (line) to run • what the test wants returned from a server • how the protocol exchange should look like • stdout and stderr contents • expected error code • … and more @bagder
  • 6. Custom test servers We avoid using “real” servers for testing Test servers are as dumb as possible Controlled from the test case what it should send and expect Allows “crazy” behaviors and send/receive “anything” Makes the test servers smaller and simpler Helps with test suite portability TLS is done by stunnel-fronting Servers run on random port numbers @bagder
  • 7. Tools of the trade Valgrind Clang sanitizers Clang tidy “torture tests” Scan-build Lgtm Lift CodeQL Monocle AI Deepcode AI Coverity Zuul CI Appveyor Cirrus CI Circle CI Github Actions Azure Pipelines Buildbots OSS-Fuzz CI-fuzz @bagder @bagder
  • 8. Torture tests – error injection Build with a debug option Use wrapper functions for fallible functions Each wrapper function can optionally return error The complete individual test case is first run once count fallible function invokes rerun the test case that number of times and for each iteration make next fallible function fail Verify nothing crashed and no memory leaked Repeat for all tests @bagder
  • 9. Source code policy Fix all warnings (eye roll) No defects left Use the strictest and most picky options As many tests as possible Fix security issues as soon as possible @bagder @bagder
  • 10. A million build combos, 86 OSes and 22 CPUs Testing all combinations is simply not possible Test the common setups Test on as many platforms as possible Test on several different CPU architectures “white spots” in test coverage handled by review Users keep finding untested areas and build combinations @bagder
  • 11. The curl bug-bounty https://hackerone.com/curl Collaboration with the Internet Bug Bounty Has paid 40,900 USD so far @bagder
  • 12. Code audit pending via OSTIF: Open Source Technology Improvement Fund sponsored by OpenSSF performed by Trail of Bits during September 2022 @bagder
  • 17. Fixed in next version @bagder
  • 19. But does it work? 10 billion installations is no proof ★ Maybe decreasing number of CVEs introduced ★ Decreasing number of OSS-Fuzz reports over time ★ manageable(?) number of C mistakes ★ Increasing bounty rewards @bagder
  • 22. Commonalities in recent CVEs Connection reuse x 4 Metalink x 2 trailing dot x 2 redirects leak sensitive data x 2 … no clear trends @bagder
  • 24. License This presentation and its contents are licensed under the Creative Commons Attribution 4.0 license: http://creativecommons.org/licenses/by/4.0/ @bagder