SlideShare a Scribd company logo
1 of 24
Download to read offline
curl security, past and
present, attacks and
mitigations
Daniel Stenberg
2022
Safe code is not a coincidence
Doesn’t happen randomly, we need to work on it!
We care about it!
@bagder
@bagder
Clean Code
Review
Test
Verify
Bug bounty
Act on mistakes
curl CI
100+ builds and test “rounds” per commit
Tests code style, indenting etc
Thousands of tests per build
Builds and tests on tens of platforms
20-25 hours of CI per commit
@bagder
@bagder
Writing test cases should be easy
A curl test case is a single file in a human readable
well-documented format
• conditions and features needed to run
• what command (line) to run
• what the test wants returned from a server
• how the protocol exchange should look like
• stdout and stderr contents
• expected error code
• … and more
@bagder
Custom test servers
We avoid using “real” servers for testing
Test servers are as dumb as possible
Controlled from the test case what it should send and expect
Allows “crazy” behaviors and send/receive “anything”
Makes the test servers smaller and simpler
Helps with test suite portability
TLS is done by stunnel-fronting
Servers run on random port numbers
@bagder
Tools of the trade
Valgrind
Clang sanitizers
Clang tidy
“torture tests”
Scan-build
Lgtm
Lift
CodeQL
Monocle AI
Deepcode AI
Coverity
Zuul CI
Appveyor
Cirrus CI
Circle CI
Github Actions
Azure Pipelines
Buildbots
OSS-Fuzz
CI-fuzz
@bagder
@bagder
Torture tests – error injection
Build with a debug option
Use wrapper functions for fallible
functions
Each wrapper function can
optionally return error
The complete individual test case
is first run once
count fallible function invokes
rerun the test case that number of
times and for each iteration make
next fallible function fail
Verify nothing crashed and no
memory leaked
Repeat for all tests
@bagder
Source code policy
Fix all warnings (eye roll)
No defects left
Use the strictest and most picky options
As many tests as possible
Fix security issues as soon as possible
@bagder
@bagder
A million build combos, 86 OSes and 22 CPUs
Testing all combinations is simply not possible
Test the common setups
Test on as many platforms as possible
Test on several different CPU architectures
“white spots” in test coverage handled by review
Users keep finding untested areas and build combinations
@bagder
The curl bug-bounty
https://hackerone.com/curl
Collaboration with the Internet Bug Bounty
Has paid 40,900 USD so far
@bagder
Code audit pending
via OSTIF: Open Source Technology Improvement Fund
sponsored by OpenSSF
performed by Trail of Bits
during September 2022
@bagder
@bagder
@bagder
@bagder
@bagder
Fixed in next version
@bagder
@bagder
But does it work?
10 billion installations is no proof
★ Maybe decreasing number of CVEs introduced
★ Decreasing number of OSS-Fuzz reports over time
★ manageable(?) number of C mistakes
★ Increasing bounty rewards
@bagder
introduced “dynbuf”
@bagder
@bagder
Commonalities in recent CVEs
Connection reuse x 4
Metalink x 2
trailing dot x 2
redirects leak sensitive data x 2
… no clear trends
@bagder
Daniel Stenberg
@bagder
https://daniel.haxx.se/
Thank you!
Questions?
@bagder
License
This presentation and its contents are
licensed under the Creative Commons
Attribution 4.0 license:
http://creativecommons.org/licenses/by/4.0/
@bagder

More Related Content

Similar to curl security - curl up 2022

Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Securitysedukull
 
GPCE16: Automatic Non-functional Testing of Code Generators Families
GPCE16: Automatic Non-functional Testing of Code Generators FamiliesGPCE16: Automatic Non-functional Testing of Code Generators Families
GPCE16: Automatic Non-functional Testing of Code Generators FamiliesMohamed BOUSSAA
 
Testing distributed systems in production
Testing distributed systems in productionTesting distributed systems in production
Testing distributed systems in productionPaul Bakker
 
A. Sirota "Building an Automation Solution based on Appium"
A. Sirota "Building an Automation Solution based on Appium"A. Sirota "Building an Automation Solution based on Appium"
A. Sirota "Building an Automation Solution based on Appium"DataArt
 
LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)
LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)
LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)Bitbar
 
Clean Infrastructure as Code
Clean Infrastructure as CodeClean Infrastructure as Code
Clean Infrastructure as CodeQAware GmbH
 
Resilience Testing
Resilience Testing Resilience Testing
Resilience Testing Ran Levy
 
Fuzzing101 - webinar on Fuzzing Performance
Fuzzing101 - webinar on Fuzzing PerformanceFuzzing101 - webinar on Fuzzing Performance
Fuzzing101 - webinar on Fuzzing PerformanceCodenomicon
 
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...GlobalLogic Ukraine
 
Affordable trustworthy-systems
Affordable trustworthy-systemsAffordable trustworthy-systems
Affordable trustworthy-systemsmicrokerneldude
 
Uber Mobility Meetup: Mobile Testing
Uber Mobility Meetup:  Mobile TestingUber Mobility Meetup:  Mobile Testing
Uber Mobility Meetup: Mobile TestingApple Chow
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 
How to improve code quality for iOS apps?
How to improve code quality for iOS apps?How to improve code quality for iOS apps?
How to improve code quality for iOS apps?Kate Semizhon
 
AWS Lambda from the trenches
AWS Lambda from the trenchesAWS Lambda from the trenches
AWS Lambda from the trenchesYan Cui
 
Hyperchem Ma, badbarcode en_1109_nocomment-final
Hyperchem Ma, badbarcode en_1109_nocomment-finalHyperchem Ma, badbarcode en_1109_nocomment-final
Hyperchem Ma, badbarcode en_1109_nocomment-finalPacSecJP
 
Cleaner Code Through Test-Driven Development
Cleaner Code Through Test-Driven DevelopmentCleaner Code Through Test-Driven Development
Cleaner Code Through Test-Driven DevelopmentAll Things Open
 
Proving the Security of Low-Level Software Components & TEEs
Proving the Security of Low-Level Software Components & TEEsProving the Security of Low-Level Software Components & TEEs
Proving the Security of Low-Level Software Components & TEEsAshley Zupkus
 
mastering the curl command line.pdf
mastering the curl command line.pdfmastering the curl command line.pdf
mastering the curl command line.pdfDanielStenberg7
 

Similar to curl security - curl up 2022 (20)

Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
GPCE16: Automatic Non-functional Testing of Code Generators Families
GPCE16: Automatic Non-functional Testing of Code Generators FamiliesGPCE16: Automatic Non-functional Testing of Code Generators Families
GPCE16: Automatic Non-functional Testing of Code Generators Families
 
Testing distributed systems in production
Testing distributed systems in productionTesting distributed systems in production
Testing distributed systems in production
 
A. Sirota "Building an Automation Solution based on Appium"
A. Sirota "Building an Automation Solution based on Appium"A. Sirota "Building an Automation Solution based on Appium"
A. Sirota "Building an Automation Solution based on Appium"
 
LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)
LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)
LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)
 
Clean Infrastructure as Code
Clean Infrastructure as CodeClean Infrastructure as Code
Clean Infrastructure as Code
 
Resilience Testing
Resilience Testing Resilience Testing
Resilience Testing
 
Testing
TestingTesting
Testing
 
Fuzzing101 - webinar on Fuzzing Performance
Fuzzing101 - webinar on Fuzzing PerformanceFuzzing101 - webinar on Fuzzing Performance
Fuzzing101 - webinar on Fuzzing Performance
 
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
 
Affordable trustworthy-systems
Affordable trustworthy-systemsAffordable trustworthy-systems
Affordable trustworthy-systems
 
Uber Mobility Meetup: Mobile Testing
Uber Mobility Meetup:  Mobile TestingUber Mobility Meetup:  Mobile Testing
Uber Mobility Meetup: Mobile Testing
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
How to improve code quality for iOS apps?
How to improve code quality for iOS apps?How to improve code quality for iOS apps?
How to improve code quality for iOS apps?
 
AWS Lambda from the trenches
AWS Lambda from the trenchesAWS Lambda from the trenches
AWS Lambda from the trenches
 
Hyperchem Ma, badbarcode en_1109_nocomment-final
Hyperchem Ma, badbarcode en_1109_nocomment-finalHyperchem Ma, badbarcode en_1109_nocomment-final
Hyperchem Ma, badbarcode en_1109_nocomment-final
 
Cleaner Code Through Test-Driven Development
Cleaner Code Through Test-Driven DevelopmentCleaner Code Through Test-Driven Development
Cleaner Code Through Test-Driven Development
 
Proving the Security of Low-Level Software Components & TEEs
Proving the Security of Low-Level Software Components & TEEsProving the Security of Low-Level Software Components & TEEs
Proving the Security of Low-Level Software Components & TEEs
 
mastering the curl command line.pdf
mastering the curl command line.pdfmastering the curl command line.pdf
mastering the curl command line.pdf
 
Sonar Review
Sonar ReviewSonar Review
Sonar Review
 

More from Daniel Stenberg

mastering libcurl part 2
mastering libcurl part 2mastering libcurl part 2
mastering libcurl part 2Daniel Stenberg
 
mastering libcurl part 1
mastering libcurl part 1mastering libcurl part 1
mastering libcurl part 1Daniel Stenberg
 
curl - openfourm europe.pdf
curl - openfourm europe.pdfcurl - openfourm europe.pdf
curl - openfourm europe.pdfDaniel Stenberg
 
curl experiments - curl up 2022
curl experiments - curl up 2022curl experiments - curl up 2022
curl experiments - curl up 2022Daniel Stenberg
 
HTTP/3 in curl - curl up 2022
HTTP/3 in curl - curl up 2022HTTP/3 in curl - curl up 2022
HTTP/3 in curl - curl up 2022Daniel Stenberg
 
Let me tell you about curl
Let me tell you about curlLet me tell you about curl
Let me tell you about curlDaniel Stenberg
 
Getting started with libcurl
Getting started with libcurlGetting started with libcurl
Getting started with libcurlDaniel Stenberg
 
HTTP/3 is next generation HTTP
HTTP/3 is next generation HTTPHTTP/3 is next generation HTTP
HTTP/3 is next generation HTTPDaniel Stenberg
 
common mistakes when using libcurl
common mistakes when using libcurlcommon mistakes when using libcurl
common mistakes when using libcurlDaniel Stenberg
 
HTTP/3, QUIC and streaming
HTTP/3, QUIC and streamingHTTP/3, QUIC and streaming
HTTP/3, QUIC and streamingDaniel Stenberg
 
HTTP/3 over QUIC. All is new but still the same!
HTTP/3 over QUIC. All is new but still the same!HTTP/3 over QUIC. All is new but still the same!
HTTP/3 over QUIC. All is new but still the same!Daniel Stenberg
 

More from Daniel Stenberg (20)

mastering libcurl part 2
mastering libcurl part 2mastering libcurl part 2
mastering libcurl part 2
 
mastering libcurl part 1
mastering libcurl part 1mastering libcurl part 1
mastering libcurl part 1
 
curl - openfourm europe.pdf
curl - openfourm europe.pdfcurl - openfourm europe.pdf
curl - openfourm europe.pdf
 
curl experiments - curl up 2022
curl experiments - curl up 2022curl experiments - curl up 2022
curl experiments - curl up 2022
 
HTTP/3 in curl - curl up 2022
HTTP/3 in curl - curl up 2022HTTP/3 in curl - curl up 2022
HTTP/3 in curl - curl up 2022
 
The state of curl 2022
The state of curl 2022The state of curl 2022
The state of curl 2022
 
Let me tell you about curl
Let me tell you about curlLet me tell you about curl
Let me tell you about curl
 
Curl with rust
Curl with rustCurl with rust
Curl with rust
 
Getting started with libcurl
Getting started with libcurlGetting started with libcurl
Getting started with libcurl
 
HTTP/3 is next generation HTTP
HTTP/3 is next generation HTTPHTTP/3 is next generation HTTP
HTTP/3 is next generation HTTP
 
Landing code in curl
Landing code in curlLanding code in curl
Landing code in curl
 
common mistakes when using libcurl
common mistakes when using libcurlcommon mistakes when using libcurl
common mistakes when using libcurl
 
HTTP/3 in curl 2020
HTTP/3 in curl 2020HTTP/3 in curl 2020
HTTP/3 in curl 2020
 
The state of curl 2020
The state of curl 2020The state of curl 2020
The state of curl 2020
 
curl roadmap 2020
curl roadmap 2020curl roadmap 2020
curl roadmap 2020
 
curl better
curl bettercurl better
curl better
 
HTTP/3 for everyone
HTTP/3 for everyoneHTTP/3 for everyone
HTTP/3 for everyone
 
HTTP/3, QUIC and streaming
HTTP/3, QUIC and streamingHTTP/3, QUIC and streaming
HTTP/3, QUIC and streaming
 
HTTP/3 in curl
HTTP/3 in curlHTTP/3 in curl
HTTP/3 in curl
 
HTTP/3 over QUIC. All is new but still the same!
HTTP/3 over QUIC. All is new but still the same!HTTP/3 over QUIC. All is new but still the same!
HTTP/3 over QUIC. All is new but still the same!
 

Recently uploaded

A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfInnovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfYashikaSharma391629
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 

Recently uploaded (20)

A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfInnovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 

curl security - curl up 2022

  • 1. curl security, past and present, attacks and mitigations Daniel Stenberg 2022
  • 2. Safe code is not a coincidence Doesn’t happen randomly, we need to work on it! We care about it! @bagder
  • 4. curl CI 100+ builds and test “rounds” per commit Tests code style, indenting etc Thousands of tests per build Builds and tests on tens of platforms 20-25 hours of CI per commit @bagder @bagder
  • 5. Writing test cases should be easy A curl test case is a single file in a human readable well-documented format • conditions and features needed to run • what command (line) to run • what the test wants returned from a server • how the protocol exchange should look like • stdout and stderr contents • expected error code • … and more @bagder
  • 6. Custom test servers We avoid using “real” servers for testing Test servers are as dumb as possible Controlled from the test case what it should send and expect Allows “crazy” behaviors and send/receive “anything” Makes the test servers smaller and simpler Helps with test suite portability TLS is done by stunnel-fronting Servers run on random port numbers @bagder
  • 7. Tools of the trade Valgrind Clang sanitizers Clang tidy “torture tests” Scan-build Lgtm Lift CodeQL Monocle AI Deepcode AI Coverity Zuul CI Appveyor Cirrus CI Circle CI Github Actions Azure Pipelines Buildbots OSS-Fuzz CI-fuzz @bagder @bagder
  • 8. Torture tests – error injection Build with a debug option Use wrapper functions for fallible functions Each wrapper function can optionally return error The complete individual test case is first run once count fallible function invokes rerun the test case that number of times and for each iteration make next fallible function fail Verify nothing crashed and no memory leaked Repeat for all tests @bagder
  • 9. Source code policy Fix all warnings (eye roll) No defects left Use the strictest and most picky options As many tests as possible Fix security issues as soon as possible @bagder @bagder
  • 10. A million build combos, 86 OSes and 22 CPUs Testing all combinations is simply not possible Test the common setups Test on as many platforms as possible Test on several different CPU architectures “white spots” in test coverage handled by review Users keep finding untested areas and build combinations @bagder
  • 11. The curl bug-bounty https://hackerone.com/curl Collaboration with the Internet Bug Bounty Has paid 40,900 USD so far @bagder
  • 12. Code audit pending via OSTIF: Open Source Technology Improvement Fund sponsored by OpenSSF performed by Trail of Bits during September 2022 @bagder
  • 17. Fixed in next version @bagder
  • 19. But does it work? 10 billion installations is no proof ★ Maybe decreasing number of CVEs introduced ★ Decreasing number of OSS-Fuzz reports over time ★ manageable(?) number of C mistakes ★ Increasing bounty rewards @bagder
  • 22. Commonalities in recent CVEs Connection reuse x 4 Metalink x 2 trailing dot x 2 redirects leak sensitive data x 2 … no clear trends @bagder
  • 24. License This presentation and its contents are licensed under the Creative Commons Attribution 4.0 license: http://creativecommons.org/licenses/by/4.0/ @bagder