Testing curl for security

Daniel Stenberg, Segfault manufacturer at wolfSSL
June 30th 2020

Daniel Stenberg
@bagder
https://daniel.haxx.se
curl runs in...
… ten billion installations across the world

curl runs in…
… devices all of you here today own and use!
Writing safe code
Safe code is not a coincidence
Doesn’t happen randomly, we need to work on it!
We care about it!
It is about time we all address this topic!
Everything I’ll tell you today, you already know!
Writing
Help users use the tool and APIs safely
Defaults!
Document. Everything, detailed and a lot.
Get rid of warnings
Use comments
assert()
Releasing the code as open source
Review
All code shall get reviewed
Code shall be easy to read and understand
Use the same code style everywhere
Commit message template and quality
Make sure style and templates are followed!
Test!
Unit tests
System tests
Integration tests
Test the documentation
Manual tests
Fixed a bug? Add a test. Or two.
Torment
Valgrind, address/UB/integer sanitizers
Static code analysers
Fuzzers
All that, all the time
For every commit
For every PR
All. The. Time
curl CI
80+ builds and test “rounds” per commit
Tests code style, indenting etc
Thousands of tests per build
Builds and tests on tens of platforms
20-25 hours of CI per commit
The curl project’s CI sponsors
Parts of the CI system run on free tiers
Teamviewer sponsors Appveyor power
Travis gives us more power
Azure Pipelines gives us more power
Writing test cases should be easy
A curl test case is a single file in a human readable well-documented
format
• conditions and features needed to run
• what command (line) to run
• what the test wants returned from a server
• how the protocol exchange should look like
• stdout and stderr contents
• expected error code
• … and more
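As an added illustration of the bullets above (not a file taken from the curl repository), this is what such a single-file test case looks like, following the section layout documented in curl's tests/FILEFORMAT: the canned reply the test HTTP server hands back, which server the test needs and the command line to run, and the exact request the server must have seen. The test number 1234 in the URL is a placeholder chosen for this sketch; in the real suite it matches the test file's number.

```text
<testcase>
<info>
<keywords>
HTTP
HTTP GET
</keywords>
</info>

<reply>
<data>
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 6

hello
</data>
</reply>

<client>
<server>
http
</server>
<name>
plain HTTP GET, verify the request on the wire
</name>
<command>
http://%HOSTIP:%HTTPPORT/1234
</command>
</client>

<verify>
<strip>
^User-Agent:.*
</strip>
<protocol>
GET /1234 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Accept: */*

</protocol>
</verify>
</testcase>
```

The `<protocol>` section is the security-relevant part: the test fails if curl sends anything other than exactly these bytes, so an unintended header, a mangled path or a leaked credential in the request shows up as a test failure rather than going unnoticed. The `<strip>` entry removes the version-dependent User-Agent line before comparison.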
Custom test servers
We avoid using “real” servers for testing
Test servers are as dumb as possible
Controlled from the test case what it should send and expect
Allows “crazy” behaviors and send/receive “anything”
Makes the test servers smaller and simpler
Helps with test suite portability
TLS is done by stunnel-fronting
Servers run on random port numbers
Tools of the trade
Dynamic analysis: Valgrind; Clang address, undefined and signed-integer-overflow sanitizers; “torture tests”
Static analysis: clang-tidy, scan-build, LGTM, Codacy, CodeQL, Monocle AI, DeepCode AI, Coverity
CI: Travis CI, AppVeyor, Cirrus CI, GitHub Actions, Azure Pipelines, buildbots
Fuzzing: OSS-Fuzz, CI Fuzz
Torture tests – error injection
Build with a “debug” option
Add wrapper functions for common “fallible” functions (those that allocate and free resources)
Each wrapper function logs what it does and can optionally return an error
The complete individual test case is first run once, to count how many fallible functions get called
Rerun the test case that many times, and in each iteration make the next fallible function return an error
Verify nothing crashed and no memory leaked
Repeat for all tests
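The procedure above as an added, self-contained example in C. This is not curl's own memdebug or runtests code: the wrapper names, the join_kv function under test and its deliberately leaky variant are all constructed for the illustration. malloc and free are wrapped so every call is counted and the Nth can be forced to fail; a test body is run once to count the fallible calls, then rerun once per call with that call failing, checking that the body reports an error and leaves no allocation behind.

```c
#include <stdlib.h>
#include <string.h>

/* Injection state shared by the wrappers (constructed for this example) */
#define MAX_LIVE 64
static long fallible_calls;   /* fallible calls seen in the current run */
static long fail_at;          /* 1-based index of the call to fail, 0 = none */
static void *live[MAX_LIVE];  /* outstanding allocations, for leak detection */
static int live_count;

static void inject_reset(long fail_index) {
  int i;
  for(i = 0; i < live_count; i++)
    free(live[i]);              /* reclaim whatever the previous run leaked */
  live_count = 0;
  fallible_calls = 0;
  fail_at = fail_index;
}

/* Wrapper: count the call, fail it on request, otherwise record the block */
static void *inject_malloc(size_t n) {
  void *p;
  if(++fallible_calls == fail_at)
    return NULL;                /* the injected error */
  p = malloc(n);
  if(p && live_count < MAX_LIVE)
    live[live_count++] = p;
  return p;
}

static void inject_free(void *p) {
  int i;
  if(!p)
    return;
  for(i = 0; i < live_count; i++)
    if(live[i] == p) {
      live[i] = live[--live_count];
      break;
    }
  free(p);
}

/* Code under test: build "key=value" with two fallible allocations. With
   buggy != 0 it skips the cleanup on the second failure: a leak a normal
   run never triggers but torture does. */
static char *join_kv(const char *key, const char *value, int buggy) {
  size_t klen = strlen(key), vlen = strlen(value);
  char *out, *k = inject_malloc(klen + 1);
  if(!k)
    return NULL;
  memcpy(k, key, klen + 1);
  out = inject_malloc(klen + vlen + 2);
  if(!out) {
    if(!buggy)
      inject_free(k);           /* the error path torture is meant to reach */
    return NULL;
  }
  memcpy(out, k, klen);
  out[klen] = '=';
  memcpy(out + klen + 1, value, vlen + 1);
  inject_free(k);
  return out;
}

/* One "test case": 0 on success, nonzero on (possibly injected) failure */
static int run_case(int buggy) {
  char *s = join_kv("Host", "example.com", buggy);
  int rc = (s && !strcmp(s, "Host=example.com")) ? 0 : 1;
  inject_free(s);
  return rc;
}
static int test_good(void) { return run_case(0); }
static int test_leaky(void) { return run_case(1); }

/* calls: fallible calls in the baseline run; leaks: iterations that left
   allocations behind; bad_success: iterations reporting success despite
   the injected fault (an error swallowed instead of propagated) */
struct torture_result { long calls; int leaks; int bad_success; };

/* The driver from the slide: baseline run to count, then one rerun per
   fallible call with that call failing. Crashes are left to the OS and the
   sanitizers; this checks only error propagation and leaks. */
static struct torture_result torture(int (*body)(void)) {
  struct torture_result r = {0, 0, 0};
  long i;
  inject_reset(0);
  if(body() != 0)
    return r;                   /* the test must pass without injection */
  r.calls = fallible_calls;
  for(i = 1; i <= r.calls; i++) {
    inject_reset(i);
    if(body() == 0)
      r.bad_success++;
    if(live_count != 0)
      r.leaks++;
  }
  inject_reset(0);
  return r;
}
```

Calling torture(test_good) and torture(test_leaky) counts two fallible calls for each; the correct variant reports no leaks, while the buggy variant reports one leaking iteration, the one where the second allocation fails. That is the whole point of the technique: the leak sits on an error path that ordinary tests, sanitizers and Valgrind never execute, and only exhaustive fault injection reaches it.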
Source code policy
Fix all warnings (eye roll)
No defects left
Use the strictest and most picky options
As many tests as possible
Fix security issues as soon as possible
A million build combos, 70+ OSes and 20 CPUs
Testing all combinations is simply not possible
Test the common setups
Test on as many platforms as possible
Test on several different CPU architectures
“white spots” in test coverage handled by review
Users keep finding untested areas and build combinations
The security of curl is the sum of all
components combined.
- Lean on the right set!
32 third party dependencies
libcurl’s I/O layer and protocol handlers pull in, depending on the build:
URL parser (IDN): libidn2, winidn
TLS (HTTPS and the other TLS-capable protocols): OpenSSL, boringssl, libressl, GnuTLS, NSS, mbedTLS, wolfSSL, BearSSL, Mesalink, AmiSSL, gskit, Schannel, SecureTransport
SSH (SFTP, SCP): libssh2, libssh, wolfSSH
LDAP: OpenLDAP, WinLDAP
RTMP: librtmp
Name resolver: c-ares
Compression: libz, brotli
Cookies (public suffix list): libpsl
Authentication (Kerberos/SSPI): MIT Kerberos, Heimdal, winsspi
HTTP/2: nghttp2
HTTP/3: quiche, ngtcp2, nghttp3
Protocols shown without a third-party library, implemented in libcurl itself: HTTP/1, IMAP, SMTP, POP3
Fuzz Testing in wolfSSL
● Best tested TLS due to our extensive internal testing process
● Fuzz testing in our internal testing process is one of the reasons why
● Fuzz testing bombards the program with invalid, unexpected and random data, which then allows observing whether there are potential memory leaks or logic errors
● Allows us to catch bugs that could turn into potential vulnerabilities
● We only use highly respected external testers:
  ● Guido Vranken in Holland
  ● Robert Horr of T-Systems in Germany
● Internally, we test using several different software fuzzers such as:
  ● in-memory fuzzer
  ● a network fuzzer
  ● OSS-Fuzz
  ● libFuzzer
  ● tlsfuzzer
  ● AFL
● To maximize security we run 7 fuzz testers internally every night on our latest code on over 20 platforms!
The curl bug-bounty
https://hackerone.com/curl
Pays rewards using donated money
Rewards up to 12,000 USD for a critical flaw
Has paid 2,300 USD so far
Increasing bounty amounts
Get involved!
University researchers looking for a class of bugs
Corporate security researchers whose companies consume curl
Pen testers who want to find something big and widespread
Security enthusiasts looking for a reward and “fame”
There’s one more thing curl has
Full-time curl maintainer
Bad things will happen
We are not immune, no matter how hard we try!
Act immediately
Own the problem
Fix it and announce it
Learn from it
Make it harder to do the same mistake again
But does it work?
10 billion installations is no proof
✔ Decreasing number of CVEs over time
✔ Decreasing number of OSS-Fuzz reports over time
✔ Increasing bounty rewards
Reported security vulnerabilities per year
CRTTA
Clean code
Review
Test
Torment
Act on mistakes
Daniel Stenberg
@bagder
https://daniel.haxx.se/
Thank you!
Questions?
License
This presentation and its contents are
licensed under the Creative Commons
Attribution 4.0 license:
http://creativecommons.org/licenses/by/4.0/