Do you think of copy/paste as a security risk? You should.
Code vulnerabilities that propagate through code reuse (i.e. copy/paste) are no laughing matter. One small error, like an unchecked buffer, can find its way into tens or even hundreds of different projects and products. The risks are particularly acute when talking about code samples in open source projects. The characteristic of open source that facilitates code reuse and sharing also makes it easy for vulnerabilities to spread broadly, putting live systems at risk of compromise.
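The "unchecked buffer" mentioned above is the classic defect that travels with copied samples. The following is an added illustration, not code from the article or from EVC/Digitsec: a fixed-size buffer filled with no length check, as it often appears in a sample, beside a bounded version that rejects input that does not fit. The function names and the 32-byte buffer size are assumptions made for the example.

```c
/* Added example (not from the article or from EVC/Digitsec): an unchecked
 * buffer of the kind that propagates through copy/paste, beside a bounded
 * version. Function names and NAME_MAX are assumptions for the illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32

/* Pattern as it often appears in a copied sample: the caller-supplied
 * string is copied into a fixed-size stack buffer with no length check.
 * Any input longer than NAME_MAX - 1 bytes writes past the end of buf. */
int greet_unchecked(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);              /* no bound: the defect that propagates */
    printf("Hello, %s\n", buf);
    return 0;
}

/* Hardened version: verify the length first and refuse input that does not
 * fit, rather than truncating silently. Returns 0 on success, -1 if the
 * input (plus its terminating NUL) would not fit in the buffer. */
int greet_checked(const char *name)
{
    char buf[NAME_MAX];
    size_t len = strlen(name);
    if (len >= sizeof buf) {
        return -1;                  /* would overflow, so reject it */
    }
    memcpy(buf, name, len + 1);     /* bounded copy; length checked above */
    printf("Hello, %s\n", buf);
    return 0;
}

/* Triage helper: does a given input fit in the sample's buffer?
 * Returns 1 if it fits (with room for the NUL), 0 if it would overflow. */
int fits_in_name_buffer(const char *name)
{
    return strlen(name) < NAME_MAX;
}

int main(void)
{
    /* Constructed inputs: one that fits and one that does not. */
    const char *short_name = "Alice";
    char long_name[64];
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    greet_checked(short_name);                 /* prints greeting, returns 0 */
    if (greet_checked(long_name) == -1) {      /* rejected, nothing overwritten */
        printf("input rejected: %zu bytes exceeds buffer\n", strlen(long_name));
    }
    greet_unchecked(short_name);               /* safe only because input is short */
    /* greet_unchecked(long_name) would write past buf; it is deliberately
     * not called. That call is exactly what a copied sample leaves exposed. */
    return 0;
}
```

The point for a reviewer is that the two functions look almost identical in a sample, which is why the defect survives reuse: only the length check separates them, and a caller copying the first version inherits the overflow with it.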
This was the situation that Waqas Nazir was looking at during a consulting engagement. Nazir is one of the founders and CEO of Digitsec, a Seattle-based security startup that focuses on helping clients develop more secure software.
One day, Nazir and his team were doing a code review of a client’s project. During the review, they found a vulnerability that could have potentially led to an enterprise-wide compromise. In reviewing the vulnerability more closely, they realized that it was introduced from an open source code sample. While Nazir and his team fixed the client’s copy of the vulnerability, the original code sample was still out there and other projects were still reusing that sample, introducing the same vulnerability into new projects.
While the risks around code reuse have been known in the security world for a while, it’s a problem no one has been willing to tackle. The size, scope and scale of the problem are daunting, to say the least. But that didn’t faze Nazir. Rather than merely fix the problem for the client and move on, he and his team decided to try to tackle the bigger problem head-on.
And so the idea for their Eliminate Vulnerable Code (EVC) project was born.
EVC is an ambitious project. It seeks to eliminate vulnerable code from the public domain. The project is a collaborative one: Nazir and Digitsec spearhead the work (Nazir is the most active contributor so far), but it’s open to anyone who wants to try to make the world a safer place.
EVC has three areas of focus:
- Open source code samples available on the web
- High profile open source projects like OpenSSL and Webkit
- Educational outreach to help foster better awareness of the problem
In working to address the problem of vulnerabilities in publicly available open source code samples, EVC acts as an information broker between researchers and the owners of the code samples. Contributors submit identified problems to EVC, and EVC in turn contacts the site owner with information about the problem and encourages the owner to either fix the vulnerability or annotate the sample so that reusers are warned.
On Wednesday, July 25, 2012, EVC took a step forward by launching EVC Probe, a web crawler that automatically scans for vulnerable code samples. With this in place, they hope to speed up the identification of vulnerable public code samples and the notification of their owners by automating the process.
EVC maintains an online portal where registered contributors can submit possible issues and also see the status of issues. Unlike other vulnerability brokers, the goal isn’t publicity for EVC, so reports are protected and available only to contributors.
Besides the support from Digitsec, EVC looks to sponsors to help finance the project. Right now they have one other sponsor, Stach & Liu, but are actively looking for others.
While EVC is seeking to make the world a better place, it’s not a separate non-profit endeavor. It’s run as a part of Digitsec’s day-to-day business. Still, for now, the goal of the project is to make the world safer by eliminating vulnerabilities in code samples and to make people aware of the problem in the first place.
To help illustrate the problem, Nazir uses a rather graphic analogy. “Would you eat chewing gum off the street?” he asks. “So why would you reuse someone’s code without knowing the implications of reusing the code?”
I talked with Nazir at Digitsec’s Pioneer Square offices, just a few blocks away from the Gum Wall in Post Alley. As he said this I thought of all the gum on the wall down there. Then I thought of how that represents just a fraction of the size and scope of the problem they’re trying to solve.
Nazir knows it’s a huge problem, though, and has realistic goals. While the aim is to remove vulnerable code from the public domain, for him success is measured one fixed sample at a time.