OpenSSL Audit
The reputation built up by NCC Group, including iSEC Partners, Matasano Security, Intrepidus Group, and NGS Secure, has led companies large and small to turn to us for their security needs. We audit everything from kernels and hypervisors all the way up the stack to mobile and web applications. The Cryptography Services practice has been able to channel that expertise into a specific corner of security, allowing the investment to pay dividends in research and in actionable intelligence for our clients, and giving us the opportunity to work on some of the most exciting projects out there.
Including OpenSSL.
As part of the Linux Foundation’s Core Infrastructure Initiative, and organized by the Open Crypto Audit Project, we’re going to be conducting an audit of one of the most widely deployed pieces of software in the world. This audit had been mentioned before, absent details, but with the effort OpenSSL has been making we finally feel the codebase is stable enough to announce and undertake it now. OpenSSL has been reviewed and improved by the academic community, commercial static analyzer companies, validation organizations, and individual reviewers over the years, but this audit may be the largest effort to review it, and is definitely the most public. Serious flaws in OpenSSL cause the whole Internet to upgrade, and in the case of flaws like Heartbleed and EarlyCCS, to upgrade in a rush.
We know that with what may be the highest-profile audit conducted on an open source piece of software, the Internet is watching. The audit’s primary focus is on the TLS stacks, covering protocol flow, state transitions, and memory management. We’ll also be looking at the BIOs and most of the high-profile cryptographic algorithms, and setting up fuzzers for the ASN.1 and X.509 parsers. While the audit won’t cover every single corner of the codebase, we believe it will be a useful component of the broader efforts being undertaken to improve OpenSSL’s engineering and security. This is a fairly large audit, so we expect the preliminary results to start coming out towards the beginning of the summer, after we coordinate with the OpenSSL team.
The Linux Foundation’s efforts for Core Infrastructure are really starting to pick up steam. Besides this OpenSSL audit, they’re also figuring out how to provide shared resources for testing and development, and conducting an initiative to survey hundreds of open source projects for development resources and exposure. This is an unprecedented drive towards improving security for open source software, and NCC Group is excited to be a part of it.