DHS gears up for research phase of open source bug hunt


Author: Michael Stutz

It’s been nearly a year since the US Department of Homeland Security (DHS) announced the “vulnerability discovery and remediation open source hardening project,” a $1.24 million, three-year grant through its research and development arm, the Directorate for Science and Technology. Now, the security project is entering its research phase.

“The idea behind the project was to do an initial review of a number of open source packages using a tool that was originally developed by Stanford and then commercialized by Coverity,” says Dr. Douglas Maughan, program manager at DHS.

“They’ve done that, and the idea is to take the results of that work and feed it back into Stanford for some additional research to improve their methods of software vulnerability discovery, with the idea that in the third year [of the grant] that the research done during this year would then feed into the next generation of the product.”

Maughan says that the results of the project are already being used by the government. “I know that some of the results have been fed into the National Cyber Security Division, which is a sister part of DHS, and they’re looking at the software assurance from a bigger picture, and I know that they’ve had a couple of workshops and the Coverity people have been at those workshops. So there’s an attempt to try to take the results and feed it back into real-world things that are of interest to DHS.”

More on the way

Ben Chelf, CTO of Coverity, says that the project currently performs security audits on 51 different open source software packages — including Apache, Mozilla, MySQL, Sendmail, and the Linux kernel itself — but they plan to add more.

“Over the next two years, we’re going to be steadily adding new projects,” says Chelf. “We want to put this capability in the hands of as many open source teams as possible.”

Chelf also says that Coverity plans to work closely with various open source project teams in order to discover new ways that it can assist with their software development and QA processes. And in conjunction with researchers at Stanford University, Coverity is actively working on the development of “new advanced checkers” whose purpose is to help it “identify more defects and security vulnerabilities of the most frustrating and dangerous varieties.”

“I think it’ll probably be in the first quarter of next year where you’ll start to see some results — keeping in mind that you can never time research to know when it will pan out,” says Maughan, “but the goal is that the results of that research would then be fed back in through Coverity in the third year.”

Chelf says that the automated process they have put in place will only help make open source software better and more secure.

“Finding bugs through old-fashioned code review is a grueling, manpower-intensive task, and open source development teams don’t always have the resources, so they appreciate getting actionable results that help them make their code better, faster,” says Chelf.

He describes it as a win-win-win situation: “The open source teams get help in finding and fixing bugs in their code, we get the resources to further refine our technology, and users get higher-quality software.”

Already proven results

Maughan says he is pleased with the way the project has advanced in its first year.

“We’re very happy with the results they’ve achieved, the things that have been learned, what works, what doesn’t work,” he says.

The project infrastructure was in place by March, which was when the first round of audit results came back. Within weeks, the company was able to announce that, based on the DHS-sponsored auditing, free software developers find and correct a software bug every six minutes. One of the bugs identified and fixed was the biggest X Window System vulnerability this decade.

“Nobody found that, it had been in the software for years, and with this DHS effort that was one of the things that they found during their analysis of some of these major packages,” says Maughan.

As a result of the project, more than 4,000 bugs in open source software have already been identified and fixed, including a number of serious, crash-worthy bugs in the Mozilla codebase — those marked in Bugzilla at the two highest severity levels of “blocker” and “critical” — that were found this summer in the months before the awaited release of Firefox 2.0.

US government’s use of FOSS

Maughan, who was previously involved in an open source program at DARPA, says that the project happened because there is a reliance within the US government on Linux, open source applications, and other open source software. In particular, he says that the Department of Defense (DOD) is already using a lot of it.

“We’ve done a study, we have a report, it’s documented,” Maughan says, pointing to a study done by MITRE in 2001 which showed that just in the DOD alone there were more than 200 open source software packages deployed within its infrastructure. And while the same study hasn’t yet been conducted in DHS, Maughan says he expects the results to be similar. Indeed, since its formation in 2001, DHS has been seen switching to open source for various software including its Web servers.

“The mindset that we used as we did the research solicitation was, ‘The government is a big user of open source and very dependent on it, and so therefore we feel like we should try to make it better.’ That’s the model that we’re trying to use,” says Maughan.

While a DHS spokesman is quick to clarify that the DHS is not in the business of endorsing anything, Maughan says that the point is government usage, not endorsement: “The government is using many of these open source packages,” says Maughan. “Whether use constitutes endorsement, that’s up to the lawyers, but the real issue here is, ‘We’re using it, many of these are critical open source packages that have been around for a long time, we should try to help make them better.'”

According to Chelf, this heavy government use and the fact that this project was initiated by the DHS to begin with are two big, undeniable validations for FOSS.

“The fact that open source is now deployed in so much critical infrastructure and that the federal government is sitting up and taking notice,” says Chelf, “is further proof of open source’s tremendous penetration and growth in recent years.”


  • Security