Testing curl for security
Daniel Stenberg - June 30th 2020

Testing for security!
Daniel Stenberg
@bagder https://daniel.haxx.se
curl runs in...
… ten billion installations across the world
curl runs in
… devices all of you here today own and use!
Writing safe code
Safe code is not a coincidence
Doesn’t happen randomly, we need to work on it!
We care about it!
It is about time we all address this topic!
Everything I’ll tell you today, you already know!
Writing
Help users use the tool and APIs safely
Defaults!
Document. Everything, detailed and a lot.
Get rid of warnings
Use comments
assert()
Releasing the code as open source
Review
All code shall get reviewed
Code shall be easy to read and understand
Use the same code style everywhere
Commit message template and quality
Make sure style and templates are followed!
Test!
Unit tests
System tests
Integration tests
Test the documentation
Manual tests
Fixed a bug? Add a test. Or two.
Torment
Valgrind, address/UB/integer sanitizers
Static code analysers
Fuzzers
All that, all the time
For every commit
For every PR
All. The. Time
curl CI
80+ builds and test “rounds” per commit
Tests code style, indenting etc
Thousands of tests per build
Builds and tests on tens of platforms
20-25 hours of CI per commit
The curl project’s CI sponsors
Parts of the CI system run on free tiers
TeamViewer sponsors
AppVeyor powers
Travis gives us more power
Azure Pipelines gives us more power
Writing test cases should be easy
A curl test case is a single file in a human readable, well-documented format
• conditions and features needed to run
• what command (line) to run
• what the test wants returned from a server
• what the protocol exchange should look like
• stdout and stderr contents
• expected error code
• … and more
Custom test servers
We avoid using “real” servers for testing
Test servers are as dumb as possible
Controlled from the test case what it should send and expect
Allows “crazy” behaviors and send/receive “anything”
Makes the test servers smaller and simpler
Helps with test suite portability
TLS is done by stunnel-fronting
Servers run on random port numbers
Tools of the trade
Valgrind
Clang address, undefined, signed-integer-overflow sanitizers
Clang tidy
“torture tests”
Scan-build
LGTM
Codacy
CodeQL
Monocle AI
Deepcode AI
Coverity
Travis CI
AppVeyor
Cirrus CI
GitHub Actions
Azure Pipelines
Buildbots
OSS-Fuzz
CI-fuzz
Torture tests – error injection
Build with a “debug” option
Add wrapper functions for common “fallible” functions (that allocate and free resources)
Each wrapper function logs what it does and can optionally return error.
The complete individual test case is first run once: count how many fallible functions are called
Rerun the test case that number of times and for each iteration make the next fallible function return error
Verify nothing crashed and no memory leaked
Repeat for all tests
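The scheme above, as an added example in C. This is not curl's own code: the wrapper names, the `session` object, the `buggy` switch and the URL are all invented for the illustration. A debug wrapper around malloc() logs every call and can be told to fail the Nth one; the torture loop runs the test case once to count the fallible calls, then reruns it that many times, failing a different call each time, and checks after every run that the failure was reported and that nothing is still allocated. With `buggy` set, one error path forgets to unwind, which is exactly the kind of leak that never shows up in a normal run but that this loop finds on its third iteration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Debug-build bookkeeping (hypothetical names; curl keeps similar state in its memdebug code). */
static long alloc_calls;   /* fallible calls seen so far in this run */
static long fail_at;       /* 1-based call number to fail, 0 = never */
static long live_blocks;   /* allocations not yet freed; must be 0 after a run */

/* Wrapper for a fallible function: logs, and fails one call when told to. */
static void *dbg_malloc(size_t size, const char *what)
{
  alloc_calls++;
  if(fail_at && alloc_calls == fail_at) {
    fprintf(stderr, "torture: call %ld (%s) made to fail\n", alloc_calls, what);
    return NULL;
  }
  void *p = malloc(size);
  if(p)
    live_blocks++;
  return p;
}

static void dbg_free(void *p)
{
  if(!p)
    return;
  live_blocks--;
  free(p);
}

/* Code under test: a hypothetical object holding two allocations. */
struct session { char *url; char *buffer; };

static void session_free(struct session *s)
{
  if(!s)
    return;
  dbg_free(s->buffer);
  dbg_free(s->url);
  dbg_free(s);
}

/* Three fallible calls. With buggy == 0 every error path unwinds; with
 * buggy == 1 the last error path forgets to (an illustrative leak). */
struct session *session_new(const char *url, int buggy)
{
  struct session *s = dbg_malloc(sizeof(*s), "session");
  if(!s)
    return NULL;
  memset(s, 0, sizeof(*s));
  if(!(s->url = dbg_malloc(strlen(url) + 1, "url")))
    goto fail;
  strcpy(s->url, url);
  if(!(s->buffer = dbg_malloc(16384, "buffer"))) {
    if(buggy)
      return NULL;          /* BUG: s and s->url leak, but only when this call fails */
    goto fail;
  }
  return s;
fail:
  session_free(s);
  return NULL;
}

/* The test case: build and tear down a session. Returns 1 on success. */
static int run_test_case(int buggy)
{
  struct session *s = session_new("https://example.com/", buggy);
  int ok = (s != NULL);
  session_free(s);
  return ok;
}

static void torture_reset(long fail_index)
{
  alloc_calls = 0;
  fail_at = fail_index;
  live_blocks = 0;
}

/* The torture loop from the slides. Returns how many iterations misbehaved
 * (leaked, or reported success although a call was failed); 0 means clean,
 * -1 means the plain baseline run itself failed or leaked. */
long torture_test(int buggy)
{
  torture_reset(0);                          /* 1. run once, count fallible calls */
  if(!run_test_case(buggy) || live_blocks != 0)
    return -1;
  long total = alloc_calls, problems = 0;
  for(long i = 1; i <= total; i++) {         /* 2. rerun, failing call i this time */
    torture_reset(i);
    int ok = run_test_case(buggy);
    if(ok || live_blocks != 0) {             /* 3. verify: failure propagated, nothing leaked */
      fprintf(stderr, "torture: iteration %ld/%ld: ok=%d, %ld block(s) leaked\n", i, total, ok, live_blocks);
      problems++;
    }
  }
  return problems;
}
```

`torture_test(0)` returns 0 and `torture_test(1)` returns 1, reported on iteration 3 of 3. The `live_blocks` counter only sees what goes through the wrappers, so in practice the whole loop is run under Valgrind or the sanitizers as well: the leaked blocks in the buggy path are real leaks that LeakSanitizer reports independently. curl's own test runner exposes this per test case as its torture mode; the cost is one full test run per fallible call, which is why it is a dedicated CI job rather than part of every build.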
Source code policy
Fix all warnings (eye roll)
No defects left
Use the strictest and most picky options
As many tests as possible
Fix security issues as soon as possible
A million build combos, 70+ OSes and 20 CPUs
Testing all combinations is simply not possible
Test the common setups
Test on as many platforms as possible
Test on several different CPU architectures
“white spots” in test coverage handled by review
Users keep finding untested areas and build combinations
The security of curl is the sum of all components combined.
- Lean on the right set!
32 third party dependencies

libcurl and its I/O layer
Protocols: HTTP/1, HTTPS, HTTP/2, HTTP/3, IMAP, SMTP, POP3, SFTP, SCP, LDAP, RTMP
URL parser (IDN): libidn2, winidn
TLS: OpenSSL, Mesalink, gskit, mbedTLS, wolfSSL, Schannel, SecureTransport, GnuTLS, NSS, boringssl, libressl, AmiSSL, BearSSL
SSH (SFTP, SCP): libssh2, libssh, wolfSSH
LDAP: WinLDAP, OpenLDAP
RTMP: librtmp
Name resolver: c-ares
compression: libz, brotli
cookies: libpsl
HTTP/2: nghttp2
HTTP/3: quiche, ngtcp2, nghttp3
authentication: winsspi, Heimdal, MIT kerberos
Fuzz Testing in wolfSSL
● Best Tested TLS due to our extensive internal testing process
● Fuzz testing in our internal testing process is one of the reasons why
● Fuzz testing bombards the program with invalid, unexpected, and random data, which then allows observing whether there are potential memory leaks or logic errors
● Allows us to catch bugs that could turn into potential vulnerabilities
● We only use highly respected external testers:
  ● Guido Vranken in Holland
  ● Robert Horr of T-Systems in Germany
● Internally, we test using several different software fuzzers such as:
  ● in-memory fuzzer
  ● a network fuzzer
  ● OSS-Fuzz
  ● libFuzzer
  ● tlsfuzzer
  ● AFL
● To maximize security we run 7 fuzz testers internally every night on our latest code on over 20 platforms!
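What "bombarding the program with invalid, unexpected and random data" looks like in code, as an added example that is neither wolfSSL's nor curl's: a libFuzzer-style harness (the same entry point OSS-Fuzz drives) around a small TLS record header parser written for this illustration. `LLVMFuzzerTestOneInput` is the real libFuzzer entry point name; `parse_tls_record`, `parse_sample`, the `NO_MAIN` macro and the three sample records are invented here. The point of the harness is that the fuzzer only has to get the length field to disagree with the buffer once: with the sanitizers on, a parser missing the `length > len - 5` check crashes on the over-read instead of silently returning garbage.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Target: a minimal TLS record header parser, written for this example.
 * A record is 1 byte content type, 2 bytes version, 2 bytes big-endian
 * length, then `length` bytes of payload. */
struct tls_record {
  uint8_t type;
  uint16_t version;
  uint16_t length;
  const uint8_t *payload;
};

/* Returns the content type (20..24) on success, -1 on malformed input. */
int parse_tls_record(const uint8_t *buf, size_t len, struct tls_record *out)
{
  if(len < 5)
    return -1;                               /* truncated header */
  uint8_t type = buf[0];
  if(type < 20 || type > 24)                 /* change_cipher_spec .. heartbeat */
    return -1;
  if(buf[1] != 0x03)                         /* SSLv3 and every TLS version: major 3 */
    return -1;
  uint16_t length = (uint16_t)((buf[3] << 8) | buf[4]);
  if(length > 16384 + 2048)                  /* largest TLS 1.2 ciphertext (RFC 5246 6.2.3) */
    return -1;
  if(length > len - 5)                       /* claims more payload than we were given */
    return -1;
  out->type = type;
  out->version = (uint16_t)((buf[1] << 8) | buf[2]);
  out->length = length;
  out->payload = buf + 5;
  return type;
}

/* libFuzzer entry point; OSS-Fuzz drives the same function. The fuzzer
 * mutates `data`; with ASan/UBSan on, an over-read of the payload (what
 * the length check above prevents) becomes a reported crash. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
  struct tls_record rec;
  if(parse_tls_record(data, size, &rec) >= 0) {
    volatile uint8_t sink = 0;
    for(size_t i = 0; i < rec.length; i++)
      sink ^= rec.payload[i];                /* touch every claimed payload byte */
    (void)sink;
  }
  return 0;
}

/* Constructed sample inputs (not captured traffic) so the harness also
 * runs as a plain program: a valid 3-byte handshake record, a truncated
 * header, and a header claiming 16384 payload bytes with one present. */
static const uint8_t good_handshake[] = { 0x16, 0x03, 0x01, 0x00, 0x03, 0x01, 0x02, 0x03 };
static const uint8_t short_header[]   = { 0x16, 0x03, 0x01, 0x00 };
static const uint8_t lying_length[]   = { 0x17, 0x03, 0x03, 0x40, 0x00, 0xaa };

int parse_sample(const uint8_t *buf, size_t len)
{
  struct tls_record rec;
  return parse_tls_record(buf, len, &rec);
}

#ifndef NO_MAIN  /* libFuzzer supplies main(): build with -DNO_MAIN -fsanitize=fuzzer,address */
int main(void)
{
  printf("handshake record:     %d\n", parse_sample(good_handshake, sizeof(good_handshake)));
  printf("truncated header:     %d\n", parse_sample(short_header, sizeof(short_header)));
  printf("length beyond buffer: %d\n", parse_sample(lying_length, sizeof(lying_length)));
  return LLVMFuzzerTestOneInput(good_handshake, sizeof(good_handshake));
}
#endif
```

Compiled normally it prints 22, -1, -1 for the three samples. Compiled with `clang -g -O1 -fsanitize=fuzzer,address -DNO_MAIN`, the resulting binary takes a corpus directory and mutates inputs indefinitely, which is how the libFuzzer, OSS-Fuzz and AFL entries in the tool lists above are wired up: the project supplies the target function, the fuzzing infrastructure supplies the data and the sanitizers supply the oracle.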
The curl bug-bounty
https://hackerone.com/curl
Pays rewards using donated money
Rewards up to 12,000 USD for a critical flaw
Has paid 2,300 USD so far
Increasing bounty amounts
Get involved!
University researchers looking for a class of bugs
Corporate security researchers whose companies consume curl
Pen testers who want to find something big and widespread
Security enthusiasts looking for a reward and “fame”
There’s one more thing curl has
Full-time curl maintainer
Bad things will happen
We are not immune, no matter how hard we try!
Act immediately
Own the problem
Fix it and announce it
Learn from it
Make it harder to do the same mistake again
But does it work?
10 billion installations is no proof
✔ Decreasing number of CVEs over time
✔ Decreasing number of OSS-Fuzz reports over time
✔ Increasing bounty rewards
Reported security vulnerabilities per year
CRTTA
Clean code
Review
Test
Torment
Act on mistakes
Daniel Stenberg
@bagder
https://daniel.haxx.se/
Thank you!
Questions?
License
This presentation and its contents are
licensed under the Creative Commons
Attribution 4.0 license:
http://creativecommons.org/licenses/by/4.0/
@bagder@bagder

More Related Content

What's hot

HTTP/3, QUIC and streaming
HTTP/3, QUIC and streamingHTTP/3, QUIC and streaming
HTTP/3, QUIC and streamingDaniel Stenberg
 
curl - a hobby project that conquered the world
curl - a hobby project that conquered the worldcurl - a hobby project that conquered the world
curl - a hobby project that conquered the worldDaniel Stenberg
 
Let me tell you about curl
Let me tell you about curlLet me tell you about curl
Let me tell you about curlDaniel Stenberg
 
Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Vinci Rufus
 
Ruby Security the Hard Way
Ruby Security the Hard WayRuby Security the Hard Way
Ruby Security the Hard WayHiroshi SHIBATA
 
マイクロサービスバックエンドAPIのためのRESTとgRPC
マイクロサービスバックエンドAPIのためのRESTとgRPCマイクロサービスバックエンドAPIのためのRESTとgRPC
マイクロサービスバックエンドAPIのためのRESTとgRPCdisc99_
 
Writing a fast HTTP parser
Writing a fast HTTP parserWriting a fast HTTP parser
Writing a fast HTTP parserfukamachi
 
Woo: Writing a fast web server @ ELS2015
Woo: Writing a fast web server @ ELS2015Woo: Writing a fast web server @ ELS2015
Woo: Writing a fast web server @ ELS2015fukamachi
 
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...PROIDEA
 
Chenli linux-kerne-community
Chenli linux-kerne-communityChenli linux-kerne-community
Chenli linux-kerne-community力 陈
 
Building GUI App with Electron and Lisp
Building GUI App with Electron and LispBuilding GUI App with Electron and Lisp
Building GUI App with Electron and Lispfukamachi
 
OSS Security the hard way
OSS Security the hard wayOSS Security the hard way
OSS Security the hard wayHiroshi SHIBATA
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPFastly
 
Dhcp security #netseckh
Dhcp security #netseckhDhcp security #netseckh
Dhcp security #netseckhHEM Sothon
 

What's hot (20)

HTTP/3 for everyone
HTTP/3 for everyoneHTTP/3 for everyone
HTTP/3 for everyone
 
HTTP/3, QUIC and streaming
HTTP/3, QUIC and streamingHTTP/3, QUIC and streaming
HTTP/3, QUIC and streaming
 
The state of curl 2020
The state of curl 2020The state of curl 2020
The state of curl 2020
 
curl - a hobby project that conquered the world
curl - a hobby project that conquered the worldcurl - a hobby project that conquered the world
curl - a hobby project that conquered the world
 
Curl with rust
Curl with rustCurl with rust
Curl with rust
 
Let me tell you about curl
Let me tell you about curlLet me tell you about curl
Let me tell you about curl
 
Scapy talk
Scapy talkScapy talk
Scapy talk
 
Who Broke My Crypto
Who Broke My CryptoWho Broke My Crypto
Who Broke My Crypto
 
Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2
 
Ruby Security the Hard Way
Ruby Security the Hard WayRuby Security the Hard Way
Ruby Security the Hard Way
 
マイクロサービスバックエンドAPIのためのRESTとgRPC
マイクロサービスバックエンドAPIのためのRESTとgRPCマイクロサービスバックエンドAPIのためのRESTとgRPC
マイクロサービスバックエンドAPIのためのRESTとgRPC
 
Writing a fast HTTP parser
Writing a fast HTTP parserWriting a fast HTTP parser
Writing a fast HTTP parser
 
Woo: Writing a fast web server @ ELS2015
Woo: Writing a fast web server @ ELS2015Woo: Writing a fast web server @ ELS2015
Woo: Writing a fast web server @ ELS2015
 
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...
 
Chenli linux-kerne-community
Chenli linux-kerne-communityChenli linux-kerne-community
Chenli linux-kerne-community
 
Building GUI App with Electron and Lisp
Building GUI App with Electron and LispBuilding GUI App with Electron and Lisp
Building GUI App with Electron and Lisp
 
Cryptocurrency && Ruby
Cryptocurrency && RubyCryptocurrency && Ruby
Cryptocurrency && Ruby
 
OSS Security the hard way
OSS Security the hard wayOSS Security the hard way
OSS Security the hard way
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
 
Dhcp security #netseckh
Dhcp security #netseckhDhcp security #netseckh
Dhcp security #netseckh
 

Similar to Testing curl for security

curl security - curl up 2022
curl security - curl up 2022curl security - curl up 2022
curl security - curl up 2022Daniel Stenberg
 
mastering the curl command line.pdf
mastering the curl command line.pdfmastering the curl command line.pdf
mastering the curl command line.pdfDanielStenberg7
 
Coding for production
Coding for productionCoding for production
Coding for productionjehiah
 
Fedora Developer's Conference 2014 Talk
Fedora Developer's Conference 2014 TalkFedora Developer's Conference 2014 Talk
Fedora Developer's Conference 2014 TalkRainer Gerhards
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1   t. yunusov k. nesterov - bootkit via smsD1 t1   t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
Night of the living vulnerabilities: forever-days of IoT - Stefano Zanero, Ro...
Night of the living vulnerabilities: forever-days of IoT - Stefano Zanero, Ro...Night of the living vulnerabilities: forever-days of IoT - Stefano Zanero, Ro...
Night of the living vulnerabilities: forever-days of IoT - Stefano Zanero, Ro...Codemotion
 
Night of the living vulnerabilities: forever-days of IoT - Stefano Zanero, Ro...
Night of the living vulnerabilities: forever-days of IoT - Stefano Zanero, Ro...Night of the living vulnerabilities: forever-days of IoT - Stefano Zanero, Ro...
Night of the living vulnerabilities: forever-days of IoT - Stefano Zanero, Ro...Codemotion
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidOwaspCzech
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidFilip Šebesta
 
TSC Summit #3 - Reverse engineering and anti debugging techniques
TSC Summit #3 - Reverse engineering and anti debugging techniquesTSC Summit #3 - Reverse engineering and anti debugging techniques
TSC Summit #3 - Reverse engineering and anti debugging techniquesMikal Villa
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...B.A.
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 

Similar to Testing curl for security (20)

curl security - curl up 2022
curl security - curl up 2022curl security - curl up 2022
curl security - curl up 2022
 
Us 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimesUs 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimes
 
mastering the curl command line.pdf
mastering the curl command line.pdfmastering the curl command line.pdf
mastering the curl command line.pdf
 
Coding for production
Coding for productionCoding for production
Coding for production
 
Fedora Developer's Conference 2014 Talk
Fedora Developer's Conference 2014 TalkFedora Developer's Conference 2014 Talk
Fedora Developer's Conference 2014 Talk
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1   t. yunusov k. nesterov - bootkit via smsD1 t1   t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Total E(A)gression defcon
Total E(A)gression   defconTotal E(A)gression   defcon
Total E(A)gression defcon
 
Sectools
SectoolsSectools
Sectools
 
aaa
aaaaaa
aaa
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
Night of the living vulnerabilities: forever-days of IoT - Stefano Zanero, Ro...
Night of the living vulnerabilities: forever-days of IoT - Stefano Zanero, Ro...Night of the living vulnerabilities: forever-days of IoT - Stefano Zanero, Ro...
Night of the living vulnerabilities: forever-days of IoT - Stefano Zanero, Ro...
 
Night of the living vulnerabilities: forever-days of IoT - Stefano Zanero, Ro...
Night of the living vulnerabilities: forever-days of IoT - Stefano Zanero, Ro...Night of the living vulnerabilities: forever-days of IoT - Stefano Zanero, Ro...
Night of the living vulnerabilities: forever-days of IoT - Stefano Zanero, Ro...
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
TSC Summit #3 - Reverse engineering and anti debugging techniques
TSC Summit #3 - Reverse engineering and anti debugging techniquesTSC Summit #3 - Reverse engineering and anti debugging techniques
TSC Summit #3 - Reverse engineering and anti debugging techniques
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 

More from Daniel Stenberg

mastering libcurl part 2
mastering libcurl part 2mastering libcurl part 2
mastering libcurl part 2Daniel Stenberg
 
mastering libcurl part 1
mastering libcurl part 1mastering libcurl part 1
mastering libcurl part 1Daniel Stenberg
 
curl - openfourm europe.pdf
curl - openfourm europe.pdfcurl - openfourm europe.pdf
curl - openfourm europe.pdfDaniel Stenberg
 
curl experiments - curl up 2022
curl experiments - curl up 2022curl experiments - curl up 2022
curl experiments - curl up 2022Daniel Stenberg
 
HTTP/3 in curl - curl up 2022
HTTP/3 in curl - curl up 2022HTTP/3 in curl - curl up 2022
HTTP/3 in curl - curl up 2022Daniel Stenberg
 
HTTP/3 over QUIC. All is new but still the same!
HTTP/3 over QUIC. All is new but still the same!HTTP/3 over QUIC. All is new but still the same!
HTTP/3 over QUIC. All is new but still the same!Daniel Stenberg
 
Http3 fullstackfest-2019
Http3 fullstackfest-2019Http3 fullstackfest-2019
Http3 fullstackfest-2019Daniel Stenberg
 
Writing safe and secure code
Writing safe and secure codeWriting safe and secure code
Writing safe and secure codeDaniel Stenberg
 
Säker kod (secure code)
Säker kod (secure code)Säker kod (secure code)
Säker kod (secure code)Daniel Stenberg
 
You know what's cool? Running on a billion devices
You know what's cool? Running on a billion devicesYou know what's cool? Running on a billion devices
You know what's cool? Running on a billion devicesDaniel Stenberg
 

More from Daniel Stenberg (15)

mastering libcurl part 2
mastering libcurl part 2mastering libcurl part 2
mastering libcurl part 2
 
mastering libcurl part 1
mastering libcurl part 1mastering libcurl part 1
mastering libcurl part 1
 
curl - openfourm europe.pdf
curl - openfourm europe.pdfcurl - openfourm europe.pdf
curl - openfourm europe.pdf
 
curl experiments - curl up 2022
curl experiments - curl up 2022curl experiments - curl up 2022
curl experiments - curl up 2022
 
HTTP/3 in curl - curl up 2022
HTTP/3 in curl - curl up 2022HTTP/3 in curl - curl up 2022
HTTP/3 in curl - curl up 2022
 
The state of curl 2022
The state of curl 2022The state of curl 2022
The state of curl 2022
 
HTTP/3 over QUIC. All is new but still the same!
HTTP/3 over QUIC. All is new but still the same!HTTP/3 over QUIC. All is new but still the same!
HTTP/3 over QUIC. All is new but still the same!
 
Just curl it!
Just curl it!Just curl it!
Just curl it!
 
Http3 fullstackfest-2019
Http3 fullstackfest-2019Http3 fullstackfest-2019
Http3 fullstackfest-2019
 
Writing safe and secure code
Writing safe and secure codeWriting safe and secure code
Writing safe and secure code
 
The state of curl 2019
The state of curl 2019The state of curl 2019
The state of curl 2019
 
DNS over HTTPS
DNS over HTTPSDNS over HTTPS
DNS over HTTPS
 
Säker kod (secure code)
Säker kod (secure code)Säker kod (secure code)
Säker kod (secure code)
 
HTTP/3
HTTP/3HTTP/3
HTTP/3
 
You know what's cool? Running on a billion devices
You know what's cool? Running on a billion devicesYou know what's cool? Running on a billion devices
You know what's cool? Running on a billion devices
 

Recently uploaded

How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park masabamasaba
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is insideshinachiaurasa2
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...Jittipong Loespradit
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5   - SESSION 1 2023 (1).pptx - PDF 123456LEVEL 5   - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456KiaraTiradoMicha
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionOnePlan Solutions
 
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxBUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxalwaysnagaraju26
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 

Recently uploaded (20)

How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Unlocking the Future of AI Agents with Large Language Models
Testing curl for security

  • 4. curl runs in… ten billion installations across the world
  • 5. curl runs in… devices all of you here today own and use!
  • 6. Writing safe code
  • 7. Safe code is not a coincidence
    • Doesn’t happen randomly, we need to work on it!
    • We care about it!
    • It is about time we all address this topic!
    • Everything I’ll tell you today, you already know!
  • 8. Writing
    • Help users use the tool and APIs safely
    • Defaults!
    • Document. Everything, detailed and a lot.
    • Get rid of warnings
    • Use comments
    • assert()
    • Releasing the code as open source
  • 9. Review
    • All code shall get reviewed
    • Code shall be easy to read and understand
    • Use the same code style everywhere
    • Commit message template and quality
    • Make sure style and templates are followed!
  • 10. Test!
    • Unit tests
    • System tests
    • Integration tests
    • Test the documentation
    • Manual tests
    • Fixed a bug? Add a test. Or two.
  • 11. Torment
    • Valgrind, address/UB/integer sanitizers
    • Static code analysers
    • Fuzzers
  • 12. All that, all the time
    • For every commit
    • For every PR
    • All. The. Time
  • 13. curl CI
    • 80+ builds and test “rounds” per commit
    • Tests code style, indenting etc
    • Thousands of tests per build
    • Builds and tests on tens of platforms
    • 20-25 hours of CI per commit
  • 16. The curl project’s CI sponsors
    • Parts of the CI system run on free tiers
    • Teamviewer sponsors
    • Appveyor powers
    • Travis gives us more power
    • Azure Pipelines gives us more power
  • 19. Writing test cases should be easy
    • A curl test case is a single file in a human readable, well-documented format, describing:
      • conditions and features needed to run
      • what command (line) to run
      • what the test wants returned from a server
      • what the protocol exchange should look like
      • stdout and stderr contents
      • expected error code
      • … and more
  • 20. Custom test servers
    • We avoid using “real” servers for testing
    • Test servers are as dumb as possible
    • Controlled from the test case: what they should send and what they should expect
    • Allows “crazy” behaviors and sending/receiving “anything”
    • Makes the test servers smaller and simpler
    • Helps with test suite portability
    • TLS is done by stunnel-fronting
    • Servers run on random port numbers
  • 21. Tools of the trade
    • Valgrind; Clang address, undefined and signed-integer-overflow sanitizers; Clang tidy; “torture tests”; Scan-build; Lgtm; Codacy; CodeQL; Monocle AI; Deepcode AI; Coverity; Travis CI; Appveyor; Cirrus CI; Github Actions; Azure Pipelines; Buildbots; OSS-Fuzz; CI-fuzz
  • 22. Torture tests – error injection
    • Build with a “debug” option
    • Add wrapper functions for common “fallible” functions (that allocate and free resources)
    • Each wrapper function logs what it does and can optionally return error
    • The complete individual test case is first run once, to count how many fallible functions are called
    • Rerun the test case that number of times and, for each iteration, make the next fallible function return error
    • Verify nothing crashed and no memory leaked
    • Repeat for all tests
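The error-injection loop from slide 22, written out as a small self-contained driver. This is an added example and not curl's own torture-test code; every name in it (ti_malloc, torture_run, the two request builders) is hypothetical and constructed to illustrate the technique. It runs the case once to count fallible calls, then once per call with that call forced to fail, and flags any iteration that leaves allocations behind. The leaky builder is deliberately wrong so the driver has something to catch; the fixed builder shows the cleanup the wrapper forces you to write.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not curl's own code: a miniature error-injection
   ("torture test") driver. All names here are hypothetical. */

static int ti_fail_at; /* 1-based index of the fallible call to fail; 0 = none */
static int ti_calls;   /* fallible calls seen so far in the current run */
static int ti_live;    /* outstanding allocations: nonzero at the end = leak */

/* Wrapper for malloc(): logs what it does and fails on demand. */
static void *ti_malloc(size_t size)
{
  void *p = (++ti_calls == ti_fail_at) ? NULL : malloc(size);
  fprintf(stderr, "  malloc #%d (%zu bytes): %s\n", ti_calls, size,
          p ? "ok" : "injected failure");
  if(p)
    ti_live++;
  return p;
}

/* Wrapper for free(): keeps the leak counter in step with ti_malloc(). */
static void ti_free(void *p) { if(p) ti_live--; free(p); }

struct request { char *host; char *path; };
typedef int (*builder_fn)(struct request *r, const char *host, const char *path);

/* Leaky builder: forgets to release host when the path allocation fails. */
static int build_request_leaky(struct request *r, const char *host, const char *path)
{
  r->host = ti_malloc(strlen(host) + 1);
  if(!r->host)
    return -1;
  strcpy(r->host, host);
  r->path = ti_malloc(strlen(path) + 1);
  if(!r->path)
    return -1; /* BUG: r->host leaks here */
  strcpy(r->path, path);
  return 0;
}

/* Fixed builder: releases what it already allocated before failing. */
static int build_request_fixed(struct request *r, const char *host, const char *path)
{
  r->host = ti_malloc(strlen(host) + 1);
  if(!r->host)
    return -1;
  strcpy(r->host, host);
  r->path = ti_malloc(strlen(path) + 1);
  if(!r->path) {
    ti_free(r->host);
    r->host = NULL;
    return -1;
  }
  strcpy(r->path, path);
  return 0;
}

/* One test case. Contract: a builder that fails returns -1 and owns nothing,
   so the caller only tears down on success (constructed sample input). */
static int run_case(builder_fn build)
{
  struct request r = { NULL, NULL };
  if(build(&r, "example.invalid", "/index.html") != 0)
    return -1;
  ti_free(r.host);
  ti_free(r.path);
  return 0;
}

/* Torture driver: run once to count fallible calls, then once per call with
   that call forced to fail. Returns how many iterations leaked (0 = clean). */
static int torture_run(builder_fn build)
{
  int total, i, leaks = 0;
  ti_fail_at = ti_calls = ti_live = 0;
  run_case(build);
  total = ti_calls;
  for(i = 1; i <= total; i++) {
    fprintf(stderr, "iteration %d/%d: fail fallible call #%d\n", i, total, i);
    ti_fail_at = i;
    ti_calls = ti_live = 0;
    run_case(build);
    if(ti_live) {
      fprintf(stderr, "  LEAK: %d allocation(s) never freed\n", ti_live);
      leaks++;
    }
  }
  return leaks;
}

int main(void)
{
  printf("leaky builder: %d leaking iteration(s)\n", torture_run(build_request_leaky));
  printf("fixed builder: %d leaking iteration(s)\n", torture_run(build_request_fixed));
  return 0;
}
```

A real run adds a sanitizer or Valgrind on top, so a crash on the injected failure path is caught as well as a leak; the wrapper's log line is what lets you map "iteration 2" back to the exact call that was made to fail.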
  • 23. Source code policy
    • Fix all warnings (eye roll)
    • No defects left
    • Use the strictest and most picky options
    • As many tests as possible
    • Fix security issues as soon as possible
  • 24. A million build combos, 70+ OSes and 20 CPUs
    • Testing all combinations is simply not possible
    • Test the common setups
    • Test on as many platforms as possible
    • Test on several different CPU architectures
    • “white spots” in test coverage handled by review
    • Users keep finding untested areas and build combinations
  • 25. The security of curl is the sum of all components combined. Lean on the right set!
  • 26. 32 third party dependencies (the slide’s diagram of libcurl and the libraries behind each protocol or feature)
    • I/O layer: libcurl, with HTTP/1, HTTP, HTTPS, IMAP, SMTP, POP3, SFTP, SCP, LDAP, RTMP, SSH, HTTP/2 and HTTP/3 on top
    • URL parser: libidn2, winidn
    • HTTPS (TLS): OpenSSL, Mesalink, gskit, mbedTLS, wolfSSL, Schannel, SecureTransport, GnuTLS, NSS, boringssl, libressl, AmiSSL, BearSSL
    • SSH (SFTP, SCP): wolfSSH, libssh2, libssh
    • LDAP: WinLDAP, OpenLDAP
    • RTMP: librtmp
    • Name resolver: c-ares
    • Compression: libz, brotli
    • Cookies: libpsl
    • HTTP/2: nghttp2
    • HTTP/3: quiche, ngtcp2, nghttp3
    • Authentication: winsspi, Heimdal, MIT kerberos
  • 27. Fuzz Testing in wolfSSL
    • Best Tested TLS due to our extensive internal testing process
    • Fuzz testing in our internal testing process is one of the reasons why
    • Fuzz testing bombards the program with invalid, unexpected, and random data, which allows observing whether there are potential memory leaks or logic errors
    • Allows us to catch bugs that could turn into potential vulnerabilities
    • We only use highly respected external testers:
      • Guido Vranken in Holland
      • Robert Horr of T-Systems in Germany
    • Internally, we test using several different software fuzzers such as:
      • in-memory fuzzer
      • a network fuzzer
      • OSS-fuzz
      • libfuzzer
      • tlsfuzzer
      • AFL
    • To maximize security we run 7 fuzz testers internally every night on our latest code on over 20 platforms!
  • 28. The curl bug-bounty
    • https://hackerone.com/curl
    • Pays rewards using donated money
    • Rewards up to 12,000 USD for a critical flaw
    • Has paid 2,300 USD so far
    • Increasing bounty amounts
  • 30. Get involved!
    • University researchers looking for a class of bugs
    • Corporate security researchers whose companies consume curl
    • Pen testers who want to find something big and widespread
    • Security enthusiasts looking for a reward and “fame”
  • 31. There’s one more thing curl has
  • 33. Bad things will happen
    • We are not immune, no matter how hard we try!
    • Act immediately
    • Own the problem
    • Fix it and announce it
    • Learn from it
    • Make it harder to do the same mistake again
  • 34. But does it work?
    • 10 billion installations is no proof
    • ✔ Decreasing number of CVEs over time
    • ✔ Decreasing number of OSS-Fuzz reports over time
    • ✔ Increasing bounty rewards
  • 35. Reported security vulnerabilities per year (chart)
  • 37. Summary
    • Clean code
    • Review
    • Test
    • Torment
    • Act on mistakes
  • 38. Daniel Stenberg, @bagder, https://daniel.haxx.se/ Thank you! Questions?
  • 39. License: This presentation and its contents are licensed under the Creative Commons Attribution 4.0 license: http://creativecommons.org/licenses/by/4.0/