The Linux Foundation to Deliver Funds to Fight Security Woes

by Ostatic Staff - Jun. 29, 2015

The Linux Foundation is throwing some serious funding at online security challenges. Its Core Infrastructure Initiative (CII) has announced financial support of nearly $500,000 for three new projects to better support critical security elements of today's global information infrastructure. CII was established in 2014 in response to the Heartbleed vulnerability, when more than 20 companies founded it to fortify the security of key open source projects. Here are the projects that will benefit from the funding.

Specifically, CII's funds will support a new open source automated testing project, the Reproducible Builds initiative from Debian, and IT security researcher Hanno Böck's Fuzzing Project.

Here is what these projects are all about:

Reproducible Builds - For distributions like Debian and Fedora, it is essential that the machines used to build the binaries distributed to users have not been compromised by unknown attackers. Reproducible builds let anyone rebuild bit-by-bit identical binary packages from a given source, so that anyone can independently verify that a binary matches the source code it is claimed to derive from. Without this, even when the source code has been carefully audited, it is much harder to detect whether binaries were tampered with before reaching users. CII's $200,000 grant will advance work on these goals.
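To make the verification step concrete, here is a small added example (not Debian's tooling or anything from the announcement) modelling a build that stamps the clock into its output, the same build made deterministic via the reproducible-builds.org SOURCE_DATE_EPOCH convention, and the independent rebuild-and-compare check a verifier performs. The source tree, clock values and hashes are constructed for the illustration.

```python
"""Toy model of the reproducible-build check: the same source is built on
two 'machines' with different clocks and a verifier compares the hashes."""
import hashlib
import zlib

# Constructed stand-in for a package's source tree.
SOURCE_FILES = {
    "main.c": b"int main(void) { return 0; }\n",
    "util.c": b"int helper(int x) { return x + 1; }\n",
}


def build(source, clock_now, env):
    """Produce a binary 'archive' from source.  Like many toolchains it
    stamps the build time into the output; if SOURCE_DATE_EPOCH is set in
    the environment that value replaces the wall clock, removing the
    timestamp as a source of variation.  Members are written in sorted
    order so filesystem ordering cannot leak into the artifact either."""
    stamp = env.get("SOURCE_DATE_EPOCH", str(clock_now))
    out = bytearray()
    for name in sorted(source):
        out += name.encode() + b"\0" + zlib.compress(source[name]) + b"\n"
    out += b"built-at:" + stamp.encode()
    return bytes(out)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def is_reproducible(source, env):
    """Build twice with different clocks; reproducible iff hashes agree."""
    first = build(source, clock_now=1_435_536_000, env=env)
    second = build(source, clock_now=1_435_536_060, env=env)
    return sha256_hex(first) == sha256_hex(second)


def rebuild_matches(published_hash, source, env, clock_now):
    """The independent verifier's check: rebuild from the published source
    on its own machine (own clock) and compare with the hash the
    distributor published.  A mismatch means the build is not reproducible
    or the shipped binary was not produced from this source."""
    return sha256_hex(build(source, clock_now, env)) == published_hash


if __name__ == "__main__":
    print("naive build reproducible:", is_reproducible(SOURCE_FILES, {}))
    fixed = {"SOURCE_DATE_EPOCH": "1435536000"}
    print("with SOURCE_DATE_EPOCH:", is_reproducible(SOURCE_FILES, fixed))
```

The naive build reports False because each run embeds a different clock value; with SOURCE_DATE_EPOCH pinned, two builders on different machines produce the same hash, which is what lets a third party catch a binary built from modified source.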

The Fuzzing Project - The fuzzing software testing technique is a powerful mechanism to identify security problems in software or computer systems. Security researcher Hanno Böck spearheads The Fuzzing Project, coordinating fuzzing efforts for open source software. Many vulnerabilities in well-known software, including several GnuPG and OpenSSL bugs reported lately, were found by Böck's effort. He will receive $60,000 from CII to continue his work finding and reporting fuzzer-related issues in open source software. He works on improving and documenting the tools and methods to automatically find large quantities of bugs in software.

False-Positive-Free Testing - Pascal Cuoq, chief scientist and co-founder of TrustInSoft, a company that uses the Frama-C platform to guarantee software has no flaws, will receive a grant to build an open source TIS Interpreter, including all the extensions necessary to support the false-positive-free operation on OpenSSL. This work is based on TIS Analyzer, a commercial software analysis tool based on Frama-C, the extensible open-source framework for source code analysis. One issue impairing TIS Analyzer's widespread adoption is that it occasionally produces false positives: it can report security errors that are actually false alarms. Cuoq's new project supports a new flavor of TIS Analyzer named "TIS Interpreter" and a methodology that detects bugs with no false positives.

"While each project we're announcing funding for today is quite different, each is critical to our global computing infrastructure and cybersecurity," said Jim Zemlin, Executive Director of The Linux Foundation.