A team of security consultants is set to undertake a major independent audit of OpenSSL as part of a multi-million-dollar initiative by the Linux Foundation to improve the security and stability of core open source projects.
Cryptography Services – which comprises experts from NCC Group, iSEC Partners, Matasano, and Intrepidus Group – announced the review of “one of the most widely deployed pieces of software in the world” on Monday.
“This audit had been mentioned before, absent details, but with the effort OpenSSL has been making we finally feel the code base is stable enough to announce and undertake this now,” it added in a GitHub note.
“OpenSSL has been reviewed and improved by the academic community, commercial static analyzer companies, validation organizations, and individual review over the years – but this audit may be the largest effort to review it, and is definitely the most public. Serious flaws in OpenSSL cause the whole internet to upgrade, and in the case of flaws like Heartbleed and EarlyCCS, upgrade in a rush.”
The audit itself is being organized by the same Open Crypto Audit Project which reviewed the TrueCrypt encryption software, while funding comes from the Linux Foundation’s Core Infrastructure Initiative.
It will focus primarily on the TLS stacks – that is, protocol flow, state transitions, and memory management – as well as BIOs, “most of the high-profile cryptographic algorithms, and setting up fuzzers for the ASN.1 and x509 parsers.”
Initial results are expected to begin trickling out around the summer, according to Cryptography Services.
The audit follows an OpenSSL code reformat earlier this year designed to make the source code “easier to work with in the future,” according to engineer Matt Caswell.
“The historic OpenSSL coding style was very unusual and idiosyncratic. Not only that, but it was inconsistently applied and was not formally defined anywhere,” he explained in a blog post last month.
“This made reading the code and maintaining it more difficult than it needed to be. As part of our roadmap document we decided to change that.”
Tom Ritter, principal security engineer at NCC Group, told Infosecurity his team had been liaising with the Open Crypto Audit Project and the OpenSSL team to figure out what timing made the most sense for the audit.
“OpenSSL has been working over the past year to perform maintenance of the code, resolve outstanding issues, and make some organizational decisions around releases and code formatting. A lot of those efforts have dovetailed together recently, so now makes good sense to announce and officially plan out the audit,” he added.
“As far as what we expect to find, I think we’ll all find out together.”
OpenSSL is the near-ubiquitous open source implementation of the SSL and TLS protocols.
Its reputation took a major hit last April when researchers disclosed the Heartbleed flaw, which affected around 17% of the world’s trusted web servers.