Linux Foundation Funds Internet Security Advances

7 Data Center Disasters You'll Never See Coming

The Core Infrastructure Initiative, which the Linux Foundation uses to shore up key pieces of Internet open source code, is funding three new projects. The additions are all security oriented and will receive a total of $500,000, the foundation said Monday.

No reference was made in Monday's announcement, however, to previously funded projects. Harlan Stenn, chief maintainer of the Network Time Protocol reported that his colleague, Poul-Henning Kamp in Denmark, will continue receiving $3,000 a month for his work on advancing the protocol.

Stenn himself has not come to terms with the foundation's requirements on continued support. He's received a one-month extension and an additional $7,000 that he collected from the initiative for each of the preceding 12 months. Stenn said he and the foundation are slated to have further talks, but he has been working toward an NTP release deadline that occurs this month, along with myriad issues that have arisen over the addition of a leap second on June 30.

"They're asking for a phone meeting, and I had to again tell them I was just totally overbooked until after the leap second and probably for several days' time into July," Stenn responded in an email message to an InformationWeek query on his financial standing.

"I've been working 16-18 hour days, seven days a week since the beginning of the month because of the leap second issue, and I did another all-nighter last night to get ntp-4.2.8p3-RC2 out the door," Stenn wrote in his email. "I'm hoping we can release 4.2.8p3 in about 36 hours' time." With those deadlines out of the way, he said he'll turn to implementing the leap second June 30, and afterward arrange a meeting with Linux Foundation representatives.

[ Want to learn more about the difficulty of finding financing for NTP? See 'Father Time' Still Negotiating The Future. ]

Stenn is NTP's chief maintainer, as we reported in NTP's Fate Hinges On 'Father Time.' NTP founder David Mills retired several years ago from the University of Delaware and, as he lost his eye sight, from the NTP project. Stenn in turn gave up private consulting work to become its full time maintainer. He gets help on advanced features from Kamp and other contributors.

The projects selected for support by the Core Infrastructure Initiative were:

Reproducible Builds is aimed at Linux distributions, such as Debian and Fedora, where anyone's build procedure yields an identical result to other users, when the source code comes from a given source. The process enables anyone doing a build process "to independently verify that a binary matches the source code from which it was said it was derived," according to a statement from the Linux Foundation. Without Reproducible Builds, it is "much harder to detect if binaries have been tampered with," the Linux Foundation statement said.

Debian developers Holger Levsen and Jérémy Bobbio guide the effort to eliminate unneeded variations from the build processes of thousands of free software projects, as well as provide tools to understand the source of these differences..

The Fuzzing Project was created by IT security researcher Hanno Bock. "Fuzzing" amounts to generating a large number of randomly malformed inputs to a piece of open source code to see what happens. "If the program crashes, then something is likely wrong," states the project's Web site. Fuzzing makes it surprisingly easy to find bugs, say its advocates, and those bugs often have security implications. They can include heap overflows, stack overflows, use after free bugs, and many others.

The fuzzing process was used by Bock to discover vulnerabilities in well-known software, including those in Gnu Privacy Guard and OpenSSL. Böck will receive $60,000 from CII to continue his work.

The False-Positive-Free Testing project was started by Pascal Cuoq, chief scientist and co-founder of TrustInSoft. His company uses the Frama-C source code analysis platform to guarantee software has no flaws. He'll receive a CII grant to build an open source TIS Interpreter based on TIS Analyzer, a commercial software analysis tool. The TIS Analyzer has not enjoyed widespread adoption because it occasionally produces false positives: It can report security errors that are actually false alarms. 

The project supports a new version of TIS Analyzer, called TIS Interpreter, with a methodology that detects bugs with no false positives. Any bug that is reported actually needs to be fixed. TIS Interpreter is expected to be released as open source in early 2016. CII is investing $192,000 in the project.

Helping select such projects is Emily Ratliff, who has joined The Linux Foundation's initiative as senior director of infrastructure security. Ratliff is a Linux, system and cloud security expert. Most recently she worked as a security engineer for AMD and previously worked 15 years at IBM.

The Core Infrastructure Initiative, launched in May 2014 after the Heartbleed incidient, is supported by donations from Google, IBM, Amazon Web Services, VMware, Salesforce, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Hitachi, HP, Huawei, Intel, Microsoft, NetApp, NEC, Qualcomm and RackSpace.