Linux Foundation Funds Internet Security Advances - InformationWeek




The Linux Foundation's Core Infrastructure Initiative has selected three security-oriented projects to receive a total of $500,000 in funding.


The Core Infrastructure Initiative, which the Linux Foundation uses to shore up key pieces of Internet open source code, is funding three new projects. The additions are all security oriented and will receive a total of $500,000, the foundation said Monday.

No reference was made in Monday's announcement, however, to previously funded projects. Harlan Stenn, chief maintainer of the Network Time Protocol reference implementation, reported that his colleague Poul-Henning Kamp in Denmark will continue receiving $3,000 a month for his work on advancing the protocol.

Stenn himself has not come to terms with the foundation's requirements for continued support. He has received a one-month extension of the $7,000 per month he had collected from the initiative over each of the preceding 12 months. Stenn said he and the foundation are slated to have further talks, but he has been working toward an NTP release deadline that falls this month, along with the myriad issues that have arisen over the addition of a leap second on June 30.

"They're asking for a phone meeting, and I had to again tell them I was just totally overbooked until after the leap second and probably for several days' time into July," Stenn responded in an email message to an InformationWeek query on his financial standing.

"I've been working 16-18 hour days, seven days a week since the beginning of the month because of the leap second issue, and I did another all-nighter last night to get ntp-4.2.8p3-RC2 out the door," Stenn wrote in his email. "I'm hoping we can release 4.2.8p3 in about 36 hours' time." With those deadlines out of the way, he said he'll turn to implementing the leap second June 30, and afterward arrange a meeting with Linux Foundation representatives.

[ Want to learn more about the difficulty of finding financing for NTP? See 'Father Time' Still Negotiating The Future. ]

Stenn is NTP's chief maintainer, as we reported in NTP's Fate Hinges On 'Father Time.' NTP founder David Mills retired several years ago from the University of Delaware and, as he lost his eyesight, from the NTP project. Stenn in turn gave up private consulting work to become its full-time maintainer. He gets help on advanced features from Kamp and other contributors.

The projects selected for support by the Core Infrastructure Initiative were:

  • Reproducible Builds from the Debian Linux project;
  • Hanno Böck's The Fuzzing Project; and
  • The False-Positive-Free Testing Project.

Reproducible Builds is aimed at Linux distributions, such as Debian and Fedora, and targets builds in which anyone who compiles a package from a given source tree gets a bit-for-bit identical result to every other builder. The process enables anyone doing a build "to independently verify that a binary matches the source code from which it was said it was derived," according to a statement from the Linux Foundation. Without Reproducible Builds, it is "much harder to detect if binaries have been tampered with," the Linux Foundation statement said: a binary that differs from your own rebuild might be backdoored, or might merely have been built at a different time on a different machine, and there is no way to tell the two apart.

Debian developers Holger Levsen and Jérémy Bobbio guide the effort to eliminate unneeded variations (timestamps, build paths, file ordering, and the like) from the build processes of thousands of free software projects, as well as to provide tools to understand the source of any remaining differences.
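As an added illustration of the point above (example code written for this article, not the Debian project's tooling), the Python script below packages a small constructed source tree two ways. The naive packer records whatever the builder's machine happens to have (file timestamps, file owner, directory walk order, and the gzip header's own timestamp), so two honest builders produce different archives and nobody can distinguish a tampered one from a merely different one. The normalized packer pins each of those fields, the way SOURCE_DATE_EPOCH and sorted file lists do in real reproducible builds, so a third party can rebuild from the claimed source and compare digests. The source tree, timestamps and builder descriptions are constructed, and the hard-coded SOURCE_DATE_EPOCH stands in for the value a distribution derives from the package changelog.

```python
# Added illustration of build normalization; not Debian Reproducible Builds code.
import gzip
import hashlib
import hmac
import io
import tarfile

# Constructed source tree; stands in for a real package's source.
SOURCE_TREE = {
    "hello/main.c": b'#include <stdio.h>\nint main(void) { puts("hi"); return 0; }\n',
    "hello/Makefile": b"all:\n\tcc -O2 -o hello main.c\n",
}

# Timestamp a reproducible build pins via SOURCE_DATE_EPOCH. Hard-coded here
# (assumption); Debian takes it from the package changelog.
SOURCE_DATE_EPOCH = 1435276800  # 2015-06-26T00:00:00Z

# Two constructed build environments, differing in the ways real ones do.
BUILDER_A = {"time": 1435535999, "uid": 1000, "user": "alice",
             "walk_order": ["hello/Makefile", "hello/main.c"]}
BUILDER_B = {"time": 1435622400, "uid": 1001, "user": "bob",
             "walk_order": ["hello/main.c", "hello/Makefile"]}


def _pack(entries, gzip_mtime):
    """Write (TarInfo, bytes) pairs into an in-memory .tar.gz."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=gzip_mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for info, data in entries:
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_build(tree, builder):
    """What a plain `tar czf` captures: on-disk mtimes, file owner, directory
    walk order, and the gzip header's own timestamp. All of it identifies the
    builder, so two honest builders get different bytes."""
    entries = []
    for name in builder["walk_order"]:
        info = tarfile.TarInfo(name)
        info.size = len(tree[name])
        info.mtime = builder["time"]
        info.uid = info.gid = builder["uid"]
        info.uname = info.gname = builder["user"]
        entries.append((info, tree[name]))
    return _pack(entries, gzip_mtime=builder["time"])


def reproducible_build(tree, builder):
    """Same content with every builder-specific field pinned: sorted entry
    order, SOURCE_DATE_EPOCH mtimes, root ownership, a fixed mode and a zero
    gzip timestamp. `builder` is accepted only to show that it is ignored."""
    del builder
    entries = []
    for name in sorted(tree):
        info = tarfile.TarInfo(name)
        info.size = len(tree[name])
        info.mtime = SOURCE_DATE_EPOCH
        info.uid = info.gid = 0
        info.uname = info.gname = ""
        info.mode = 0o644
        entries.append((info, tree[name]))
    return _pack(entries, gzip_mtime=0)


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def matches_source(published, tree, builder):
    """Independent verification: rebuild from the claimed source and compare
    digests. A mismatch means the artifact was not produced from that source
    (or the build is not yet reproducible); either way, do not trust it."""
    rebuilt = reproducible_build(tree, builder)
    return hmac.compare_digest(sha256(published), sha256(rebuilt))


if __name__ == "__main__":
    a, b = naive_build(SOURCE_TREE, BUILDER_A), naive_build(SOURCE_TREE, BUILDER_B)
    print("naive builds agree:       ", a == b)
    ra, rb = reproducible_build(SOURCE_TREE, BUILDER_A), reproducible_build(SOURCE_TREE, BUILDER_B)
    print("reproducible builds agree:", ra == rb)
    tampered = dict(SOURCE_TREE)
    tampered["hello/main.c"] += b"/* injected */\n"
    print("tampered source detected: ", not matches_source(ra, tampered, BUILDER_B))
```

Two details are easy to miss in practice: the gzip container has its own header timestamp that `tar czf` fills in with the current time, and Python's default `TarInfo` already has zeroed owner and mtime fields, so the naive packer has to copy the builder's values in explicitly to reproduce what a real filesystem walk does.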

The Fuzzing Project was created by IT security researcher Hanno Böck. "Fuzzing" amounts to generating a large number of randomly malformed inputs, feeding them to a program, and watching what happens. "If the program crashes, then something is likely wrong," states the project's Web site. Fuzzing makes it surprisingly easy to find bugs, say its advocates, and those bugs often have security implications: they include heap overflows, stack overflows, use-after-free bugs, and many others.

Böck has used fuzzing to discover vulnerabilities in well-known software, including GNU Privacy Guard and OpenSSL. He will receive $60,000 from CII to continue his work.
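To make the process concrete, here is an added mutation fuzzer (written for this article; not code from The Fuzzing Project or from Böck) aimed at a constructed, deliberately buggy parser for a made-up record format. The parser trusts its length fields and copies into a fixed-size buffer without a bounds check; in C those would be out-of-bounds reads and a buffer overflow that AddressSanitizer would report, and here they surface as struct.error and IndexError. The fuzzer mutates a valid seed input, buckets crashes by exception type and line, keeps the shortest input per bucket, and then shrinks it so the reproducer is small. The format, the seed and the bugs are all constructed.

```python
# Added mutation-fuzzing illustration; not The Fuzzing Project's code.
import random
import struct
import traceback

MAGIC = b"RC"
NAME_BUF_SIZE = 16
INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]   # boundary values worth planting

# Constructed valid input: header, count=2, then a type-0 and a type-1 record.
SEED = MAGIC + b"\x02" + b"\x00\x0chello world!" + b"\x01\x03abc"


def parse_records(data):
    """Hypothetical format: b"RC" | count:u8 | count * (type:u8 | len:u8 | payload).
    Two deliberate bugs of the kind fuzzing finds: (1) `count` and `len` are
    trusted, so reads run past the end of the input; (2) type-0 payloads are
    copied into a fixed 16-byte buffer with no bound check (an overflow in C)."""
    if data[:2] != MAGIC:
        raise ValueError("bad magic")             # graceful rejection, not a bug
    (count,) = struct.unpack_from(">B", data, 2)
    pos, name, name_len, other = 3, bytearray(NAME_BUF_SIZE), 0, []
    for _ in range(count):
        rtype, length = struct.unpack_from(">BB", data, pos)   # bug 1
        pos += 2
        payload = data[pos:pos + length]
        pos += length
        if rtype == 0:
            for byte in payload:
                name[name_len] = byte             # bug 2
                name_len += 1
        else:
            other.append((rtype, payload))
    return {"name": bytes(name[:name_len]), "other": other}


def run_once(target, data):
    """Return a crash signature (exception class, line) or None. ValueError is
    the parser's intended rejection of bad input, so it does not count."""
    try:
        target(data)
    except ValueError:
        return None
    except Exception as exc:
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return (type(exc), frame.lineno)
    return None


def mutate(data, rng):
    """Apply one to four random mutations typical of a dumb mutation fuzzer."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(5)
        if op == 0 and buf:                       # flip one bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:                     # plant a boundary value
            buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
        elif op == 2:                             # insert random bytes
            i = rng.randint(0, len(buf))
            buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
        elif op == 3 and len(buf) > 1:            # delete a chunk
            i = rng.randrange(len(buf))
            del buf[i:i + rng.randint(1, 4)]
        elif op == 4 and buf:                     # duplicate a chunk
            i = rng.randrange(len(buf))
            buf[i:i] = buf[i:i + rng.randint(1, 8)]
    return bytes(buf)


def fuzz(target, seeds, iterations=3000, seed=1):
    """Mutate seeds, run the target, keep the shortest input per crash bucket."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        sig = run_once(target, candidate)
        if sig and (sig not in crashes or len(candidate) < len(crashes[sig])):
            crashes[sig] = candidate
    return crashes


def minimize(target, data, sig):
    """Greedy delta-minimization: drop bytes while the same crash reproduces."""
    i = 0
    while i < len(data):
        trial = data[:i] + data[i + 1:]
        if run_once(target, trial) == sig:
            data = trial
        else:
            i += 1
    return data


if __name__ == "__main__":
    for sig, inp in fuzz(parse_records, [SEED]).items():
        print(f"{sig[0].__name__} at line {sig[1]}: {minimize(parse_records, inp, sig)!r}")
```

Bucketing by exception type and line is the cheap stand-in for what real fuzzers do with stack hashes; without it a few thousand iterations produce hundreds of "different" crashes that are all the same bug. Feeding the surviving inputs back into the corpus (coverage guidance) is the next step and is what lets a fuzzer reach deeper parser states than single-round mutation of one seed.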

The False-Positive-Free Testing project was started by Pascal Cuoq, chief scientist and co-founder of TrustInSoft. His company builds on the Frama-C source code analysis platform to prove the absence of whole classes of flaws in C code. He'll receive a CII grant to build an open source TIS Interpreter based on TIS Analyzer, a commercial software analysis tool. TIS Analyzer has not enjoyed widespread adoption because it occasionally produces false positives: it can report security errors that turn out to be false alarms, and developers soon stop reading reports that cry wolf.

The project supports a new version of TIS Analyzer, called TIS Interpreter, with a methodology that detects bugs with no false positives. Any bug that is reported actually needs to be fixed. TIS Interpreter is expected to be released as open source in early 2016. CII is investing $192,000 in the project.
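The trade-off the article describes is easiest to see on a toy. The added example below (written for this article; not Frama-C, TIS Analyzer or TIS Interpreter code, whose internals the article does not describe) checks a constructed four-statement program two ways: an interval-based static analysis that over-approximates the values of variables, and exhaustive concrete execution over every input in a constructed range. Both flag the statement that really can index past the end of the array; only the static analysis also flags the one that never can, because it forgets that `a` and `b` are correlated. The concrete run reports only what actually happened, each report with a witness input, which is what a false-positive-free methodology buys, at the cost of covering only the inputs it executes.

```python
# Added illustration of the false-positive problem; not TIS or Frama-C code.

# Expressions: ("const", n) | ("var", name) | ("add", e, e) | ("sub", e, e) | ("mod", e, k)
# Statements:  ("assign", name, expr) | ("index", array, expr)
PROGRAM = [
    ("assign", "a", ("mod", ("var", "x"), 3)),              # a = x % 3
    ("assign", "b", ("sub", ("const", 3), ("var", "a"))),   # b = 3 - a
    ("index", "buf", ("add", ("var", "a"), ("var", "b"))),  # buf[a + b]: always 3, safe
    ("index", "buf", ("mod", ("var", "x"), 5)),             # buf[x % 5]: 4 when x % 5 == 4
]
ARRAYS = {"buf": 4}      # buf has 4 elements, valid indices 0..3
X_RANGE = (0, 100)       # constructed input domain for x


def eval_interval(expr, env):
    """Interval arithmetic: sound, but loses the correlation between variables."""
    kind = expr[0]
    if kind == "const":
        return (expr[1], expr[1])
    if kind == "var":
        return env[expr[1]]
    if kind == "add":
        (lo1, hi1), (lo2, hi2) = eval_interval(expr[1], env), eval_interval(expr[2], env)
        return (lo1 + lo2, hi1 + hi2)
    if kind == "sub":
        (lo1, hi1), (lo2, hi2) = eval_interval(expr[1], env), eval_interval(expr[2], env)
        return (lo1 - hi2, hi1 - lo2)
    if kind == "mod":
        (lo, hi), k = eval_interval(expr[1], env), expr[2]
        if lo >= 0 and hi < k:
            return (lo, hi)
        return (0, k - 1)   # assumes lo >= 0, which holds for every program here
    raise ValueError(kind)


def eval_concrete(expr, env):
    """Plain evaluation on one concrete environment."""
    kind = expr[0]
    if kind == "const":
        return expr[1]
    if kind == "var":
        return env[expr[1]]
    if kind == "add":
        return eval_concrete(expr[1], env) + eval_concrete(expr[2], env)
    if kind == "sub":
        return eval_concrete(expr[1], env) - eval_concrete(expr[2], env)
    if kind == "mod":
        return eval_concrete(expr[1], env) % expr[2]
    raise ValueError(kind)


def static_warnings(program, x_range=X_RANGE):
    """Statement numbers whose index *might* be out of bounds (may over-report)."""
    env = {"x": x_range}
    warnings = []
    for i, stmt in enumerate(program):
        if stmt[0] == "assign":
            env[stmt[1]] = eval_interval(stmt[2], env)
        else:
            lo, hi = eval_interval(stmt[2], env)
            if lo < 0 or hi >= ARRAYS[stmt[1]]:
                warnings.append(i)
    return warnings


def run_concrete(program, x):
    """Execute for one input; return the first out-of-bounds statement, or None."""
    env = {"x": x}
    for i, stmt in enumerate(program):
        if stmt[0] == "assign":
            env[stmt[1]] = eval_concrete(stmt[2], env)
        else:
            idx = eval_concrete(stmt[2], env)
            if not 0 <= idx < ARRAYS[stmt[1]]:
                return i
    return None


def concrete_bugs(program, x_range=X_RANGE):
    """Statement -> first input that really breaks it. Every entry is a real
    bug with a witness, but only inputs inside x_range are covered."""
    found = {}
    for x in range(x_range[0], x_range[1] + 1):
        i = run_concrete(program, x)
        if i is not None and i not in found:
            found[i] = x
    return found


if __name__ == "__main__":
    static, real = static_warnings(PROGRAM), concrete_bugs(PROGRAM)
    print("static analysis warns on statements:", static)
    print("concrete execution confirms:        ", real)
    print("false positives:                    ", sorted(set(static) - set(real)))
```

Here the interval analysis computes `a` in [0, 2] and `b` in [1, 3], so `a + b` lands in [1, 5] and statement 2 is flagged even though the sum is always exactly 3. The concrete run never flags it, and for statement 3 it hands back x = 4 as a reproducer. The flip side is the caveat a practitioner must keep in mind: an approach that only reports what it has executed says nothing about inputs it did not try.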

Helping select such projects is Emily Ratliff, who has joined The Linux Foundation's initiative as senior director of infrastructure security. Ratliff is a Linux, system and cloud security expert. Most recently she worked as a security engineer for AMD and previously worked 15 years at IBM.

The Core Infrastructure Initiative, launched in May 2014 after the Heartbleed incident, is supported by donations from Google, IBM, Amazon Web Services, VMware, Salesforce, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Hitachi, HP, Huawei, Intel, Microsoft, NetApp, NEC, Qualcomm and Rackspace.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

6/29/2015 | 6:20:49 PM
Linux Foundation Does Great Things
Any endeavor that advances open source/Linux is worth the time, effort and money involved.  Open Source is the future and any industry that ignores it is bound to see reduced profits.
6/25/2015 | 2:22:30 PM
More advancements in security from the folks who know it!
As much as some folks dissuade the idea of bug-hunting or community-led approaches to security, I personally think this is a great move for helping to promote Linux as a stronger contender when it comes to security.  The open-sourced nature of Linux and its applications and environments, while beneficial for many developer environments especially, needs some security love, and I am thrilled to see more formal backing to help not just create more awareness but put a program in place to help drive more education and solutions to close those security gaps.