Open Source Security

Wednesday, September 11, 2013

Free and open source software is a crucial part of the security infrastructure of the internet. As a Googler working on security issues, especially those involving open source software, I want to describe some of the open source security projects Google is involved with. This list is far from comprehensive, but comprises some of the projects I have personally had a hand in.


OpenSSL

Google employs two members of the OpenSSL team, myself and Bodo Möller. As well as helping to address security issues as they arise (sometimes discovered by other Googlers), we’ve also been helping with work to improve OpenSSL’s capabilities, for example implementing application-defined TLS extensions, adding support for ALPN and adding a framework for Authenticated Encryption with Additional Data (AEAD) (work in progress).


Capsicum

Over the last decade or so, it has become increasingly (and painfully) apparent that ACLs and MAC, which were originally designed to protect expensive mainframes from their users, and the users from each other, are failing to secure modern cheap machines with single users who need protecting from the software they run.

Instead, we need fine-grained access control and strong sandboxing.

My Cambridge colleague, Dr. Robert Watson, says:
In August 2010, the University of Cambridge and Google published the Capsicum security model at the USENIX Security Symposium. Initially funded by a Google Faculty Research Award, Capsicum combines security ideas from historic research capability systems with contemporary operating-system design to allow robust, fine-grained, flexible, and application-centred sandboxing. Since 2012, Google Open Source Programs Office and the FreeBSD Foundation have been jointly funding continuing open source development to transition Capsicum from research to practice; Google also has summer students working on Capsicum through Google Summer of Code under the FreeBSD organization. 
The project has been led by FreeBSD developer Pawel Dawidek, who has refined the Capsicum model as our experience has grown, updating existing privilege-separated applications to use Capsicum (e.g., OpenSSH and dhclient). Pawel has also adapted new applications to use Capsicum compartmentalisation "out-of-the-box", including system tools services (e.g., tcpdump, kdump, the high-availability storage daemon [hastd], the security audit-trail distribution daemon [auditdistd]), and UNIX pipeline components (e.g., grep, uniq). The goal is to move gradually towards ubiquitous sandboxing: since it is cheap (and often easy), explore what happens when you try to do it everywhere, mitigating as-yet unknown future vulnerabilities.
A key contribution of this work is the Casper application framework. Casper manages the creation of sandboxes, launching them on demand with only the rights they require to operate (Saltzer and Schroeder's 1975 Principle of Least Privilege). Existing applications can be linked against Casper to make use of a growing suite of Casper components, including sandboxed DNS resolution, delegation of file-system subsets, cryptographic random number generation, network services (such as sockets), system monitoring interfaces (via sysctl), and system databases such as the user and password files. 
Pawel's current work is due to wrap up later in 2013. FreeBSD 10.0 will ship with Capsicum enabled by default and a suite of sandboxed applications.

Certificate Transparency

A key concern has been the repeated failures of Certificate Authorities (CAs) to properly defend their operations and correctly issue certificates, most recently exemplified by the DigiNotar incident, which not only compromised the security of hundreds of thousands of internet users, but also led to the company’s bankruptcy.

We’ve been working hard on a new idea in that area, Certificate Transparency - essentially a verifiably correct log of all issued certificates that can be used to quickly detect any missteps on the part of CAs. And, of course, we are hard at work on an open source implementation, with clients in C++, Java and Python, and a C++ server.
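
What makes such a log checkable: in the published Certificate Transparency specification (RFC 6962) the log is a Merkle hash tree, so a client can confirm that a certificate is in the log from a short audit path and the tree's root hash alone. The sketch below is an added example, not code from the Certificate Transparency project; the log entries are constructed placeholders rather than real certificates, and the function names are illustrative.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(entry: bytes) -> bytes:
    return _h(b"\x00" + entry)               # 0x00 prefix marks a leaf

def _split(n: int) -> int:
    return 1 << ((n - 1).bit_length() - 1)   # largest power of two < n

def merkle_root(entries: list) -> bytes:
    n = len(entries)
    if n == 0:
        return _h(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)                            # 0x01 prefix marks an interior node
    return _h(b"\x01" + merkle_root(entries[:k]) + merkle_root(entries[k:]))

def audit_path(m: int, entries: list) -> list:
    """Sibling hashes needed to recompute the root from entry m."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return audit_path(m, entries[:k]) + [merkle_root(entries[k:])]
    return audit_path(m - k, entries[k:]) + [merkle_root(entries[:k])]

def verify_inclusion(entry, index, tree_size, path, root) -> bool:
    """Client-side check: needs only the entry, the path and the root."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:               # r is the right-hand input
            r = _h(b"\x01" + p + r)
            while fn and not fn & 1:         # climb past levels with no sibling
                fn, sn = fn >> 1, sn >> 1
        else:                                # r is the left-hand input
            r = _h(b"\x01" + r + p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

# Constructed sample log of seven placeholder "certificates".
LOG = [f"constructed-cert-{i}".encode() for i in range(7)]
ROOT = merkle_root(LOG)
```

A certificate that was never logged, or a proof replayed for the wrong position, fails `verify_inclusion`, which is what lets a monitor detect a certificate the log operator cannot account for.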


Tor

Tor (originally short for The Onion Router) is free software for enabling online anonymity. It is widely recognized as a key component in online privacy, and Foreign Policy Magazine named its primary authors among its 2012 Top 100 Global Thinkers “for making the web safe for whistleblowers.” Originally released in 2002 by the US Naval Research Laboratory, Tor development is now supported by a broad range of governments, organizations and individuals. Google is proud to have had the Tor Foundation as a Google Summer of Code mentoring organization since 2007, providing the project with both funding and potential new contributors.


Libpurple

If you’ve ever “chatted” online, chances are very good that you’ve used libpurple. Libpurple is the core of various instant messaging applications, notably Pidgin and Adium. Through a donation to Instant Messaging Freedom, Inc. we have sponsored a developer working on improving its security.

By Ben Laurie, Security Engineering