Patching common vulnerabilities at scale: project promises bulk pull requests

Researchers are trialing methods to scale up the ability to roll out security fixes for vulnerable components across the open source ecosphere.

Tools such as CodeQL (GitHub’s code query language) enable scans for vulnerabilities across hundreds of thousands of open source software projects.

These utilities can be used to systematically identify basic security flaws – common bugs with relatively simple fixes – in projects hosted on GitHub and similar platforms.

Such low-lying bugs are legion and straightforward to find and fix, so the real difficulty for those seeking to bolster security lies in triaging, reporting, and fixing them at scale.

Rather than automating the creation of bug reports, which might easily put an extra burden on the maintainers of an open source project, security researcher Jonathan Leitschuh is helping to define and test a methodology to partially automate pull requests at scale.

During a recent series of talks first delivered at BSides Las Vegas and then during DEF CON last month, Leitschuh outlined a methodology for automating bulk pull request generation. The talk was entitled ‘Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All’.

The HUMAN factor

Leitschuh, the inaugural Dan Kaminsky Fellow at HUMAN Security, has carried out a research project that involved creating tools and techniques to industrialize the development of security fixes for open source software.

If widely used, the approach would mean that if a component used by multiple projects is found to be vulnerable, then project maintainers would be promptly offered a pull request that patches the problem.

Leitschuh and his colleagues started off using Python scripts to make a number of pull requests to open source projects found vulnerable to the so-called ‘Zip Slip’ vulnerability.

More recently they have refined this methodology to make use of OpenRewrite (a style-preserving refactoring tool created at Netflix and now developed by Moderne).

In total, Leitschuh has used the technique described in his talk to create 590 automated pull requests targeting Zip Slip (a vulnerability in the JVM ecosystem) and two other vulnerabilities (partial path traversal and temporary directory hijacking). These bring his career total of pull requests to 5,200.
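As an added illustration (not code from the article, from Leitschuh's talk, or from the OpenRewrite recipes it mentions), the following Python shows the two destination-path mistakes behind Zip Slip and partial path traversal as they appear in archive extractors, and the boundary check that closes both. The base directory and the archive entry names are constructed for the example; path resolution is purely lexical so the result is the same on every platform.

```python
"""Added example: the path checks behind 'Zip Slip' and 'partial path traversal'.

Not code from the article or from Leitschuh's OpenRewrite recipes. Uses only
the standard library; the extraction directory and entry names are constructed.
"""
import posixpath
from typing import Dict, List, Tuple

# Constructed sample of entry names as an extractor would read them from an
# archive's central directory (not a real archive).
SAMPLE_ENTRIES: List[str] = [
    "docs/readme.txt",              # ordinary entry
    "a/../b.txt",                   # '..' that stays inside the target
    "../out-sibling/config.txt",    # escapes into a sibling directory
    "../../etc/somefile.txt",       # escapes far outside the target
    "/abs/path.txt",                # absolute entry name
]


def resolve(extract_dir: str, entry_name: str) -> str:
    # Lexically resolve where this entry would be written. A real extractor
    # should additionally resolve symlinks (os.path.realpath); posixpath keeps
    # this example deterministic and platform independent.
    return posixpath.normpath(posixpath.join(extract_dir, entry_name))


def unchecked_destination(extract_dir: str, entry_name: str) -> str:
    # Zip Slip: the entry name is joined to the target directory and used
    # as-is, so '..' segments or an absolute name leave the directory.
    return resolve(extract_dir, entry_name)


def prefix_check(extract_dir: str, entry_name: str) -> bool:
    # Partial path traversal: the resolved path is compared with a bare
    # string prefix. '/tmp/out' is a prefix of '/tmp/out-sibling', so an
    # entry landing in a sibling directory is wrongly accepted.
    base = posixpath.normpath(extract_dir)
    return resolve(extract_dir, entry_name).startswith(base)


def boundary_check(extract_dir: str, entry_name: str) -> bool:
    # Hardened form: accept the base directory itself or anything below it,
    # requiring a separator right after the base so siblings are rejected.
    base = posixpath.normpath(extract_dir)
    target = resolve(extract_dir, entry_name)
    return target == base or target.startswith(base + "/")


def triage_entries(extract_dir: str, entries: List[str]) -> Dict[str, Tuple[bool, bool]]:
    # For each entry, report (prefix_check verdict, boundary_check verdict)
    # so the two checks can be compared side by side.
    return {
        name: (prefix_check(extract_dir, name), boundary_check(extract_dir, name))
        for name in entries
    }


if __name__ == "__main__":
    target_dir = "/tmp/out"  # constructed extraction directory
    for name, (prefix_ok, boundary_ok) in triage_entries(target_dir, SAMPLE_ENTRIES).items():
        print(f"{name!r:32} -> {unchecked_destination(target_dir, name)!r:36} "
              f"prefix_check={prefix_ok} boundary_check={boundary_ok}")
```

The sibling-directory entry is the one worth studying: the unchecked extractor writes it outside the target, the bare prefix comparison still reports it as safe, and only the separator-aware comparison rejects it. This is the same one-line difference the bulk pull requests described above were made to apply across many repositories.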

Leitschuh told The Daily Swig that feedback from project maintainers about receiving automated pull requests had been mixed.

“The feedback I’ve gotten has been mixed. Lots of appreciative maintainers, and a few maintainers [were] upset,” the researcher explained.

“The Jenkins team has outright asked me not to issue [pull requests] against their organization.”

‘Inspiring’ follow-up research

The automated pull request approach omits unit tests that software developers like to see to verify that suggested amendments to their code base avoid breaking any functionality. In addition, the automated approach means that disclosures are made openly – an issue for eligibility under some, but not all, bug bounty programs.


Despite these potential drawbacks, feedback from security researchers about the automated pull request approach has largely been positive, according to Leitschuh.

The researcher concluded: “Responses from other security researchers [have been] generally quite positive. The value proposition is very easy to see when the idea is presented. I’ve inspired a few people to take on this research themselves for their own work, too.”

Source: https://portswigger.net/daily-swig/patching-common-vulnerabilities-at-scale-project-promises-bulk-pull-requests
