Throughout February and March, members of NCC Group will be presenting their work at the following conferences:

  • Jennifer Fernick (NCC Group), Rao Lakkakula (JPMorgan Chase), Christopher Robinson (Red Hat), & Kay Williams (Microsoft), “Frontiers in Securing the Open Source Ecosystem,” to be presented at FOSS Backstage (Virtual – February 10-12 2021)
  • Robert Seacord (NCC Group) & Jens Gustedt (Inria), “C language mechanism for error handling and deferred cleanup,” to be presented at ACM/SIGAPP Symposium on Applied Computing (Virtual – March 22-26 2021)

Please join us!


Frontiers in Securing the Open Source Ecosystem
Jennifer Fernick (NCC Group), Rao Lakkakula (JPMorgan Chase), Christopher Robinson (Red Hat), & Kay Williams (Microsoft)
Conference – Virtual
February 10-12 2021

Open source software provides a tremendous public good – but proportional to its social and technical importance, the open source ecosystem also presents an enticing attack surface for adversaries. The combination of deobfuscated and public-facing source code, distributed community-driven development, a lack of consistently-deployed security reviews and tooling, and the prominence of many key FOSS projects as the core infrastructure of enterprises around the world and of the internet itself means that the unique model that has made open source software projects and development lifecycles so impactful is also that which has historically made them difficult to secure. In this presentation, we discuss the present challenges and opportunities for securing open source projects, and discuss a roadmap to a future where we can all help to secure open source software at massive scale.

We will explore challenges and opportunities in securing the open source software ecosystem against a range of threat actors through a variety of interventions at all phases of the software development lifecycle. Part 1 of this presentation will give a brief overview of the mission, priorities, and current work within the Open Source Security Foundation (openssf.org), including an end-to-end threat model of the open source ecosystem. Part 2, which will comprise the majority of the presentation, will be a panel discussion amongst open source maintainers, tool developers, and security researchers regarding some of the most pressing issues in the security of open source software.

C language mechanism for error handling and deferred cleanup
Robert Seacord (NCC Group) & Jens Gustedt (Inria)
ACM/SIGAPP Symposium on Applied Computing – Virtual
March 22-26 2021

This paper introduces the implementation of a C language mechanism for error handling and deferred cleanup adapted from similar features in the Go programming language. This mechanism improves the proximity, visibility, maintainability, robustness, and security of cleanup and error handling over existing language features. This feature is under consideration for inclusion in the C Standard. The library implementation of the features described by this paper is publicly available under an Open Source License at https://gustedt.gitlabpages.inria.fr/defer/.
