Refactor core open source software in Rust, and Google is willing to pay you

This article is reproduced from InfoQ

Recently, the Google Blog published an announcement stating that Google will provide funds for developers to refactor various pieces of core open source software.

Open source projects are the foundation of all modern digital infrastructure, and their importance is self-evident. Google believes that memory safety vulnerabilities are a real threat that plagues countless systems. A recent study found that about 70% of the vulnerabilities resolved through security updates each year are memory safety issues. Another analysis of the security issues in the curl command-line tool showed that using a memory-safe language would have completely eliminated 53 of its 95 bugs. Using the curl transformation project as a template, Google hopes to refactor more core open source software written in other languages.

In fact, software written in memory-unsafe languages often contains bugs that are difficult to detect and that are very likely to cause serious security problems later. To this end, Google has expanded its partnership with the Internet Security Research Group (ISRG), hoping to jointly rebuild various pieces of core open source software in memory-safe languages.

In December last year, Google launched a project called "Criticality Score" with the purpose of generating a criticality score for each open source project, in order to evaluate how important existing open source projects are. The evaluation criteria include the age of the project, the number of individual contributors and contributing organizations, user participation, and how many other projects depend on it. Google said that identifying these critical projects is the first step towards improving the security of open source projects, and that the OpenSSF organization Google belongs to will provide some resources to the maintainers of these projects.


For this year's refactoring plan, Google said more directly that it will provide funds to promote the transformation of other core open source projects. However, Google did not clearly state who would carry out the transformation, or whether it must be the original maintainers. Some netizens asked whether, if the refactoring is done by people outside the original open source project, the funds go to those new developers (which would look like new job opportunities).

In this regard, the executive director of ISRG explained: "We plan to migrate open source software to memory-safe languages, and ISRG acts as an intermediary to coordinate funds. We select projects and make plans with open source maintainers/developers, and we raise funds for them. Once someone (such as Google) provides funding for the project, ISRG signs a work contract with the project developer/maintainer. In some cases, open source maintainers may participate, but we hope to find a contractor to complete the actual work."

He also mentioned two previous improvement projects. For the improvement of curl, ISRG directly funded the author of curl; for the improvement of httpd, Google (through ISRG) funded an httpd committer. The ISRG executive director predicts that in most future cases these funds will mainly flow to project maintainers/developers.

However, Google's spending to promote the rewriting of open source software has also been questioned by some netizens as "hijacking open source projects in the name of security." The original open source project maintainer is a third party unrelated to Google and ISRG, while the transformation project is carried out by developers whom Google chooses to trust. In the end, users have to choose between Google's modified version and the original version; if the modified project is more successful, then it is morally equivalent to stealing the original author's work.


Google vigorously promotes Rust

Google believes that this is a good time to use memory-safe programming languages to prevent such bugs. Prior to this, it had already achieved some results:

So far, our free OSS-Fuzz service has discovered 5,500 vulnerabilities caused by memory safety errors in 375 open source projects. We have also organized a corresponding bug bounty program, hoping to encourage more people to use this fuzzing service through financial rewards. We have also released projects such as Syzkaller to detect bugs in operating system kernels, and we use sandboxes such as gVisor to mitigate the actual impact of bugs while they are being found.

As an important starting point for this work, curl's HTTP and TLS backends are being rewritten in Rust, and Apache httpd is about to receive a new TLS library. As important gateways to the Internet, the security level of these code bases will directly determine the data security of millions of users around the world.

At present, Rust is generally regarded as a systems programming language that focuses on memory safety while combining low-level control over performance with modern language features. Google has therefore long hoped to expand the use of Rust within the company, and has begun to use Rust in settings that require both memory safety and high performance, including in key parts of Android.

Projects in which Google is currently using Rust or contributing to the Rust ecosystem include:

  • Operating system modules in Android, including Bluetooth and Keystore 2.0

  • Low-level projects, such as the crosvm virtual machine monitor (an alternative to QEMU) and drivers used in ChromeOS

  • Contributions to open source projects that use Rust, such as the Mercurial source code control system

  • FIDO security key support for firmware

In addition, many other projects are evaluating the use of Rust in new libraries or products. Some examples include:

  • The ICU4X software internationalization project

  • Parts of the new experimental operating system Fuchsia

  • GPU font rendering research

Google also supports the following Rust projects and their maintainers:

  • Adding Rust code to curl

  • Working with ISRG to add a Rust TLS module to the Apache HTTP server project

Google has spared no effort in promoting Rust. On February 8 this year, together with AWS, Huawei, Microsoft and Mozilla (five companies in total), it announced the establishment of the Rust Foundation and promised to invest 1 million US dollars over a two-year budget for the development, maintenance and promotion of the Rust project, dedicated to supporting the maintainers who manage and develop it.

Google said, "Based on Google's long-term investment in C/C++, compilers and toolchains, we are very happy to be a member of the Rust Foundation. We look forward to participating more in the Rust community, and especially to making more effort on key issues throughout the industry, including interoperability with C++, coordinating security reviews, reducing the cost of crate updates, and continuing to increase our investment in existing Rust projects."

In any case, Google providing funds so that developers can rewrite open source software in memory-safe languages, improving the overall security of the Internet, does not seem to be a bad thing.


Origin blog.csdn.net/m0_46163918/article/details/113919105