
Prossimo: Making the Internet Memory Safe

2 Nov 2021 3:00am, by

The Internet Security Research Group (ISRG) is best known for its Let’s Encrypt certificate authority, but it has also turned its hand to fixing memory problems. It sponsors, via Google, Miguel Ojeda, a Linux kernel developer, to work full time on Rust in Linux, in no small part to fix the memory problems built into the kernel’s C code. It also has a whole department, Prossimo, devoted just to memory-safe programming. Its other projects are a memory-safe TLS module for the Apache web server, a memory-safe curl data transfer utility, and Rustls, a memory-safe alternative to OpenSSL. Let’s look at these projects.

First, ISRG is doing this, as you know if you’ve done much Internet programming or network administration work, because memory problems plague many of the internet’s fundamental programs. Often these security holes spring from C and C++ code memory safety issues. Therefore, ISRG wants to move these programs to memory-safe code.

Memory-safe programs are written in languages that avoid the usual out-of-bounds reads and writes and use-after-free problems. C, C++, and assembly, for all their speed, make it all too easy to make these kinds of mistakes. Languages such as Rust, Go, and C#, however, come close to ruling out memory errors altogether.

So how bad is this problem really? A 2019 analysis of zero days being exploited in the wild found that over 80% of the exploited vulnerabilities were memory safety issues. Microsoft estimates that 70% of all vulnerabilities in their products over the past decade have been memory safety issues. And Google estimated that 90% of Android vulnerabilities are memory safety issues. So, yeah, it’s bad.

You can reduce the risk in the popular unsafe languages with techniques such as fuzzing and static analysis, but that’s a lot of work, and they don’t find all the possible memory holes. Prossimo’s answer is to replace our existing network programs with ones written in memory-safe languages that will eliminate this entire class of issues.

That won’t be easy. There’s a lot of internet C and C++ code out there. But, as it points out, “the internet will be around for a long time. There is time for ambitious efforts to pay off. By being smart about our initial investments, focusing on the most critical components, we can start seeing significant returns within 1-2 years.”

Of course, the tens of millions of lines of C code in Linux won’t be changed over to Rust in our lifetimes, if ever. But, Linus Torvalds, Linux’s creator, can see Rust playing a large role in drivers and other semi-independent Linux programs.

Much more doable in the short run are the other Prossimo projects.

For curl, that ever-popular and ever-dangerous data transfer program, Prossimo is working with curl’s maintainer, Daniel Stenberg. The plan is to build curl with memory-safe HTTP and TLS libraries: for HTTP, that’s the Hyper library; for TLS, it’s the Rustls library. Stenberg is working on the Hyper integration, while ISRG engineer Jacob Hoffman-Andrews is taking care of the Rustls integration.

Rustls, in turn, is meant to be a drop-in replacement for the ubiquitous OpenSSL. If you follow network security at all you know how prone OpenSSL has been to security problems over the years. I only need to mention Heartbleed, and you know we’re talking about serious trouble.
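To make concrete what “memory-safe” buys you for the out-of-bounds reads mentioned above, here is an added example (not code from the article, Prossimo or Rustls): a parser for a constructed length-prefixed echo record, the request shape behind Heartbleed, where the C code trusted the declared length and copied that many bytes from the buffer. In Rust the safe slice API forces the check, so a lying length yields `None` rather than a read past the end of the buffer.

```rust
// Added example, not part of the original article. The record format is
// constructed for illustration: [len: u16 big-endian][payload: len bytes].

/// Parse an echo record and return its payload, or None if the record is
/// truncated or its declared length exceeds the bytes actually received.
pub fn parse_echo_record(record: &[u8]) -> Option<&[u8]> {
    // `get` is bounds-checked: a short record gives None, never a bad read.
    let hdr = record.get(..2)?;
    let len = u16::from_be_bytes([hdr[0], hdr[1]]) as usize;
    // The declared length is attacker-controlled; only hand back bytes that
    // exist. This is the check the vulnerable C code skipped.
    record.get(2..2 + len)
}

/// Build the reply a server would send: echo exactly the validated payload,
/// re-prefixed with its real length.
pub fn build_echo_reply(record: &[u8]) -> Option<Vec<u8>> {
    let payload = parse_echo_record(record)?;
    let mut out = Vec::with_capacity(2 + payload.len());
    out.extend_from_slice(&(payload.len() as u16).to_be_bytes());
    out.extend_from_slice(payload);
    Some(out)
}

fn main() {
    // Constructed sample inputs: an honest record and one whose header
    // claims 65535 bytes while only 3 follow.
    let honest: [u8; 5] = [0x00, 0x03, b'a', b'b', b'c'];
    let lying: [u8; 5] = [0xFF, 0xFF, b'a', b'b', b'c'];
    println!("{:?}", build_echo_reply(&honest)); // Some([0, 3, 97, 98, 99])
    println!("{:?}", build_echo_reply(&lying)); // None: no over-read possible
}
```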

Here Dirkjan Ochtman, a well-known Rust developer, is improving the Rustls library’s code. A C API for Rustls has already been developed so you can replace OpenSSL with Rustls.

Finally, Stefan Eissing of Greenbytes is writing mod_tls, a new Transport Layer Security (TLS) module for the Apache web server. This popular web server is also written in C. Once finished, they hope mod_tls will replace the existing mod_ssl. As you might guess, it will use the mostly memory-safe Rustls TLS library instead of OpenSSL.

Eventually, ISRG wants to give Network Time Protocol (NTP) the memory-safe treatment. For now, though, this NTP project lacks funding. Want to help? They’re ready to work once they have the cash.

Over and above this though, the ISRG wants to fundamentally change the way the internet works and how we think about memory safety. As they say, “Today it’s considered perfectly normal and acceptable to deploy software written in languages that aren’t memory safe, like C and C++, on a network edge, despite the overwhelming evidence for how dangerous this is. Our hope is that we can get people to fully recognize the risk and view memory safety as a requirement for software in security-sensitive roles.”

That’s quite a goal to reach for, but they do have a point. We now depend on the internet for, well, everything. The safer we can make it, the better.