Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All

Presented at Black Hat USA 2022, Aug. 11, 2022, 3:20 p.m. (40 minutes).

Imagine a world where a security researcher becomes aware of a security vulnerability impacting thousands of Open Source Software (OSS) projects, and is able to both identify and fix them all at once. Now imagine a world where a vulnerability is introduced into your production code and a few moments later you receive an automated pull request to fix it. Hundreds of thousands of human hours are invested every year in finding common security vulnerabilities with relatively simple fixes. These vulnerabilities aren't sexy, cool, or new; we've known about them for years, but they're everywhere!

The scale of GitHub and tools like CodeQL (GitHub's code query language) make it possible to scan for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Automating the creation of thousands of bug reports isn't useful by itself, and would only add to the burden on volunteer maintainers of OSS projects. Ideally, the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request.

When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution: automated bulk pull request generation. We'll discuss the practical applications of this technique on real-world OSS projects. We'll also cover technologies like CodeQL and OpenRewrite (a style-preserving refactoring tool created at Netflix and now developed by Moderne). Let's not just talk about vulnerabilities, let's actually fix them at scale.

This work is sponsored by the new Dan Kaminsky Fellowship; a fellowship created to celebrate Dan's memory and legacy by funding open-source work that makes the world a better (and more secure) place.


Presenters:

  • Jonathan Leitschuh - Open Source Security Researcher @ Dan Kaminsky Fellowship, HUMAN Security
    Jonathan Leitschuh is a Software Engineer and Software Security Researcher. He is the first-ever Dan Kaminsky Fellow. Jonathan is best known for his July 2019 bombshell Zoom 0-day vulnerability disclosure. He is amongst the top OSS researchers on GitHub by advisory credit. He's both a GitHub Star and a GitHub Security Ambassador. In 2019 he championed an industry-wide initiative to get all major artifact servers in the JVM ecosystem to formally decommission the support of HTTP in favor of HTTPS only. In his free time, he loves rock climbing, surfing, and sailing his Hobie catamaran.
  • Patrick Way - Senior Software Engineer, Moderne Inc.
    Patrick Way is a Senior Software Engineer on the OpenRewrite team at Moderne. He has been in software engineering for over 20 years. His software spans domains including agriculture, e-commerce, and healthcare. Between 2001 and 2011, he owned and operated a small consulting business providing geospatial permitting applications for many of California’s agricultural commissioners. Recently Patrick has focused on mass, automated remediation of security vulnerabilities across the open source ecosystem.
  • Shyam Mehta - OSS Security Research Intern @ Dan Kaminsky Fellowship, HUMAN Security Inc.
    Shyam Mehta is a student at the University of Pennsylvania studying computer science. He is currently an R&D intern at HUMAN Security Inc. where he is working as an OSS Security Research Intern under the Dan Kaminsky fellow, Jonathan Leitschuh. He is interested in systems programming, computer/network security, and computer architecture and is passionate about working with all layers of the computing stack. In his spare time, he enjoys watching & playing basketball, hiking, and visiting national parks.
