The Open Source Technology Improvement Fund is proud to share the results of our security audit of Kea. Kea is an open source project developed by Internet Systems Consortium (ISC). Described in the audit report as a “modular DHCP server framework… for assigning IPv4 and IPv6 addresses and distributing network configuration in enterprise, ISP and cloud environments,” Kea is a large project with a substantial code base. With the help of Ada Logics, this project received custom testing, documentation, and tooling work supporting ongoing security health.

Audit Process:

The audit team at Ada Logics carried out this engagement during late fall of 2025. They had four tasks within the scope of this audit: develop a threat model, carry out manual code review, establish continuous fuzz testing, and generate provenance documentation relevant to the holistic security of Kea. By identifying the code that transforms data as it moves through the system, the auditors could map and clarify the attack surfaces that mattered both for developing fuzzers and for assessing security vulnerabilities in the project. Code paths were reviewed for parsing correctness and for the handling of exceptional or malformed conditions. Auditors integrated Kea into OSS-Fuzz for ongoing fuzz testing, with continued maintenance and triage of security issues. Since Kea’s Meson build system does not natively generate SBOM output, the auditors developed a custom Python tool that produces a complete SPDX-compliant SBOM.

Audit Results:

  • 6 Findings with Security Impact
    • 6 Informational
  • Formal Threat Model
  • Improved Fuzzing
    • Fuzzing harnesses made for Kea available on GitHub
  • Formal SBOM

The maintainers of Kea were responsive and helpful to the audit team. Ada Logics noted that overall, Kea is well written and thoroughly reviewed, and it is now extensively fuzz tested as well. Kea is a large project that would benefit from future security efforts to continuously fortify its security measures and verify best practices. If you would like to contribute to Kea, you can visit their developer website for further information.

Thank you to the individuals and groups that made this engagement possible:

  • Kea maintainers and community, especially: Victoria Risk, Tomek Mrugalski, Thomas Markwalder, Razvan Becheriu, and Włodek Wencel
  • Ada Logics: David Korczynski, Adam Korczynski, and Arthur Chan
  • ISC: “This audit was part of a project funded through the ICANN Grant Program. ICANN is a nonprofit public benefit corporation established in 1998. Its mission is to ensure a stable, secure, and unified global Internet by coordinating the allocation and management of Internet Protocol (IP) addresses, domain names, and protocol parameters.”

You can read the Audit Report HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, reach out to [email protected]

Follow OSTIF’s lu.ma page for up to date information about open source security webinars, meetups, and educational opportunities!