OSTIF is proud to share the results of our security audit of Boost. Boost is an open source provider of free portable C++ source libraries. The project aims to establish a benchmark to provide reference implementations for future C++ standards. With the help of Shielder and Amazon Web Services, Boost can strengthen the security of its vast ecosystem. 

Audit Process:

For this engagement the audit scope was limited to the overall security posture of the source code and an additional 12 libraries. As Boost is built to be generally applicable, there is a considerable number of libraries under its umbrella. The libraries chosen to be in scope were selected during an initial threat analysis based on their maturity, code coverage, and maintenance status, among other characteristics. Shielder’s process of auditing the code in scope combined manual review with tooling-assisted review of the source code. This process helped identify the more sensitive or vulnerable areas of code on which to focus further review. Additionally, OSS-Fuzz and ClusterFuzzLite, with occasional targeted help from the AFL++ fuzzer, were used to improve fuzzing coverage through new fuzzing harnesses developed during this audit to exercise under-tested areas.

Audit Results:

  • 7 Findings with a Security Impact
    • 1 Medium, 4 Low, 2 Informational
    • 57% of reported issues have been resolved
  • 15 new Fuzzing Harnesses 
    • Increased Code Coverage
    • Increased Function Coverage
  • Short and Long Term Security Hardening Recommendations 

Third-party security audits don’t just produce quantitative results; they also produce documentation, insights, and recommendations that help project maintainers plan future security work as well as releases and life cycles. As Boost is a massive organization whose libraries are separately maintained but heavily reliant on each other, the security of one library affects the overall security of Boost. This report can be shared across current and future maintainers and contributors to help them more deeply understand the security needs of the overall Boost ecosystem.

Thank you to the individuals and groups that made this engagement possible:

  • Boost maintainers and community, specifically Vinnie Falco, Alan de Freitas, John Maddock, Andrey Semashev, Antony Polukhin, and Jeremy Murphy
  • Shielder: Davide Silvetti, Pietro Tirenna, Mattia Ricciardi, Abdel Adim “Smaury” Oisfi
  • Amazon Web Services

You can read the Audit Report HERE

You can read Shielder’s blog HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].