Results of curl Security Audit
By: Amir Montazery, OSTIF
Open Source Technology Improvement Fund (OSTIF) is thrilled to announce the results of a security audit and threat model for curl. In development since 1998, curl is a command-line tool and library for transferring data with URLs. curl is used in just about everything: cars, television sets, routers, printers, audio equipment, mobile phones, tablets and media players, and it is the Internet transfer engine for thousands of software applications in over ten billion installations. It's even deployed on Mars.
The security review of curl was facilitated by OSTIF and sponsored by the Open Source Security Foundation (OpenSSF) in an effort to improve the security of this critical project in the open source ecosystem. The technical work was led by Trail of Bits: a team of four consultants performed code review over approximately six engineer-weeks of effort. A total of 12 issues were addressed, including 2 High Severity findings.
The fixes were reviewed by the audit team and shipped as part of the regular curl release schedule. The release planned for December 21, 2022, included all of the fixes and improvements made to curl as a result of this engagement. A detailed synopsis of the security improvements to curl can be found in the reports under Summary of Findings and Fix Review Results.
Another significant accomplishment from this engagement was a component-focused threat model for curl and libcurl, published as a separate report. A team of two engineers focused on identifying security-control flaws that could result in a compromise. This focused effort uncovered one design-level issue that could lead to vulnerabilities, along with multiple security improvements. Threat model reports like this one can be used by developer and maintainer communities to better understand components, trust zones, and threat actors, and to gain a deeper understanding of how to use a project like curl.
The curl team demonstrated a strong commitment to improving its security posture by actively participating in the audit process and collaborating with the audit team during the review and threat modeling exercise. curl is a good example of a critical open source project. It has been in development for over 20 years, thanks in large part to Haxx, a group of open source developers and hackers in Sweden.
OSTIF is extremely grateful for the funding and support from OpenSSF to help make this critical project more secure.
The results can be viewed in full detail at the following links:
- Curl Security Assessment Full Report – Link: https://ostif.org/wp-content/uploads/2022/12/Assurance-Report-cURL-Code-Review-Testing-Analysis-Fix-Review-2022-2.pdf
- Curl Threat Model Full Report – Link: https://ostif.org/wp-content/uploads/2022/12/cURL-Threat-Model-Report-Fix-Review-2022.pdf
We thank David A. Wheeler, Brian Behlendorf, and Bob Callaway for helping to facilitate this work, and OpenSSF for funding this audit. OSTIF is planning more security efforts in 2023, and funding audits like these can be a useful tool for securing projects in open source.
Special thanks to Daniel Stenberg and Dan Fandrich of the curl project for actively participating in the security engagement.
Thank you to everyone from Trail of Bits who did excellent work on this audit!
For more information on this type of security work, visit the OSTIF website. We also have all of our published work on our GitHub. The OpenSSF supports work like this audit to make open source software more secure. Proactive security audits go a long way in detecting and fixing vulnerabilities before attackers can exploit them. Everyone around the world depends on open source software (OSS), and security audits play an important role in securing the open source ecosystem.