What OSTIF is Working on in 2020

OSTIF is simultaneously working on multiple projects this quarter. Here is what we’ve been working on and what to expect over the next few months!

Two projects with the Linux Foundation

We are working with the Linux Foundation’s Core Infrastructure Initiative on the safety and security of the Linux Kernel. We are working with Atredis Partners on evaluating the processes and policies for the Kernel’s security reporting, update, and disclosure processes to seek potential areas of improvement. This is something that the Kernel team has sought to review for years and OSTIF worked with our network of partners to bring the best people to the table for the task. We will be keeping the public notified as this project progresses. Here is an excellent talk by Konstantin Ryabitsev on how the Linux Kernel currently receives updates: https://www.youtube.com/watch?v=vohrz14S6JE

Additionally, we are in the early stages of reviewing the handling of software signing keys for the kernel, and how they are used for signing updates to the Kernel. We will have more information about this project in the near future.

Two Projects with the Monero Community

We are working with the Monero community on CLSAG. CLSAG promises to reduce signature sizes considerably while maintaining the same privacy level that Monero currently enjoys. Jean-Philipe Aumasson and Antony Vennard of Teserakt will be reviewing both the theoretical paper here and the implementation here after approval by the security committee and a round of fundraising with the Monero community.

Additionally, we are in the early stages of organizing and audit of Monero Triptych. Triptych promises to make transactions in Monero more efficient by increasing the efficiency of the ring signature scheme. Triptych allows Monero to significantly increase the size of rings while maintaining similar transaction sizes and verification speeds. This increase in ring size (from the current 12 to over 100) would theoretically substantially improve Monero privacy. We will be updating everyone on the status of this project as it progresses.

Three VPN Related Projects

We are working with the OpenVPN team on a review of OpenVPN 2.5.0, which introduces a number of new features that expand the use cases of OpenVPN. This includes and obfuscation plugin system that was developed with the Operator Foundation, whom we have also been working with to develop obfuscation plugins for OpenVPN that will be ready to go on launch.

We are also exploring scoping for a┬ásecurity review of WireGuard’s clients. This is crucially important because while WireGuard’s core code is only 5000-6000 lines and simple to review, the supporting software libraries for the individual clients adds an order of magnitude more code that doesn’t have the same brevity and quality controls of the core code. A wide-scope review of WireGuard gives the community a fine-grained review of the current security benefits of WireGuard over alternatives.

Additionally, we are exploring scoping to audit WinTun. WinTun is particularly important because it is the virtual driver that Windows requires for VPNs to function properly. This importance is magnified by WinTun also apparently performing better than tap-windows6 which is used by OpenVPN, and support for WinTun being added to OpenVPN. This means that WinTun will likely be the primary TAP/TUN driver for both OpenVPN and WireGuard in the future, so the security properties of WinTun are crucial.

Reaching Out to RIOT.IM

We have learned that the RIOT messenger team is seeking a security review of their project. So far we have been unsuccessful in our attempts to contact them. We will continue to try to reach out to assist the project and explore if collaboration is possible.

Seeking Additional Sources of Funding

OSTIF’s primary purpose is to bring together security resources with open source projects. As we expand on both ends of this goal, and we bring on more security teams while also having an increase in requests for support, the need for manpower grows. Two of our staff (Amir and Derek) have moved to working for OSTIF full-time.

Our efforts are now focused on seeking additional funding so that we can continue to effectively support projects with our time and resources. This comes in the form of us reaching out to more organizations for support, including large corporations and governments in the form of cybersecurity grants. Sponsorships and grants will be key for OSTIF going forward, as we continue to expand and magnify the amount of good we can do.