Software vulnerability discovery
Automating discovery of software update and vulnerabilities
nixpkgs-update automates the updating of software packages in the nixpkgs software repository. It is a Haskell program. In the last year, about 5000 package updates initiated by nixpkgs-update were merged. This project will focus on two improvements: one, developing infrastructure so that nixpkgs-update can run continuously on dedicated hardware to deliver updates as soon as possible, and two, integrating with CVE systems to report the CVEs that are addressed by each proposed update. I believe these improvements will increase the security of nixpkgs software and of the NixOS operating system, which is based on nixpkgs.
- The project's own website: https://github.com/ryantm/nixpkgs-update
Why does this actually matter to end users?
Software security for many users is a given, an assumption, something you do not and should not have to think about too hard. If you open an app on your phone, install new software on your laptop or boot up your tablet, you assume the software you use is safe and secure, and that the developers have done their job right. With the amount of software coming out and the tangled web of inter-dependencies that exists today, this assumption of trust is hard to live up to. This is especially true because software vulnerabilities are constantly hunted for by malicious parties that want to get into our data and devices for blackmail or theft, or, on a larger and more dangerous scale, for the disruption of vital processes like power grids.
One of the ways to make sure users do not have to worry about the applications they have installed is to automate the search for and discovery of software vulnerabilities. Detecting and fixing security risks automatically can help to mitigate vulnerabilities that were recently uncovered by vendors and developers. Of course there is little that can be done about so-called zero-day exploits, but as soon as a problem is known, developers typically start working on fixing their software. As a user you want to get those fixes as soon as possible, because the fact that a problem is now public increases the exposure of software that companies, governments and people use to share sensitive data. Criminals can read bug reports too, and can opportunistically seize the chance to move in.
This project helps to make the internet safer by shortening the path between software releases and the users. Installing a piece of software on a server or computer is quite simple these days. But behind the software repositories with tens of thousands of software applications hides a lot of work and logistics. This is because a computer application typically isn't a single self-contained program, but assumes a lot of other software to be present on the computer. Sharing that software saves your hard disk from holding many copies of exactly the same file in different places, which is not just ecological waste but also a security liability. These so-called "dependencies" need to be taken into account: a security issue in a major dependency can make a lot of other applications insecure.
So why does this need any work at all? Well, these dependencies are all independently produced by individual developers, small and large companies, and communities. A significant human effort is required to monitor all kinds of software archives around the world for new versions. When a new version is discovered, so-called packagers need to manually perform a number of tasks to arrive at the point where normal users can just install an update. nixpkgs-update automatically discovers and updates software packages, and the Nix packaging system makes sure all the dependencies are properly handled.
With funding from NGI Zero this project will extend its efforts to automatically search for reported vulnerabilities in software packages, and make sure that updates which solve these issues are communicated and prioritised. The result is that users will be deploying and using the latest versions of software more quickly, and can automatically install critical updates 24/7. If you are a company running a server on the public internet, that is critically important for your security and that of the rest of the net. As such, the project contributes to an operational internet that is more responsive to threats. We all need to be able to trust that the software we use is the latest, most reliable version that can be had. This project makes it possible to deliver on that assumption.
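To make the CVE-matching idea above concrete, here is an added illustration (not code from nixpkgs-update, which is written in Haskell, and not any real CVE feed format): given a proposed version bump for a package and a constructed list of CVE records with affected version ranges, it lists which CVEs the update addresses and which still affect the new version. The record shape, the dotted-numeric version scheme and the CVE identifiers are all assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CveRecord:
    """Constructed record shape (assumption): affected range is [introduced, fixed)."""
    cve_id: str
    package: str
    introduced: str  # first affected version, inclusive
    fixed: str       # first fixed version, exclusive; "" means no fix known

def parse_version(v: str) -> tuple:
    """Assumes plain dotted numeric versions such as "1.2.3"."""
    return tuple(int(p) for p in v.split("."))

def is_affected(rec: CveRecord, version: str) -> bool:
    pv = parse_version(version)
    if pv < parse_version(rec.introduced):
        return False
    return rec.fixed == "" or pv < parse_version(rec.fixed)

def cves_addressed_by_update(package, old_version, new_version, records):
    """CVEs that affect old_version of package but no longer affect new_version."""
    return sorted(r.cve_id for r in records
                  if r.package == package
                  and is_affected(r, old_version)
                  and not is_affected(r, new_version))

def cves_still_affecting(package, new_version, records):
    """CVEs a reviewer should still see flagged after the bump."""
    return sorted(r.cve_id for r in records
                  if r.package == package and is_affected(r, new_version))

# Constructed sample data with placeholder identifiers, not real CVEs.
SAMPLE_RECORDS = [
    CveRecord("CVE-0000-0001", "examplelib", "1.0.0", "1.2.4"),
    CveRecord("CVE-0000-0002", "examplelib", "1.2.0", ""),       # no fix yet
    CveRecord("CVE-0000-0003", "examplelib", "0.9.0", "1.0.0"),  # fixed long ago
    CveRecord("CVE-0000-0004", "otherpkg", "1.0.0", "2.0.0"),    # different package
]

def update_report(package, old_version, new_version, records=SAMPLE_RECORDS):
    """Summary a bot could attach to a proposed update: what it fixes, what remains."""
    return {
        "addressed": cves_addressed_by_update(package, old_version, new_version, records),
        "still_affected": cves_still_affecting(package, new_version, records),
    }

if __name__ == "__main__":
    print(update_report("examplelib", "1.2.3", "1.2.4"))
```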
This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322.