Measurement
This page contains a concise overview of projects funded by NLnet foundation that belong to Measurement (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. If a description on this page is a bit technical and terse, don't despair — the dedicated page will have a more user-friendly description that should be intelligible for 'normal' people as well. If you cannot find a specific project you are looking for, please check the alphabetic index or just search for it (or search for a specific keyword).
- 0WM — Measure and visualize Wi-Fi coverage
Wi-Fi coverage is key in corporate and BYOD environments, as the mobility offered by wireless protocols often outweighs criteria such as speed and stability, offered by wired alternatives. These criteria are however critical to guarantee a suitable quality of service, and reliable options to help network operators are scarce and unaffordable to small organizations. 0WM will provide feature-rich tools to produce quality coverage maps, leveraging affordable COTS components, to quickly and efficiently identify coverage problems affecting end users.
>> Read more about 0WM
- Firmwire full-system 5G baseband emulation — Easier testing of 5G baseband modems with FirmWire
FirmWire is an open source full-system baseband firmware emulation framework for emulating, fuzzing, debugging, and root-cause analysis of smartphone baseband firmware. This project builds upon the framework to support newer, 5G-capable smartphones. Baseband processors are used in all modern smartphones for cellular network connectivity and are a remote attack surface. As such, baseband security is of utmost importance. Baseband firmware is complex, proprietary, and lacks public scrutiny. Emulation and reverse engineering are among the few public ways to analyze baseband processors. These efforts will provide more transparency in baseband firmware and improve the community’s ability to analyze 5G security through emulation and fuzzing. Additionally, the reverse engineering efforts could aid in developing better open source drivers in the future.
>> Read more about Firmwire full-system 5G baseband emulation
- Analytics Caddy Microservice — Privacy-friendly analytics microservice using server logs
For small organisations and individuals who wish to respect their visitors' privacy while needing to obtain analytics, there are limited options. The most elegant option (and the most privacy-respecting one) is to provide real-time analytics by ingesting the web server logs. This doesn't involve/require doing anything client-side (no scripting, no invisible pixels, etc): all the information needed can be derived from these log files without resorting to tricks. The form factor of a drop-in microservice allows for easy integration into other tools (which offers a significant improvement in terms of usability), and makes it portable. The end result will provide a neat solution for small actors to make self-hosting of their website 'batteries included'.
>> Read more about Analytics Caddy Microservice
- Back2Source next — Better matching of binaries with source code
Sometimes, the released binaries of an open source package do not match its source code. Or the source code does not match the code in a version control repository. There are many reasons for this discrepancy, but in all cases it is a potentially serious issue, as the binary cannot be trusted. Additional (or different) code in the binary could be malware or a vector for unknown software vulnerabilities, or create FOSS license compliance issues.
"Back to source" creates analysis pipelines in ScanCode.io to systematically map and cross-reference the binaries of a FOSS package to its source code and source repository and report discrepancies. We call this the deployment to development analysis (d2d) to map deployed code (binaries) to the development code (the sources) and we enable applying this "trust but verify" approach to all the binaries.
>> Read more about Back2Source next
- badkeys — Detect compromised cryptographic public keys
Public key cryptography is an important building block of Internet security through protocols like TLS or SSH. Key generation vulnerabilities in cryptographic implementations can compromise the security of these mechanisms. The tool badkeys allows identifying public keys affected by known vulnerabilities. The project will implement improvements to badkeys' coverage of known-compromised keys and regular monitoring of public keys in TLS certificates, DNSSEC, and DKIM for known vulnerabilities.
>> Read more about badkeys
- Detecting Forged-Origin BGP hijacks — Probabilistic detection of BGP hijacking
Hackers often exploit vulnerabilities in BGP, the primary inter-domain routing protocol (essentially the “glue” that connects all networks on the Internet), to hijack Internet traffic. Our project builds on our work in detecting forged-origin BGP hijacks, a specific type of BGP hijack that remains unaddressed by recent cryptographic efforts aimed at securing BGP. Our objective is to enhance the accuracy of our detection system, which relies on a probabilistic model to compensate for the lack of cryptographic tools, ensuring that no attack goes unnoticed. Additionally, we plan to share our data and improve access to our inferences by developing APIs. This will enable both network operators and the research community to benefit from our findings and apply them to improve the security of their networks.
>> Read more about Detecting Forged-Origin BGP hijacks
- BIDS: Binary Identification of Dependencies with Search — Identify known open source elements present in binaries
Embedded device firmware is assembled from many FOSS package dependencies. Knowing which dependencies have been used is essential for security and licence compliance. However, this is a complex task for native ELF binaries built from languages such as C/C++, which lack the package-manager metadata and the simpler conventions of bytecode languages like Java or Python. The BIDS (Binary Identification of Dependencies with Search) project will build a tool (in Python) to analyse ELF binaries and find the dependencies contained and built into these binaries. The BIDS project will deliver tooling to analyse ELF binaries, extract key features and store these for indexing; tooling to index these binary features in a search engine using inverted indexing; and a query tool and library to process large binaries against this inverted index. The latter will return results as lists of ranked FOSS packages and files found to be present in the analysed binary. The data and tools will also be packaged to allow for further integration and reuse by other FOSS tools and analysis pipelines.
>> Read more about BIDS: Binary Identification of Dependencies with Search
- Supersizing the Gun — Chipwhisperer open hardware for side channel analysis
ChipWhisperer is an open hardware and software toolchain that has been a mainstay of hardware security research. ChipWhisperer is used in academic curricula and in industrial R&D implementation security research labs for high speed side-channel power analysis and glitching attacks. The objective of this project is to explore design changes to the current ChipWhisperer hardware, so as to allow capturing of longer power analysis traces and to cater to higher clock speeds than currently supported. Here, the intent is to make it easier to perform side-channel-related analysis of public-key algorithms, without the need to artificially break down the algorithms into multiple components due to platform constraints. This allows for more realistic and practically relevant attacks. This project additionally entails the development of fine-grained post-processing tools, which would make further analysis of captured traces of public-key algorithms easier.
Ultimately, the goal is to work towards candidate post-quantum algorithms, which are known to be more resource-hungry. The project funded by NGI Zero would specifically target design changes to considerably increase the sampling rate (towards 200-250 MS/s) and to provide for a streaming mode (initially envisioned to be roughly 15-30 MS/s). It includes both a new hardware design and a significant update to the current open-source software of the ChipWhisperer platform, as well as demonstration of how to successfully use this with practically relevant ECC public-key algorithms.
>> Read more about Supersizing the Gun
- CRAVEX — Cyber Resilience Application for Vulnerability Exploitability Exchange
There is no free and open source vulnerability exploitability management application centered on software packages. Vulnerability management applications traditionally serve the needs of security teams first. There is a fundamental disconnect between the package-centric mindset of a developer and the vulnerability-centric mindset of a security analyst.
Developers need modern tools to manage, triage, rate, review, and determine exploitability of package vulnerabilities in a package-centric world. They are the primary stakeholders and best positioned to tackle open source package vulnerabilities at the root. With the impending requirements of the CRA, open source projects and small businesses urgently need a free and open solution to comply with these new emerging mandates with minimal friction and costs.
The Cyber Resilience Application for Vulnerability Exploitability (CRAVEX) is a web-based app designed to fulfill these requirements for better software supply chain integrity and security. CRAVEX will make it easier for any organization to comply with the emerging CRA and other regulatory requirements, efficiently, and improve the overall security posture of organizations of all sizes, especially for SMEs.
CRAVEX will collect, track, and triage FOSS package vulnerabilities, determine their exploitability in a portfolio of software products and projects, and provide reporting with SBOMs and VEX statements to share with stakeholders.
>> Read more about CRAVEX
- CRAVEX 2 Code Reachability — Do vulnerable dependencies actually impact security or not?
The project summary for this project is not yet available. Please come back soon!
>> Read more about CRAVEX 2 Code Reachability
- CRAVEX integration — Integrated vulnerability exploitability management
The project summary for this project is not yet available. Please come back soon!
>> Read more about CRAVEX integration
- Darkstar — Open source vulnerability management solution
Build an open source, self-hostable, commercial-grade attack surface management/vulnerability management solution for web, network, agent-based and cloud security. Our idea is to build a self-hostable (container-based) vulnerability management solution which allows companies and people worldwide to monitor their security through finding vulnerabilities. The main focus lies on creating the basic features that are required for a functional vulnerability management solution: on-demand scanning, reporting, prioritization, scanning internal networks via container appliances you can place on your network, scanning the external attack surface (web security scanning/DAST), network-based external security scanning, and agent-based vulnerability management.
>> Read more about Darkstar
- EDeA — Repeatable, automated measurement data capture
EDeA is a set of tools and a web portal which makes it easier for people to share and collaborate on Open Hardware sub-circuits. The scope of this project is to further improve on the collaboration aspect of the portal and to build the EDeA Measurement Server. The EDeA Measurement Server is a tool for automated scientific data capture (not only) for sub-circuits and a library which enables test & measurement as code. This makes it possible to analyze, reason about and share open hardware in a repeatable and consistent manner.
>> Read more about EDeA
- EEZ flow for EEZ Studio — Open Hardware Test & Measurement equipment
EEZ Studio is a free and open source cross-platform tool which offers a development environment for efficient creation of user interfaces for embedded systems that use touchscreens. This allows for visual development of embedded GUIs and dashboards through which one can manage test and measurement equipment, including for test and measurement automation.
In this project, the team will improve communication with test and measurement devices, allowing users to manage multiple instruments, add networking capabilities, and support non-SCPI instruments and devices. In addition, the project will develop templates for more easily creating dashboards, make report creation and working with the project scrapbook easier, and improve data and session management.
>> Read more about EEZ flow for EEZ Studio
- EEZ Studio — Open source tooling for measurement and test equipment
EEZ Studio is a free and open source cross-platform low-code visual tool that brings the functionality of legacy solutions for effective control of test and measurement devices. Modern user interface, modular design, debugger, drag&drop flowchart programming will enable easy collection of measurement data as well as automation of test procedures in different environments from classrooms, workshops, laboratories to production lines.
EEZ Studio also offers a development environment for efficient creation of GUIs for embedded systems that use touchscreens. Unlike similar solutions, EEZ Studio enables not only drag&drop programming, debugging and GUI simulator, but also the creation of complex business logic for interaction with the user and with underlying hardware functionality.
>> Read more about EEZ Studio
- Tracking the Trackers — Automated scanning for spyware in mobile applications
F-Droid is a free software, community app store that has been working since 2010 to make all forms of tracking and advertising visible to users. It is the trusted name for privacy in Android, and app developers who sell based on privacy make the extra effort to get their apps included in the F-Droid.org collection. These include Nextcloud, Tor Browser, TAZ.de, and Tutanota. Auditing apps for tracking is labor intensive and error prone, yet ever more in demand. Our tools already aid F-Droid contributors in this process. This project creates new tools using machine learning to drastically speed up this process by augmenting the human review process. Since the prime motivation of the F-Droid community is ethical software distribution, algorithms will never replace humans in making ethical decisions. We will also explore using machine learning to detect tracking in a more generic way, without requiring manually compiled lists of key information. The resulting tools will be generally available for any use case needing to reliably detect trackers in Android apps. This builds upon our collaboration with Exodus Privacy and LibScout.
>> Read more about Tracking the Trackers
- FederatedCode Next — UI and curation queue for VulnerableCode data enrichment
VulnerableCode is an open-source database that aggregates and enriches data concerning CVE with metadata to make it easier to track CVEs across packages and dependencies. VulnerableCode was designed from its inception to correlate and aggregate multiple data sources and not have a single point of failure. The FederatedCode Next project aims to create a UI and curation queue for VulnerableCode in order to take the next step towards an open, peer-to-peer federated database of code vulnerabilities.
This helps ensure that cybersecurity professionals have the essential information they need to do their work when new vulnerabilities are unveiled, such as PURL and VERS version ranges for impacted and fixed package versions, Common Weakness Enumeration details to qualify the weakness exposed by a CVE, severity scoring, mitigation possibilities besides updating and patching, the actual commits/patches that introduce/fix a vulnerability for reachability analysis, related PoCs for exploits, etcetera.
>> Read more about FederatedCode Next
- FPGA Fault Injection Testing — Better testing towards preventing fault injection in FPGAs
Fault injection aims at disrupting the orderly way in which data and instructions in a chip are processed. This can be achieved, e.g., by malicious glitches that briefly interrupt the supplied voltage of the chip. To better protect against faults, countermeasures need to be implemented, such as glitch sensors that can detect these adversarial conditions. Due to the wide range of fault injection methods, the development of glitch sensors is time-consuming and requires a wide range of lab capabilities.
Within the context of FPGAs, such testing is often not feasible due to their unique configuration based on a bitstream. In this project we seek to demonstrate that in-situ fault injection by creating short-circuits in an FPGA is possible and that this can be used to emulate similar effects in the circuit that otherwise would require costly external instruments. In addition, since FPGAs can be reconfigured quickly, it is possible to rapidly test a wide range of fault injection configurations. We then implement and compare glitch sensor designs in the FPGA and compare them to the state of the art (attacks and countermeasures) with the expectation to improve over previous results, as the fine-grained in-situ fault injection process is expected to offer more control over the testing process, resulting in a better calibration of the glitch sensor.
>> Read more about FPGA Fault Injection Testing
- GoatCounter — Privacy-friendly web analytics for small websites
GoatCounter aims to provide meaningful privacy-friendly analytics for business purposes, while still staying usable for non-technical users to use on personal websites. The choices that currently exist are between hosted online services that have serious privacy issues, running your own complex software, or extremely simplistic "vanity statistics". GoatCounter attempts to strike a good balance between various interests. Major features include an easy-to-run self-hosted option, an intuitive user interface that is also accessible to website maintainers with accessibility needs, and meaningful statistics that go beyond "vanity stats" but still respect user privacy.
>> Read more about GoatCounter
- happyDomain — Simplify DNS zone management
happyDomain is an interface designed to make domain name management more accessible, intuitive, and efficient. By consolidating domain names from multiple providers and abstracting technical complexities that often lead to common mistakes, happyDomain empowers operational teams to handle their domain needs effortlessly, saving time and reducing friction. Its modern interface offers essential features such as history tracking, one-click rollbacks, logical groupings for services, and a REST API for automation. Built with carefully selected technologies, happyDomain provides a fast and lightweight experience, suitable for both large-scale infrastructures and personal use. Our mission is to help individuals and organizations regain independence on the Internet by simplifying domain management and fostering confidence. Whether for system administrators, agencies, freelancers, or privacy-conscious users, happyDomain transforms domain management into an accessible and seamless task for all.
>> Read more about happyDomain
- Handling Data from IPv6 Scanning — Scanning tools for scaling up IPv6 scans
Scanning is the state of the art for discovering hosts on the Internet. Today’s scanning relies on IPv4 and simply probes all possible addresses. But global IPv6 adoption will render brute-forcing useless due to the sheer size of the IPv6 address space, and demands more sophisticated ways of target generation. Our team developed such an approach, which allows probing all subnets in the currently deployed IPv6 Internet within reasonable time. Positive responses are however scarce in the IPv6 Internet; thus, we include error messages in our analysis, as they provide meaningful insight into the current deployment status of networks. First experiments covering only parts of the Internet were promising, and at least 5% of our probes trigger error messages. However, a full scan would lead to approx. 10^14 responses, causing petabytes of data, and demands an adequate solution for data handling. In this project, we will develop a data storage and analysis solution for high-speed IPv6 scanning. It will process the high amount of received data concurrently with scanning, and provide continuous results while scanning for long periods. This effort enables full scans of the IPv6 Internet.
>> Read more about Handling Data from IPv6 Scanning
- iso14229 — Universal Diagnostic Services for automotive diagnostics
iso14229 is an open-source portable C implementation of Unified Diagnostic Services (ISO 14229-1:2020). UDS is a communications protocol used for diagnostics, tuning and firmware updates on embedded devices such as those in your car, tractor, robot, IoT device, or renewable energy system. Insecure UDS implementations expose software to security exploits. By providing an open source implementation including the security features of UDS, this project addresses an important gap. Within the scope of this grant, the team will work on the integration of static analysis, improve documentation and develop a number of security-focused examples.
>> Read more about iso14229
- Lightmeter — Email server configuration lifecycle management
Lightmeter will make it easy to run email servers large and small by visualising, monitoring, and notifying users of problems and opportunities for improved performance and security. People will regain control of sensitive communications either directly by running their own mailservers, or indirectly via the increased diversity and trustworthiness of mail hosting services.
>> Read more about Lightmeter
- LANShield — Constrain local network access for mobile devices
LANShield is a tool that will give users control over which apps and programs are allowed to access devices in the local network. This is done to defend against malicious apps that may try to scan the user's local network and subsequently leak sensitive information. For instance, when an app tries to access the local network for the first time, the user is asked whether this app should be allowed to access local devices. The project will also investigate models and protocols to safely enable an app to communicate with local devices, with the idea that apps can use this protocol to access local devices without requiring explicit user permission. The project will also investigate how to integrate this defence into Android.
>> Read more about LANShield
- Massive FOSS scan — License scan on the whole Software Heritage archive
ScanCode is a comprehensive open source license and code origin scanner. It is actively used by many proprietary and FOSS tools for Software Composition Analysis. This project will make detecting FOSS licenses an issue of the past by running a massive license scan on the whole Software Heritage archive of over 20 billion unique source code files from more than 327 million projects, and the PurlDB index of all major package registries and Linux distros. The outcomes will be a massive commons reference database to speed up future scanning and matching processes with accurate license information, and a massive collection of fingerprints to enable approximate code matching at scale. This will be applied to the Software Assurance/MatchCode project, and be available for other users and organizations as open data to improve FOSS code matching and discovery at an unprecedented scale.
>> Read more about Massive FOSS scan
- MobileAtlas — A distributed open hardware test infrastructure to analyse mobile networks
MobileAtlas is an international measurement platform for cellular networks that takes roaming measurements to the next level. Although mobile cellular networks have become a major Internet access technology, mobile data traffic is surging, and data roaming has become widely used, well-established measurement platforms (e.g., RIPE Atlas) are not well-suited for measurements in the mobile network ecosystem. This includes measurements of metered connections and consideration of roaming status and zero-rating offers.
MobileAtlas implements a promising approach by geographically decoupling SIM card and modem, which boosts the scalability and flexibility of the measurement platform. It offers versatile capabilities and a controlled environment that makes a good foundation for qualitative measurements. We want to establish the framework with at least twenty open hardware probes, and create a platform for shared usage among scientists and Internet activists.
>> Read more about MobileAtlas
- MobileAtlas — Taking roaming measurements to the next level
MobileAtlas is an international measurement platform for cellular networks that takes roaming measurements to the next level. Although mobile cellular networks have become a major Internet access technology, mobile data traffic is surging, and data roaming has become widely used, well-established measurement platforms (e.g., RIPE Atlas) are not well-suited for measurements in the mobile network ecosystem. This includes measurements of metered connections and consideration of roaming status and zero-rating offers.
MobileAtlas implements the promising approach to geographically decouple SIM card and modem, which boosts the scalability and flexibility of the measurement platform. It offers versatile capabilities and a controlled environment that makes a good foundation for accurate and fine-grained measurements. In the current phase we focus on increasing the coverage of the measurement platform and improving the support for emerging technologies (e.g. eSIM, IPv6, VoLTE, and 5G).
>> Read more about MobileAtlas
- MPTCP — MultiPath TCP
How do you find the best way to communicate with a computer on the other side of the internet? And why bet everything on a single connection? Multipath TCP (MPTCP) extends the most widely used transport protocol on the internet (TCP) so that it can discover and use several physical paths (e.g., Wi-Fi, cellular, between multihomed servers) in parallel. This makes it possible to speed up transfers, smoothly transition from Wi-Fi to cellular when leaving one's house, or potentially prevent traffic spying.
While the protocol is proven to work well in certain conditions (the fastest TCP connection ever was using MPTCP), it is configuration-sensitive and can degrade badly under adverse conditions (for instance in heterogeneous networks with small buffers). The aim of this project is to provide tools to help analyze the performance of a multipath protocol, as well as the software to (auto)configure the system depending on the application objective and network conditions.
>> Read more about MPTCP
- Software vulnerability discovery — Automating discovery of software update and vulnerabilities
nixpkgs-update automates the updating of software packages in the nixpkgs software repository. It is a Haskell program. In the last year, about 5000 package updates initiated by nixpkgs-update were merged. This project will focus on two improvements: One, developing infrastructure so that the nixpkgs-update can run continuously on dedicated hardware to deliver updates as soon as possible, and Two, integrating with CVE systems to report CVEs that are addressed by proposed updates. I believe these improvements will increase the security of nixpkgs software and the NixOS operating system based on nixpkgs.
>> Read more about Software vulnerability discovery
- NoScript Contextual Policies & LAN protection — Application Boundaries Enforcer (ABE) for new generation of browsers
NoScript is a FOSS browser extension for Firefox, Chromium and its derivatives. It can be used on desktop and mobile browsers, and enhances security by providing control over JavaScript and other active content. It is the first and still most effective XSS filter. NoScript is an integral part of the Tor Browser, as the back-end of its "Security Level" settings.
ABE-Quantum is the next generation of the Application Boundary Enforcer (ABE), a NoScript module that provided protection against several cross-site and cross-network attacks. When Mozilla abandoned the legacy Firefox add-ons platform in 2017, ABE did not survive the painful transition to the new cross-browser (but backward incompatible) WebExtensions API. The ABE-Quantum project aims to bring the main ABE features to WebExtension-capable browsers, and specifically: 1) contextual content blocking policies depending both on the origin and the destination of the request, e.g. "Block facebook.net scripts everywhere unless the parent site is facebook.com"; 2) protecting LAN endpoints (i.e. routers or other internal applications) against browser-based attacks from the WAN using the web layer to work-around traditional firewalls. These features will be integrated in NoScript's user interface - rather than leveraging a firewall-inspired policy definition language like in the original ABE - in order to provide a simpler, more accessible and more intuitive user experience.
>> Read more about NoScript Contextual Policies & LAN protection
- O-ESD: Open-hardware for ElectroStatic Discharge testing — Open-hardware for ElectroStatic Discharge testing
The goal of the Open-hardware for ElectroStatic Discharge testing (O-ESD) project is to design, produce and verify open hardware and accompanying open software for an electrostatic discharge testing device. Electrostatic discharge is a phenomenon that occurs daily between humans and electronics and can irreversibly damage the electronics. All consumer electronics sold in the EU, including all internet hardware, must satisfy the Electromagnetic Compatibility (EMC) Directive. One of the hardest tests within the EMC directive deals with electrostatic discharge as defined by the IEC/EN 61000-4-2 standard. Standardized tests are typically done with special equipment in accredited EMC laboratories and are costly. The O-ESD tester will minimize the costs of pre-compliance testing and make it publicly available.
>> Read more about O-ESD: Open-hardware for ElectroStatic Discharge testing
- offen — Ethical site analytics, controlled by the user
Transparently handling data in the open creates mutual trust: Offen is a web analytics software that gives users insights into the data they are generating by giving them access to the same suite of analytics tools site operators themselves are using. Usage metrics come with explanations about their meaning, relevance, usage and possible privacy implications, and also details which kind of data is not being collected. Offen treats both users and operators as parties of equal importance. Users can expect full transparency and are encouraged to make autonomous and informed decisions regarding the use of their data, and operators are being enabled to collect needed usage statistics while fully respecting their users' privacy and data. No user data is being collected until the user has explicitly opted-in. All data can be deleted either selectively or in its entirety by the users.
>> Read more about offen
- OnBaSca — Tor Bandwidth Scanner
The Tor network is comprised of thousands of volunteer-run relays around the world, and millions of people rely on it for privacy and freedom online every day. To monitor the Tor network's performance, detect attacks on it, and better distribute load across the network, we employ what we call Tor bandwidth scanners. The bandwidth scanners are run by the directory authorities, which are special relays that maintain a list of currently-running relays. This project will make a number of improvements to the new bandwidth scanner called sbws, to make it easier for directory authorities to deploy it, for relay operators to better diagnose issues, and for end users to benefit from increased quality of experience.
>> Read more about OnBaSca
- OWASP dep-scan — Security and risk audit tool
-
OWASP dep-scan is a next-generation Software Composition Analysis (SCA) tool based on known vulnerabilities, advisories, and license limitations for applications, container images, and Linux virtual machines. Powered by abc - AppThreat atom, OWASP blint, and CycloneDX Generator (cdxgen) - dep-scan performs a range of advanced code hierarchy and lifecycle analyses (for example, reachability analysis) to improve precision and reduce false positives, helping developers and AppSec people focus on the supply chain vulnerabilities and risks that need real attention.
Dep-scan is purpose-built to be integrated in CI, Vulnerability Management platforms, and air-gapped environments. Dep-scan can perform all the analysis offline, with no code or SBOM leaving your environment. The tool supports generating reports in CycloneDX VDR, OASIS CSAF VEX, HTML, PDF, and Markdown formats.
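The report formats listed above are machine-readable, and the usual next step in a CI job is deciding which findings block the build. The following Python is an added example, not dep-scan's own code: it consumes a document in the shape of a CycloneDX VDR report, applies a triage policy, and flags `affects.ref` values that point at no component (a sign of a broken or hand-edited report). The sample document, the placeholder vulnerability ids, and the policy itself (fail on exploitable or untriaged findings at or above a severity threshold, ignore `not_affected`, `false_positive` and resolved states) are assumptions for this illustration, not something dep-scan prescribes.

```python
import json

# Constructed sample in the shape of a CycloneDX VDR document. It is not real
# dep-scan output; the vulnerability ids are placeholders, not CVE numbers.
SAMPLE_VDR = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:npm/lodash@4.17.20", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
        {"bom-ref": "pkg:pypi/requests@2.25.0", "name": "requests", "version": "2.25.0",
         "purl": "pkg:pypi/requests@2.25.0"},
    ],
    "vulnerabilities": [
        {"id": "VULN-A", "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:npm/lodash@4.17.20"}],
         "analysis": {"state": "exploitable", "detail": "sink reachable from request handler"}},
        {"id": "VULN-B", "ratings": [{"severity": "critical"}],
         "affects": [{"ref": "pkg:pypi/requests@2.25.0"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "VULN-C", "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:pypi/requests@2.25.0"}]},          # no analysis: untriaged
        {"id": "VULN-D", "ratings": [{"severity": "low"}, {"severity": "high"}],
         "affects": [{"ref": "pkg:pypi/urllib3@1.26.0"}]},           # ref not in components
    ],
})

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0, "none": 0, "unknown": 0}
# CycloneDX analysis states that mean "no action needed" under this (assumed) policy.
SUPPRESSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def severity_rank(vuln):
    """Highest severity across a vulnerability's ratings (CycloneDX allows several sources)."""
    return max((SEVERITY_RANK.get(r.get("severity", "unknown"), 0)
                for r in vuln.get("ratings", [])), default=0)


def triage(vdr_text, block_at="high"):
    """Sort vulnerabilities into buckets and report affects.ref values that resolve to no component."""
    doc = json.loads(vdr_text)
    component_refs = {c.get("bom-ref") for c in doc.get("components", [])}
    threshold = SEVERITY_RANK[block_at]
    result = {"blocking": [], "suppressed": [], "below_threshold": [], "dangling_refs": []}
    for vuln in doc.get("vulnerabilities", []):
        # A vulnerability without an analysis block has not been triaged yet.
        state = vuln.get("analysis", {}).get("state", "in_triage")
        refs = sorted(a["ref"] for a in vuln.get("affects", []))
        for ref in refs:
            if ref not in component_refs:
                result["dangling_refs"].append((vuln["id"], ref))
        entry = {"id": vuln["id"], "state": state, "affects": refs}
        if state in SUPPRESSED_STATES:
            result["suppressed"].append(entry)
        elif severity_rank(vuln) >= threshold:
            result["blocking"].append(entry)
        else:
            result["below_threshold"].append(entry)
    return result


def should_fail_build(result):
    """Fail on any blocking finding, and on dangling refs (the report cannot be trusted as-is)."""
    return bool(result["blocking"]) or bool(result["dangling_refs"])


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_VDR), indent=2))
```

The same loop applies to a VEX document, where the `analysis` block is the whole point: a `not_affected` verdict with a justification is what lets a reachability-aware scanner suppress noise without hiding it.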
>> Read more about OWASP dep-scan
- Pijul ecosystem — A modern patch-based version control system
-
Pijul is a modern patch-based version control system that addresses many shortcomings found in existing tools. While its foundations are already mature and well-tested, it lacks many conveniences users expect from the ecosystems of popular tools such as Git. This project aims to significantly reduce Pijul's barrier to adoption by addressing common areas of user feedback - documentation, usability, robustness, and integration into other tools such as text editors or CLI prompts. We believe this will improve the workflow of existing users, and enable many more to adopt Pijul and its benefits without sacrificing other parts of their workflow.
>> Read more about Pijul ecosystem
- purl2all — Discover metadata for software packages
-
We often simplify our mental model of the software supply chain to source code being maintained, compiled together with other source code into binaries, and distributed. In reality there are many more stakeholders that provide or curate information about software which others use as part of their decision process, and there are many supply chains running concurrently, some of them intertwined. The purl (package-url) initiative allows this information to be aggregated from all the different stakeholders in the software supply chains.
The purl2all project aims to build a real-time, on-demand, decentralized and distributed knowledge base for all kinds of software package metadata, which can be used by other services that need it, such as ScanCode, VulnerableCode, or any system, application or library that uses package-url (purl) to identify packages and versions and look up this data.
The outcome will be a decentralized, on-demand software metadata collection system that will complement or replace centralized batch systems.
>> Read more about purl2all
- purl2sym — FOSS code symbols indexing system
-
Identifying the source code that went into a natively compiled binary is complex and important: only by knowing the origin of the code can one tell whether it is subject to known vulnerabilities or licensing issues. In IoT and embedded devices, most of the code consists of natively compiled binaries, with a significant Android-based ecosystem using Java with specific constraints: multiple programming languages (Java and Kotlin) and bytecode-compiled binaries. Many devices also embed secondary code (typically for administration and UI) in languages such as Lua, JavaScript, Python, or PHP.
To help identify binaries, it is important to aggregate collections of identifiers and symbols from FOSS code and index them so that the data can be retrieved efficiently by detection engines, automations and binary scanners. These symbols and identifiers are essential to software identification tools such as BANG, which match symbols found in source and binaries to determine the corresponding source code for a given binary input.
purl2sym is a new data collection and indexing system to collect code symbols from FOSS source packages (and binaries in the future) and store them for reuse in other software analysis processes.
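To make the indexing and matching concrete, here is an added example (not purl2sym's or BANG's code) of the two halves of such a system: collecting the symbols defined by each package version into an inverted index keyed by purl, and ranking candidate packages for a set of symbols observed in some unknown artifact, weighting symbols that few packages define more heavily than ones that many share. The packages are constructed stand-ins (Python source parsed with the `ast` module); a real collector would also pull symbol tables from compiled objects, which is out of scope here.

```python
import ast
from collections import defaultdict

# Constructed sample "source packages": purl -> {path: source}. Stand-ins for FOSS archives.
SAMPLE_PACKAGES = {
    "pkg:pypi/tinylog@1.0.0": {
        "tinylog/__init__.py": (
            "class LogSink:\n"
            "    def write(self, msg):\n        pass\n"
            "\n"
            "def rotate_logs(path):\n    pass\n"
        ),
    },
    "pkg:pypi/tinylog@1.1.0": {
        "tinylog/__init__.py": (
            "class LogSink:\n"
            "    def write(self, msg):\n        pass\n"
            "    def flush(self):\n        pass\n"
            "\n"
            "def rotate_logs(path):\n    pass\n"
            "\n"
            "def compress_logs(path):\n    pass\n"
        ),
    },
    "pkg:pypi/othermath@2.0": {
        "othermath/core.py": (
            "def rotate_logs(x):\n    pass\n"      # same name as tinylog's: a shared symbol
            "\n"
            "def integrate(f, a, b):\n    pass\n"
        ),
    },
}


def extract_symbols(source):
    """Top-level functions, classes and their methods defined in one Python module."""
    symbols = set()
    for node in ast.parse(source).body:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            symbols.add(node.name)
        elif isinstance(node, ast.ClassDef):
            symbols.add(node.name)
            for item in node.body:
                if isinstance(item, (ast.FunctionDef, ast.AsyncFunctionDef)):
                    symbols.add(f"{node.name}.{item.name}")
    return symbols


def build_index(packages):
    """Inverted index: symbol -> set of purls whose source defines it."""
    index = defaultdict(set)
    for purl, files in packages.items():
        for path, source in files.items():
            if path.endswith(".py"):
                for symbol in extract_symbols(source):
                    index[symbol].add(purl)
    return index


def match(observed_symbols, index):
    """Rank purls by the symbols they explain. Each symbol contributes 1/len(owners), so a
    symbol unique to one package version is worth more than one shared by many."""
    scores = defaultdict(float)
    for symbol in observed_symbols:
        owners = index.get(symbol, ())
        for purl in owners:
            scores[purl] += 1.0 / len(owners)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed: symbols recovered from some unknown artifact ("main" is in no known package).
OBSERVED = {"LogSink", "LogSink.write", "LogSink.flush", "rotate_logs", "main"}

if __name__ == "__main__":
    for purl, score in match(OBSERVED, build_index(SAMPLE_PACKAGES)):
        print(f"{score:.2f}  {purl}")
```

The ranking separates the two tinylog versions because `LogSink.flush` exists only in 1.1.0; that is the kind of version discrimination a vulnerability lookup keyed by purl needs.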
>> Read more about purl2sym
- PurlValidator — Check validity of software package identifiers online and offline
-
Package-URL, or PURL, is the de-facto standard for identifying software packages, used by open source SCA tools, SBOM and VEX specifications, and vulnerability databases. But using a standard syntax does not prevent errors: a recent (not yet published) study on the quality of software bills of materials (SBOMs) revealed that far too often PURLs in SBOMs are inconsistent, fake, incorrect, or misleading. This is a major impairment to any application of SBOMs, and to industry-wide cybersecurity and application security.
The PurlValidator project is a public service, based on PurlDB, to validate PURLs. An extension of the purl2all project, PurlValidator validates PURL syntax and checks PURLs against known ones by exposing PurlDB's reference data of 20M+ PURLs. PurlValidator also provides libraries for decentralized, offline use that can be integrated into multiple tech stacks for all major ecosystems, beyond what is already available in PURL tooling. The goal of this project is to provide an accessible, single source of truth to the security and SBOM ecosystem at large and to improve the quality and accuracy of the PURLs in use, which is imperative for CRA compliance.
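The distinction the paragraph draws, syntactically valid versus actually existing, is worth seeing in code. The following Python is an added example (not PurlValidator's or PurlDB's code) of both checks: a parser that follows the package-url spec's decomposition order (subpath, then qualifiers, then version, then type/namespace/name), a canonical serializer, and a lookup against a small constructed set of known PURLs standing in for PurlDB. Only two of the spec's type-specific normalization rules (pypi and github/bitbucket) are applied; the percent-encoding in the canonical form is deliberately conservative.

```python
import re
from urllib.parse import quote, unquote

# Per the package-url spec: lowercase letters, digits, '.', '+', '-', not starting with a digit.
TYPE_RE = re.compile(r"^[a-z][a-z0-9.+-]*$")


def _rsplit(s, sep):
    """Split at the rightmost sep; returns (s, '') when sep is absent."""
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, "")


def parse_purl(purl):
    """Decompose a purl string. Returns (components, errors); components is None without a scheme."""
    errors = []
    if not purl.startswith("pkg:"):
        return None, ["missing 'pkg:' scheme"]
    rest = purl[4:].lstrip("/")
    rest, subpath = _rsplit(rest, "#")        # subpath is everything after the rightmost '#'
    rest, qualifiers = _rsplit(rest, "?")     # qualifiers after the rightmost '?'
    rest, version = _rsplit(rest, "@")        # version after the rightmost '@'
    ptype, found, path = rest.partition("/")
    ptype = ptype.lower()
    if not TYPE_RE.match(ptype):
        errors.append(f"invalid type {ptype!r}")
    segments = [unquote(s) for s in path.split("/") if s] if found else []
    if not segments:
        errors.append("name is required")
        segments = [""]
    comp = {"type": ptype, "namespace": segments[:-1], "name": segments[-1],
            "version": unquote(version) or None, "qualifiers": {}, "subpath": []}
    if qualifiers:
        for pair in qualifiers.split("&"):
            key, has_eq, value = pair.partition("=")
            key = key.lower()
            if not has_eq or not key:
                errors.append(f"malformed qualifier {pair!r}")
            elif key in comp["qualifiers"]:
                errors.append(f"duplicate qualifier key {key!r}")
            elif value:  # spec: an empty value is the same as no qualifier at all
                comp["qualifiers"][key] = unquote(value)
    for seg in subpath.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            errors.append("subpath must not contain '..'")
        else:
            comp["subpath"].append(unquote(seg))
    # Two of the spec's type-specific normalization rules (others exist and are omitted here).
    if ptype == "pypi":
        comp["name"] = comp["name"].lower().replace("_", "-")
    elif ptype in ("github", "bitbucket"):
        comp["namespace"] = [s.lower() for s in comp["namespace"]]
        comp["name"] = comp["name"].lower()
    return comp, errors


def to_purl(comp, with_version=True):
    """Canonical string form; every component is percent-encoded conservatively."""
    out = "pkg:" + comp["type"]
    for seg in comp["namespace"]:
        out += "/" + quote(seg, safe="")
    out += "/" + quote(comp["name"], safe="")
    if with_version and comp["version"]:
        out += "@" + quote(comp["version"], safe="")
    if comp["qualifiers"]:
        out += "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(comp["qualifiers"].items()))
    if comp["subpath"]:
        out += "#" + "/".join(quote(s, safe="") for s in comp["subpath"])
    return out


# Constructed stand-in for a reference data set such as PurlDB (canonical form).
KNOWN_PURLS = {"pkg:pypi/django@4.1", "pkg:pypi/django@4.2", "pkg:npm/%40angular/core@12.0.0"}


def validate(purl, known=KNOWN_PURLS):
    """Syntax check, canonical form, and whether the exact PURL / the package is in the reference set."""
    comp, errors = parse_purl(purl)
    if comp is None or errors:
        return {"valid_syntax": False, "canonical": None, "known": False,
                "package_known": False, "errors": errors}
    canonical = to_purl(comp)
    known_packages = {to_purl(parse_purl(k)[0], with_version=False) for k in known}
    return {"valid_syntax": True, "canonical": canonical, "known": canonical in known,
            "package_known": to_purl(comp, with_version=False) in known_packages, "errors": []}
```

A PURL that is `valid_syntax` but neither `known` nor `package_known` is the "fake" case from the study; `package_known` without `known` usually means a made-up or mistyped version, which is the more common SBOM defect.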
>> Read more about PurlValidator
- Reaction — Event-based system programming
-
A lot of bots roam the internet, scanning server ports and web endpoints and filling out any web form they come across, continuously on the lookout for vulnerabilities to exploit. To maintain server security, one of the most common defense mechanisms today is to monitor logs for repetitive behaviour or for specific patterns that imply bot involvement. With tools like fail2ban, one can write simple rules to automatically isolate machines identified as suspect.
Reaction wants to provide a more modern and efficient approach to regex-based log scanning, allowing multiple Reaction instances to communicate and share bans across an entire infrastructure, as well as more intelligent and user-friendly soft bans. This extends the scope of this class of tooling, allowing it to act as a light monitoring tool or as an orchestrator for any other event-based actions.
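The mechanics behind both paragraphs, regex matching, a retry count inside a time window, escalating ban lengths, and bans propagated between instances, fit in a short simulation. The following Python is an added example written for this page; it is not Reaction's or fail2ban's code and uses none of their configuration syntax. The log lines are constructed (documentation-range addresses), and the policy values (three failures in ten minutes, a ten-minute first ban that doubles on each repeat, a shared in-memory list standing in for the inter-instance channel) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines, not captured from a real host.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[911]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2024-05-01T10:00:03 sshd[912]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-05-01T10:00:04 sshd[913]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
2024-05-01T10:00:07 sshd[914]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-05-01T10:30:00 sshd[915]: Failed password for root from 198.51.100.9 port 42000 ssh2
2024-05-01T11:00:00 sshd[916]: Failed password for root from 198.51.100.9 port 42001 ssh2
2024-05-01T11:30:00 sshd[917]: Failed password for root from 198.51.100.9 port 42002 ssh2
2024-05-01T12:00:00 sshd[918]: Failed password for root from 203.0.113.7 port 51010 ssh2
2024-05-01T12:00:01 sshd[919]: Failed password for root from 203.0.113.7 port 51011 ssh2
2024-05-01T12:00:02 sshd[920]: Failed password for root from 203.0.113.7 port 51012 ssh2
"""

# The single pattern this rule watches for; the named groups are what the rule acts on.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for .* from (?P<ip>[0-9.]+) port \d+"
)


class Scanner:
    """One log-scanning instance. `bus` is a shared list that stands in for the channel
    over which instances exchange ban events (an assumption of this example)."""

    def __init__(self, name, bus, maxretry=3, findtime=timedelta(minutes=10),
                 base_ban=timedelta(minutes=10)):
        self.name, self.bus = name, bus
        self.maxretry, self.findtime, self.base_ban = maxretry, findtime, base_ban
        self.hits = defaultdict(deque)      # ip -> timestamps of recent matches
        self.ban_count = defaultdict(int)   # ip -> number of bans so far (drives escalation)
        self.bans = {}                      # ip -> expiry time

    def feed(self, line):
        """Process one line; returns (ip, duration) if it triggered a ban, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        window = self.hits[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:   # forget hits outside findtime
            window.popleft()
        if len(window) >= self.maxretry:
            window.clear()                                  # start counting afresh after a ban
            return self.ban(ip, ts)
        return None

    def ban(self, ip, now):
        """Soft ban: length doubles with every repeat offence instead of being permanent."""
        self.ban_count[ip] += 1
        duration = self.base_ban * (2 ** (self.ban_count[ip] - 1))
        self.bans[ip] = now + duration
        self.bus.append({"from": self.name, "ip": ip, "until": self.bans[ip]})
        return ip, duration

    def sync(self):
        """Adopt bans published by other instances, keeping the latest expiry per address."""
        for event in self.bus:
            if event["from"] != self.name and self.bans.get(event["ip"], datetime.min) < event["until"]:
                self.bans[event["ip"]] = event["until"]

    def is_banned(self, ip, now):
        return self.bans.get(ip, datetime.min) > now


def run_demo():
    bus = []
    web, db = Scanner("web", bus), Scanner("db", bus)
    bans = [r for r in (web.feed(line) for line in SAMPLE_LOG.splitlines()) if r]
    db.sync()   # the db host never saw the sshd log but learns the ban
    return {
        "bans": bans,
        "db_banned": db.is_banned("203.0.113.7", datetime(2024, 5, 1, 12, 5)),
        "slow_attacker_banned": web.is_banned("198.51.100.9", datetime(2024, 5, 1, 11, 31)),
    }


if __name__ == "__main__":
    print(run_demo())
```

Note the slow attacker: three failures thirty minutes apart never exceed `maxretry` inside `findtime`, which is the standard blind spot of per-window counting and a reason to feed such events into a longer-horizon monitor rather than rely on bans alone.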
>> Read more about Reaction
- rrdnsd — DNS based load balancing and high availability
-
rrdnsd implements DNS-based load balancing and failover in order to increase the reliability of geographically distributed Internet services. It is designed to scale up to managing hundreds of services and to scale down to small deployments. Written in Rust, it prioritizes resilience, ease of deployment and hands-off maintenance, without depending on third-party services. It provides distributed connectivity monitoring using a quorum protocol, which allows partial network outages to be detected without raising false alarms.
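The false-positive problem the last sentence refers to is easiest to see with numbers. Below is an added Python example, not rrdnsd's code or its protocol, of the decision rule a quorum-based health check applies before changing the DNS answer set: a backend flips state only when at least a quorum of monitors agree, so one monitor sitting behind a broken path cannot fail the service over. The health reports are constructed, and the choices of what to do when no backend is healthy, or when too few monitors report, are assumptions stated in the comments.

```python
from collections import Counter

# Constructed health reports: monitor name -> backend IP -> reachable?
# mon-eu cannot reach 10.0.0.2 (a partial outage on mon-eu's own path), mon-asia cannot
# reach 10.0.0.3, while 10.0.0.4 is reported down by every monitor.
REPORTS = {
    "mon-eu":   {"10.0.0.1": True, "10.0.0.2": False, "10.0.0.3": True,  "10.0.0.4": False},
    "mon-us":   {"10.0.0.1": True, "10.0.0.2": True,  "10.0.0.3": True,  "10.0.0.4": False},
    "mon-asia": {"10.0.0.1": True, "10.0.0.2": True,  "10.0.0.3": False, "10.0.0.4": False},
}
BACKENDS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]


def quorum_state(reports, backends, quorum, last_known=None):
    """Health per backend. A backend is DOWN only if at least `quorum` monitors say so and
    UP only if at least `quorum` say so; with fewer votes either way (monitors missing,
    or a split) the previous state is kept rather than guessed."""
    last_known = last_known or {}
    state = {}
    for backend in backends:
        votes = Counter(r[backend] for r in reports.values() if backend in r)
        if votes[False] >= quorum:
            state[backend] = False
        elif votes[True] >= quorum:
            state[backend] = True
        else:
            state[backend] = last_known.get(backend, True)  # assumption: never-seen backend counts as up
    return state


def answer_set(state, ttl=30):
    """A records to hand out: healthy backends only. If none is healthy, all of them
    (assumption: a possibly broken answer beats an empty one that makes every client
    fail). The short TTL is what lets a failover take effect quickly."""
    healthy = [ip for ip, up in state.items() if up]
    pool = healthy or list(state)
    return [("A", ip, ttl) for ip in sorted(pool)]


def rotate(records, query_count):
    """Round-robin: rotate the answer order per query so load spreads across backends."""
    if not records:
        return records
    k = query_count % len(records)
    return records[k:] + records[:k]


if __name__ == "__main__":
    state = quorum_state(REPORTS, BACKENDS, quorum=2)
    for n in range(3):
        print(rotate(answer_set(state), n))
```

With three monitors and a quorum of two, both single-monitor outages are ignored and only `10.0.0.4` leaves the answer set; with a quorum of one, either of the partial outages would have triggered a spurious failover.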
>> Read more about rrdnsd
- Servo: Benchmarking and Statistics — Infrastructure for benchmarking and testing Servo
-
Servo is a web engine written in Rust that already provides results from the Web Platform Test Suite. However, these results may be difficult for newcomers to understand, as they lack a clear indication of the progress in supporting modern web standards. This creates challenges for the community in assessing the current state of development. When the community inquires about the support for specific features, these capabilities can often only be verified through manual testing. Moreover, finding information about Servo's performance can be equally challenging.
To address these issues, this project aims to develop an infrastructure to benchmark and report on the current state of Servo, monitor performance differences between commits, and present these metrics and supported features in a more comprehensible way. This will give the community a clearer understanding of the state of the Servo project, leading to a more active and engaged contribution environment.
>> Read more about Servo: Benchmarking and Statistics
- Sniffnet — User-friendly network monitoring application
-
Sniffnet is a cross-platform, Rust-based, fully open-source network monitoring application that helps everyone keep an eye on their Internet traffic. Sniffnet is a technical tool, but at the same time it strongly focuses on the overall user experience: most network analyzers are cumbersome to use, while one of Sniffnet's cornerstones is to be usable with ease by virtually anyone. In an era dominated by encrypted network traffic, Sniffnet does not follow the traditional monitoring approach of reporting full packet payloads; instead it provides flow-level details such as the country, the organization, the domain name, the upper-layer service, and other parameters that enable a more immediate understanding of the nature of the traffic.
>> Read more about Sniffnet
- Statime PTP Master — Statime - Zero-allocation cross-platform Precision Time Protocol
-
High-precision clock synchronization is becoming increasingly important in application areas such as high precision localization, finance, broadcasting, security protocols, smart grids, and cellular base station transmissions. The Precision Time Protocol (PTP) is widely used for these critical applications and it is therefore important for it to be as secure and reliable as possible.
We have previously developed the first iteration of Statime, an implementation of a PTP slave in the Rust programming language. The outcome of that project is a secure-by-design implementation, leveraging the Rust borrow checker to guarantee memory safety. With this project, we will expand our implementation in two ways. Firstly, we will expand the feature set to include a PTP master, conforming to the IEEE standard for PTP (the 2019 version, IEEE 1588-2019), so we can run a full PTP instance with the memory-safety guarantees that our implementation provides.
Secondly, our implementation will be able to run without an operating system or system allocator. Those properties make the implementation inherently portable and more reliable. Our concrete goal for this second phase is that it runs on the stm32f7 microcontroller, a device with built-in PTP Ethernet support, but otherwise limited capabilities.
>> Read more about Statime PTP Master
- Timing-Driven Place-and-Route (TDPR) — Open hardware tool to synthesize digital silicon circuits
-
The lack of an open-source timing-driven place-and-route tool is one of the major barriers to creating technically fully transparent digital integrated circuits such as microprocessors. The most popular open-source place-and-route tools available today are not timing-driven, hence the generated layouts are generally not guaranteed to satisfy the timing constraints. This requires tedious and time-consuming manual interventions. This project will combine published algorithms with existing open-source projects to fill this gap. The tool will be released with the free/libre AGPLv3 licence together with extensive documentation and tutorials.
>> Read more about Timing-Driven Place-and-Route (TDPR)
- Tracking weasel — Detect privacy violations in mobile apps
-
Privacy and data protection are fundamental rights and already well protected by legal frameworks in the EU. Yet, tracking—often without consent—is ubiquitous and often unavoidable. While tech-savvy users can defend themselves against that to a certain degree with tools like tracking blockers, we want to attack the problem at its root to make the web safe for everyone, regardless of expertise. With this project, we want to build infrastructure to detect privacy violations in apps on Android and iOS and crowdsource complaints against this behaviour with the data protection authorities. The result will be a web app where users can select an app from the app stores, which we will then download and run in an emulator or on an actual device. We will analyse the apps’ network traffic and detect privacy violations not just based on server connections but the actual data being transmitted. We will also check any consent dialogs. The website will then show a report to the user and, depending on the results, give them the option to generate a complaint under the GDPR and ePrivacy Directive, complete with the collected evidence from the analysis in the form of screenshots and traffic dumps.
>> Read more about Tracking weasel
- Trustix — Make build logs available as publicly verifiable, tamper-proof Merkle trees
-
Software build infrastructure is vastly underestimated in terms of its potential security impact. When we install a computer program, we usually trust downloaded software binaries. But even in the case of open source software: how do we know that we aren't installing something malicious which is different from the source code we are looking at - for instance to put us in a botnet or siphon away cryptocurrencies? Typically, we have confidence in the binaries we install because we get them from a trusted provider. But once the provider itself is compromised, the binaries can be anything. This makes depending on individual providers a single point of failure in a software supply chain. Trustix is a tool that compares build outputs across a group of providers - it decentralizes trust. Multiple providers independently build the software, each in their own isolated environment, and then can vouch for the content of binaries that are the outcome of reproducible builds - while non-reproducible builds can be automatically detected.
In this project the team will work on further enabling trust delegation, by offloading log verification to trusted third parties - heavily inspired by the Delegated Proof of Stake consensus algorithm. It will bring Trustix into the Nix and the Guix ecosystems that are most amenable to Trustix' approach. The ultimate goal is for Trustix to integrate seamlessly into the entirely decentralized software supply chain so we can securely distribute software without any central corruptible entity.
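The two ideas in the first paragraph, a tamper-evident log per builder and cross-builder comparison of outputs for the same input, can be demonstrated in a few dozen lines. The following Python is an added example written for this page, not Trustix's code or its exact log encoding: it uses the RFC 6962 leaf/node hash prefixes for domain separation but a simpler tree shape (an odd node is promoted unchanged), constructs three builders' logs with placeholder input and output hashes, verifies an inclusion proof against a root, and classifies each input as agreed, non-reproducible, or seen by too few builders to trust.

```python
import hashlib
import json


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    return _sha256(b"\x00" + entry)            # 0x00 prefix: leaf, as in RFC 6962


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)     # 0x01 prefix: inner node


def build_tree(entries):
    """All levels of the Merkle tree, leaves first. An odd node is promoted to the next level."""
    level = [leaf_hash(e) for e in entries]
    levels = [level]
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1]) if i + 1 < len(level) else level[i]
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def tree_root(levels):
    return levels[-1][0]


def inclusion_proof(levels, index):
    """Sibling hashes on the path from leaf `index` to the root, as (hash, sibling_is_left)."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):               # a promoted node has no sibling at this level
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_inclusion(entry, proof, expected_root):
    """Recompute the root from one entry and its proof; a verifier needs only the root."""
    h = leaf_hash(entry)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == expected_root


def log_entry(input_hash, output_hash):
    """One builder's claim: building `input_hash` produced `output_hash`."""
    return json.dumps({"input": input_hash, "output": output_hash}, sort_keys=True).encode()


# Constructed logs for three independent builders. The hashes are placeholders, not real
# derivation or store-path hashes. "drv-clock" stands for a build that embeds a timestamp.
BUILDER_LOGS = {
    "builder-a": [log_entry("drv-hello", "out-7f3a"), log_entry("drv-clock", "out-1111")],
    "builder-b": [log_entry("drv-hello", "out-7f3a"), log_entry("drv-clock", "out-2222")],
    "builder-c": [log_entry("drv-hello", "out-7f3a")],
}


def compare_builders(logs, input_hash, min_agreeing=2):
    """Verdict for one input across every builder's log: (verdict, {builder: output})."""
    outputs = {}
    for builder, entries in logs.items():
        for entry in entries:
            record = json.loads(entry)
            if record["input"] == input_hash:
                outputs[builder] = record["output"]
    if not outputs:
        return "unknown", outputs
    if len(set(outputs.values())) > 1:
        return "non-reproducible", outputs      # builders disagree: do not trust any of them
    if len(outputs) < min_agreeing:
        return "insufficient", outputs          # one builder agreeing with itself proves nothing
    return "agreed", outputs


if __name__ == "__main__":
    for name, entries in BUILDER_LOGS.items():
        levels = build_tree(entries)
        print(name, tree_root(levels).hex()[:16],
              all(verify_inclusion(e, inclusion_proof(levels, i), tree_root(levels))
                  for i, e in enumerate(entries)))
    for drv in ("drv-hello", "drv-clock", "drv-none"):
        print(drv, compare_builders(BUILDER_LOGS, drv)[0])
```

The comparison is only meaningful because each output claim is pinned in an append-only log whose root the builder has published: a builder that later wants to change its answer for `drv-hello` cannot do so without producing a root that no longer matches what verifiers already hold.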
>> Read more about Trustix
- Enhance the vulnerability database — Enhance the VulnerableCode vulnerability database
-
"Using Components with Known Vulnerabilities" is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is currently hindered by data structures and tools that are (1) designed primarily for commercial/proprietary software components and (2) too dependent on the National Vulnerability Database (funded by the US CISA and Dept. of Commerce). With the explosion of Free and Open Source Software (FOSS) usage, we need a new approach to efficiently identify security vulnerabilities in the FOSS components that are the basis of every modern software system and application, and that approach should be based on open data and FOSS tools.
This project delivers unique FOSS tools to aggregate software component vulnerability data from multiple sources, giving priority to upstream data directly from project maintainers. VulnerableCode organizes that data with the de-facto industry standard Package URL (PURL) identifier, enabling efficient and straightforward automation of the search for FOSS component security vulnerabilities. The benefits are improved security of software applications through open tools and data freely available to everyone, and less dependence on a single foreign governmental data source or a few foreign commercial data providers.
In the context of the upcoming Cyber Resilience Act (CRA), access to an open, free and curated FOSS package vulnerability data source is now imperative. The organization of vulnerability data by Package URL (PURL) identifiers in VulnerableCode enables frictionless integration with Software Composition Analysis (SCA) tool chains, direct enrichment of SBOMs (Software Bills of Materials) to find whether SBOM-listed packages have known vulnerabilities, and creation of VEX (Vulnerability Exploitability eXchange) documents to communicate the impact of known vulnerabilities.
>> Read more about Enhance the vulnerability database
- WebXray Discovery — Expose tracking mechanism in search hubs
-
WebXray intends to build a filter extension for the popular and privacy-friendly meta-search engine Searx that will show users which third-party trackers are used on the sites in their result pages. Users get full transparency about which tracker is operated by which company, and will be able to filter out sites that use particular trackers. This filter tool will be built on the unique ownership database WebXray maintains of tracking companies that collect personal data of website visitors.
Mapping the ownership of tracking companies which sell behavioural profiles of individuals is critical for all privacy and trust-enhancing technologies. Considerable scrutiny is given to the large players who conduct third-party tracking and advertising, whilst little scrutiny is given to the large number of smaller companies who collect and sell unknown volumes of personal data. Such collection is unsolicited, with invisible beneficiaries. The ease and speed of corporate registration gives data brokers the opportunity to mitigate their liability when collecting data profiles. We must therefore establish a systematic database of data broker domain ownership.
The filter extension that is the output of the project will make this ownership database visible and actionable to end users, and will curate crowdsourced data and add it to the current ownership database (which is already comprehensive, containing detailed information on more than 1,000 ad tech tracking domains).
>> Read more about WebXray Discovery
- XWiki — Bring wiki capabilities into the Fediverse
-
XWiki is a modern and extensible open source wiki platform. Up until now, XWiki had been focusing on providing the best collaboration experience and features to its users. We're now taking this to the next level by having XWiki be part of the larger federation of collaboration and social software (a.k.a. fediverse), thus allowing users to collaborate externally. XWiki is embracing the W3C ActivityPub specification. Specifically we're implementing the server part of the specification, to be able to both view activity and content happening in external services inside XWiki itself and to make XWiki's activity and content available from these other services too. A specific but crucial use case, is to allow content collaboration between different XWiki servers, sharing content and activity.
>> Read more about XWiki