New subject: Fwd: OSTIF Boost security audit report

23 May 2024

      Hi,

Recently, a security audit of several Boost libraries has been
conducted. The audited Boost version was 1.83.0. The report is now
published here:

https://ostif.org/boost-audit-complete/
https://ostif.org/wp-content/uploads/2024/05/OSTIF-Boost-Report-PT-v1.4.pdf

In short, the following libraries were audited:

- Boost.Beast (1 medium issue)
- Boost.DLL (1 informational issue)
- Boost.Date_Time
- Boost.Filesystem
- Boost.GIL
- Boost.Graph (1 low and 1 informational issues)
- Boost.JSON
- Boost.Program_Options
- Boost.Regex (3 low issues)
- Boost.String_Algo
- Boost.URL
- Boost.UUID

No critical or high severity issues were identified. Of the 7 identified
issues, 4 are marked as closed, meaning the issues are fixed. The
remaining 3 are open and listed in Boost.Beast (medium), Boost.DLL
(informational) and Boost.Graph (informational).

During audit, several fuzzing harnesses were developed and added to
OSS-Fuzz:

https://github.com/google/oss-fuzz/tree/master/projects/boost

In the report, there were also a few general recommendations given to
improve project security:

- Monitor OSS-Fuzz Reports
- Implement a Vulnerability Disclosure Process
- Implement Supply-Chain Attack Countermeasures
- Improve the Documentation with Security Mechanisms and Assumptions
- Avoid the Abuse of Asserts

Also, one general recommendation to Boost users:

- Perform Strict Input Validation

You can find more details in the report.

I'd like to emphasize the "Implement Supply-Chain Attack
Countermeasures" part, which basically comes down to signing git tags
and release tarballs. I think, our release process is indeed not very
reliable, let's say, which showed during the past few releases:

- there was instance when different tarballs for the same RC were
generated from different git revisions
- git tags for the release were missing or pointing to a wrong git commit

Also, release tarballs on GitHub don't have hashsums or signatures attached.

https://github.com/boostorg/boost/issues/838

For tarballs on jfrog, thankfully, there are hashsums published in the
release notes. Perhaps, we could also publish .sig files for all
tarballs, and also publish the public key to verify the signature on the
website.

Also, under "Implement a Vulnerability Disclosure Process" it is
suggested to use GitHub Security Advisories[1] as the mechanism for
reporting security issues. I've never used this tool, but perhaps it is
worth enabling for boostorg on GitHub. Emailing library maintainers
privately might not be a very reliable mechanism for such reports, given
that maintainers may become inactive.

[1]:
https://docs.github.com/en/code-security/security-advisories/working-with-re...

OSTIF Boost security audit report

Andrey Semashev

Marshall Clow

Vinnie Falco

Sam Darwin

Vinnie Falco

Marshall Clow

Andrey Semashev

Marshall Clow

Marshall Clow

Peter Dimov

Peter Dimov

tags

participants (5)