The Internet runs on open-source software (OSS). It is probably fair to say that open source is everywhere. The Linux kernel, one of the building blocks of open source, is embedded in everything from supercomputers and cloud computing to billions of phones and most operating systems. “Open Source” software, as its name suggests, is available to anyone, and that openness makes it a particular challenge to track what is happening in it at all times. This, in turn, leads to the potential for unique and serious cybersecurity vulnerabilities.[1]
While proprietary code (not freely available on the internet) is not inherently more secure than open-source code (which is freely available), open source poses some familiar cybersecurity challenges. As the name suggests, it is open, allowing hackers or other bad actors to infiltrate. Some reports suggest that 70%-90% of any “software stack” consists of third-party code. The SolarWinds breach shows that once bad actors implant malware in what appears to be legitimate software, the subsequent updates of that software can disseminate the malware en masse.
Vulnerabilities range widely, but two of them are failing to manage library dependencies (by keeping dependencies up to date, developers can take advantage of bug fixes, security patches, and new features, and reduce security vulnerabilities) and bad-faith actors (people who intentionally break into systems, or contributors who intentionally change the software to make it exploitable).
The military, the US Cybersecurity and Infrastructure Security Agency (CISA), Google, and DARPA are concerned about this. According to a report in a 2022 issue of MIT Technology Review, “Much of modern civilization now depends on an ever-expanding corpus of open source code because it saves money, attracts talent, and makes a lot of work easier.”
While the open-source movement has opened an ecosystem we depend on, experts say we do not fully understand it. The MIT Technology Review report says, “There are countless software projects, millions of lines of code, numerous mailing lists and forums, and an ocean of contributors whose identities and motivations are often obscure, making it hard to hold them accountable.”
None of this seems to have slowed the rush to open source. A recent report from the Linux Foundation and The Laboratory for Innovation Science at Harvard estimated that OSS comprises 80-90% of any given software package; this number is likely to continue to grow. Red Hat’s “The State of Enterprise Open Source” report found that “79% of respondents expect that over the next two years, their organization will increase the use of enterprise open source software for emerging technologies.” In the past two decades, companies have used open-source code with increasing frequency, and companies are increasingly contributing to open-source projects that they use, even collaborating with competitors.
Clear guidelines exist for best practices related to any secure software, open or otherwise, including code reviews, scanning for vulnerabilities, visibility into the system, knowing the attack surface, having zero-trust architecture, and red teaming. These are just some ways code, packages, and systems can be evaluated for security. Ultimately, security requires an in-depth knowledge of the system and how the various parts interact.
The key advantage of open-source software is that the source code is available for inspection by anyone. According to Netsec.news, “anyone can check the code to see if best practices have been followed and if the coding is sloppy. Importantly, it is possible to see exactly what the software does with open source. Suppose the source code cannot be checked [such as proprietary software]. In that case, there is no alternative other than to trust that developers have been diligent, and the company has not incorporated code that performs hidden functions from the user.” Having a large and active community of users is a vulnerability, but it also means that, with the volume of people looking for security gaps, potential issues are quickly identified.
Knarik Petrosyan, writing for Security Boulevard, reports that businesses use third-party open-source software because it is more cost-effective and flexible than paid-for development solutions. Most organizations use some form of community-borne software, even without knowing it. It can increase the speed of development and decrease the costs. Petrosyan says, “Created voluntarily, OSS has code available for public inspection, modification, and enhancement. It’s used for various processes and tools, often to augment in-house proprietary code.” Corporations, from the smallest to the largest, have used OSS.
A 2021 MIT Technology Review article posed an important question: “If the internet runs on free, open-source software, who is paid to fix it?” Volunteer-run projects like Log4J keep the internet running. The result is unsustainable burnout and a national security risk when they go wrong. The Log4J project is an open-source tool used widely to record activity inside various types of software. It helps run applications from iCloud to Twitter.
Although Log4J has been a crucial piece of internet infrastructure, its vulnerability is extremely easy to exploit. The situation was made more complicated because Log4J was founded as a volunteer project.
Early attacks came from kids who passed malicious code on Minecraft servers. Hackers, including some linked to China and Iran, seek to exploit the vulnerability in any machine they can find that is running the flawed code. Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), has said this is “one of the most serious flaws” she’s ever seen. Developer Filippo Valsorda at Google echoed these concerns, stating, “Open-source runs the internet and, by extension, the economy…it is extremely common even for core infrastructure projects to have a small team of maintainers or even a single maintainer that is not paid to work on that project.”
As reported in the July 2022 MIT Technology Review, DARPA, the US military’s research arm, is working to understand the collision of code and community that makes open-source projects work. The idea behind the project is to find out more about how the system functions and predict potential risks better. To this end, DARPA’s “SocialCyber” program is an 18-month-long, multimillion-dollar project combining sociology with recent technological advances in artificial intelligence to map, understand, and protect these massive open-source communities and the code they create. According to the Review, “It’s different from most previous research because it combines automated analysis of both the code and the social dimensions of open-source software.”
In that same July 2022 MIT Technology Review report, Sergey Bratus, the DARPA program manager behind the project, said, “The open-source ecosystem is one of the grandest enterprises in human history.” Open-source software is inextricably linked to critical infrastructure, and Bratus said that open source underpins “The systems that run our industry, power grids, shipping, transportation.”
This is a special concern for the military because our adversaries could write critical code, and the stakes of possible security breaches are incredibly high.
To try and get a handle on this problem, DARPA, through the SocialCyber Program, has contracted with multiple teams of what it calls “performers,” including small, boutique cybersecurity research shops with deep technical chops. One such performer is New York–based Margin Research, which has assembled a team of well-respected researchers. “There is a desperate need to treat open-source communities and projects with a higher level of care and respect,” said Sophia d’Antoine, the firm’s founder.
Margin's work maps out who is working on which specific parts of open-source projects. For example, Huawei is currently the biggest contributor to the Linux kernel. Another contributor works for Positive Technologies, a Russian cybersecurity firm that, like China’s Huawei, has been sanctioned by the US government. In many cases, the open-source software that we all depend on is run by one or two volunteers. This makes a lot of existing infrastructure very fragile: it depends on open source, and the software at its base could be run by someone who quits one day, which happened in 2018 when the developer behind a popular open-source project called UA-Parser-JS quit, unwilling to work for free anymore. The software was later hijacked by malicious actors who inserted critical vulnerabilities into it.
Users have created this illusion of trust around open-source software and its code. As the military, governments, and others are now just realizing, we assume it (open source) will always be there because it’s always been there. D'Antoine from Margin Research said, “The government is only just realizing that our critical infrastructure is running code that could be being written by sanctioned entities. Right now.”
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://www.cybersecurityintelligence.com/blog/whats-the-problem-with-open-source-software-and-cybersecurity-7098.html