TSC Meeting Notes 2019-09-26

Attending:

  • Cary Phillips
  • Christina Tempelaar-Lietz
  • Kimball Thurston
  • Joseph Goldstone
  • Peter Hillman
  • Doug Walker
  • Dan Hutchinson
  • Carol Payne
  • Daniel Heckenberg

Discussion:

  • Dan Hutchinson joined from Foundry to discuss security.

  • There’s a healthy security research community, likes to look at popular libraries and does research to find vulnerabilities. They’re quite enthusiastic.

  • Projects need a security policy, and should announce a solicitation to the community to report vulnerabilities. Some projects post a PGP key with which to encrypt vulnerability reports.

  • Projects should have a Responsible Disclosure Policy - given 60 days to respond.

  • There’s a huge chasm between a bug and an exploit, a way of turning the bug into an actionable way of gaining access to a system. It’s legitimate for projects to ask, “Do you have an exploit available?”

  • Projects need static and dynamic analyzers. OpenEXR uses Sonar. SonarCube is a report aggregator. It can subsume valgrind reports.

  • How concerned should we be about security? Put yourself in the shoes of a hacker: file formats are a common attack vector.

  • Dan: OpenEXR is being proactive already;IlmImfFuzzTest is “awesome”.

  • Dan: Fewer than 10 CVE’s in 10 years is a pretty good record for a file format.

  • Dan: From what you’ve said, OpenEXR has ticked all the security boxes.

  • There are issues with how the library is used: the API says pass in a buffer of size X and application passes in buffer of size X-1, and we overwrite. Is that our problem? Not really.

  • Some of the complaints were that the library could allocate all the machine’s memory, then something else would crash, leading to a DoS. DoS attacks are common, but not the worst vulnerability.

  • An image can be large but compress well, so a small file can lead to large memory allocation.

  • Tiff has a comparable attribute structure: is there anything we can learn from them?

  • Is there a plan to provide binary packages hosted in nexus? Not yet.

  • Should use common hardening C++ flags.

  • Is it worth providing GPG signatures? It prevents against someone someone inserting something into the repo, and man-in-the-middle attacks..

  • Should enable 2-factor authentication on GitHub accounts.

  • Would hope that package maintainers would be proactive, but many of them probably include OpenEXR only because it’s a dependency of something else which might not have changed..

  • Reference images: it would be helpful to have a set of images for use with a performance test suite, and that exhibit a range of features of the library and format, such as multiple AOV’s, etc. https://github.com/openexr/openexr-images needs some curating.

  • TAC meeting yesterday - Michael Johnson mentioned that Apple is sitting on some security-related issues, will work on getting them approved.