December 18, 2020

Security Lab research: a year in review

GitHub Security Lab Team

Since its inception at GitHub Universe 2019, the GitHub Security Lab has set out on its mission to bridge the gap between the security research and developer communities to work toward the shared goal of securing open source software.

To date, the Security Lab team has reported over 400 issues across the open source community, which translated into 194 Common Vulnerabilities and Exposures (CVE) assignments. Not every bug report ends up with a CVE assignment; we often also report “normal” bugs we run into while looking for vulnerabilities. Code security is a subset of code quality, and we feel reducing bug density is a worthwhile effort regardless of any security accolades.

We’ve presented the results of our research and participated in security and developer conferences across the globe, including FOSDEM, Black Hat Europe and USA, DEFCON, EkoParty, HITCON, OffensiveCon, RootedCon, and POC.

In this post we will highlight some of our inaugural research findings and initiatives as we gear up for the 2021 bug hunting season.

Scaling vulnerability research

Much of the Security Lab mission is aimed at enabling other researchers and developers to use the Security Lab’s findings to secure their own code. By distilling our research findings into shared CodeQL queries, we hope to amplify bug hunting efforts across the community. The goal is to enable and inspire variant analysis of established bug patterns, such that the patch yield of a single bug finding goes beyond just a single bug report. Ideally we turn single bug findings into many fixes across many projects.

A good example of this effort has been our work on Java Bean Validation template injection vulnerabilities. Incremental improvements to the same queries that uncovered Remote Code Execution (RCE) vulnerabilities in many high profile Java applications in early 2020 ultimately led to the discovery and fix of a critical remote vulnerability in Germany’s COVID-19 response infrastructure. This is a great example of open source teams across the globe pulling together to improve open source security.

Throughout the year we were able to take this same CodeQL-driven variant analysis approach to many different high profile open source projects, including the Linux kernel and Google Chrome.

Combined with code scanning, we hope that CodeQL-driven variant analysis and other efforts like it are steps toward effectively scaling vulnerability research to all of open source.

We will continue to work closely with GitHub’s CodeQL teams and the CodeQL community to make high impact CodeQL queries available to maintainers.

Sharing research methodology

As an open source security team, the Security Lab openly shares its audit methodologies and vulnerability research insights with the wider security research community.

From novel approaches to glibc allocator exploitation and exploiting use after free vulnerabilities in Google Chrome, to CodeQL driven code audits, our aim has been to provide transparency of tooling and research approaches so that others can replicate and expand on our work.

Fuzzing

Another mainstay of Security Lab’s bug hunting efforts is fuzzing. The team has delivered several fuzzing workshops at conferences throughout the year as well as shared the details of our fuzzing methodology and tooling with the wider community.

Examples include our popular blog series on fuzzing network software and the release of our custom Android NFC fuzzer which uncovered multiple vulnerabilities in Android’s NFC stack.

Community collaboration

The Security Lab encourages and invites collaboration with the wider security research and developer community. We want to enable other researchers to use our platform to amplify their own work and results.

An example of this is GitHub star Jonathan Leitschuh’s many contributions to open source security through the Security Lab’s bug bounty program and his guest post on the Security Lab blog detailing the results of his own research.

Other areas of community collaboration included helping CERT triage a vulnerability that affected projects across the GitHub platform, as well as participating in a legislative forum on the coordinated disclosure process for the Lithuanian government.

We continue to work closely with outside researchers and organizations to join forces where we can, and we hope to expand these collaboration efforts in 2021. If you would like to amplify your research through the Security Lab, or otherwise contribute to the open source security mission, we would love to hear from you!

Securing the software we use and love

The Security Lab is heavily invested in open source security as a whole and spends large amounts of time hunting for vulnerabilities in the software we depend on ourselves. A great example of this has been the team’s efforts to help secure the Ubuntu ecosystem.

This research resulted in fixing multiple Local Privilege Escalation (LPE) vulnerabilities in Ubuntu’s crash reporting system and most recently an LPE unique to Ubuntu’s implementation of GDM3.

Securing the GitHub platform

The GitHub Security Lab is only one of many security teams at GitHub. While the Security Lab receives public attention due to its outward focus, we want to recognize our colleagues in the GitHub Security Incident Response Team (SIRT) and Application Security team who work tirelessly to secure the GitHub platform itself.

On occasion we get the chance to help out on their GitHub platform security mission as well, as was the case with the response to the Octopus Scanner malware. The Security Lab collaborated with GitHub SIRT after they received an incident report from community member and security researcher @dfir_it about a set of potentially infected repositories. We were able to provide our SIRT and the open source community with a thorough analysis of what appeared to be an organized supply chain attack against developers using the NetBeans IDE.

In addition to sharing our research resources with other GitHub teams, the Security Lab also spent a good amount of time this year reporting CI/CD vulnerabilities to maintainers. We regularly audit project-specific GitHub workflows for vulnerabilities that may leave repositories exposed to abuse and report them directly to maintainers. We will continue this effort in 2021 and scale this work where possible, for example through CodeQL queries for GitHub workflow vulnerabilities.

Next steps

Our inaugural year has been a great learning experience in terms of how the open source community can benefit from a team like ours. We will expand our variant analysis work, grow our community contributions and collaborations, and most importantly continue to build bridges between the developer and security research community.

A lot of security is social, and through our many interactions with maintainers we recognized that there is room to grow the socio-technical understanding of security research. To that end we started a new research effort within the Lab focused specifically on this area to complement our existing security research. This work is aimed at making the interaction between security researchers and project maintainers as positive and productive as possible, and we are very excited to share the results of this effort in 2021 with the wider community.

Another area we look forward to focusing on more in 2021 is providing actionable content for developers in terms of defensive programming guidelines as well as security research content that is aimed specifically at a developer and maintainer audience.

As we slowly start to sunset the challenges of 2020 and the silver linings of a new year appear, the Security Lab is excited to take on 2021 with a renewed focus and drive.