Unbound version 1.9.6 improved following security audit
"Whenever you add new features, it's inevitable that you add new bugs to your code as well"
The Unbound validating resolver has undergone a security audit. One critical, five high-severity, five medium-severity and several dozen other bugs and issues were flagged up. A security patch for the critical bug was applied in version 1.9.5 of Unbound, and fixes for the other issues in version 1.9.6. A total of forty-eight corrections were made.
The audit was designed to locate bugs and weaknesses in the (open) source code that could impact the security of servers running Unbound. The exercise involved a combination of manual code auditing (reading the source code), fuzzing (automatically generating random input) and static analysis (analysing the source code using tools).
New features, new bugs
"Our programmers are of course very good," says Benno Overeinder, Director of NLnet Labs, "and Unbound is developed with security in mind. Security thinking starts with the architecture and continues right through to the code. However, programmers are only human, and sometimes they overlook things. Whenever you add new features, it's inevitable that you add new bugs to your code as well."

"When fixing minor issues, we don't do a code review. However, we're now adding several major new features (RPZ and serve-stale), which together represent several months' work. With features like that, we begin with high-level developers' meetings. The process ends with a git pull, after which the code can be reviewed by others."
The Unbound audit was funded by the Open Source Technology Improvement Fund (OSTIF). The money ($139,000) was raised earlier in the year by crowdfunding [1, 2]. The biggest donors were VPN provider Private Internet Access (PIA) and certificate supplier Let's Encrypt. The audit was performed by X41 D-Sec GmbH in Germany. It involved five people working a total of forty-four person-days. The full audit report is available here. It includes details of a serious bug previously found by X41, which was fixed in version 1.9.4 of Unbound.
NLnet Labs involved all the Unbound developers in the audit from the start. "The bugs flagged up by X41 were fixed and published immediately," says Senior Developer Wouter Wijngaards. "X41 told us that that doesn't happen very often. That's why they sent us other fixes as well."

While some software developers and suppliers regard bug reports as attacks on their quality and brand, Overeinder asserts that his team is pleased to receive them. "Maximum transparency is in our interests and we take bug reports very seriously. They make our code better."

"Wherever lessons can be learned from the audit, we've taken those lessons on board," Wijngaards adds. "For example, I'm now paying more attention to integer overflows." Over time, great improvements have also been made in terms of static analysis of the source code. "When we started with Unbound ten years ago, we were still using lint, but now we use Clang tools."
X41 also wants to donate a number of the fuzzers they have developed to the Unbound project in the form of open-source code. "The fuzzers in question are specialised extensions to OSS-Fuzz, which we can include in the contrib/ section of our software," explains Wijngaards. "That will ultimately make it easier for the community to test Unbound." The NLnet Labs team doesn't intend to do any fuzzing itself, however. "It's extremely painstaking work. But there are researchers at universities and specialists in the community who do fuzzing. Last summer, someone sent us a fuzz fix for NSD, for example."
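To make the two techniques the article mentions concrete (fuzzing with an OSS-Fuzz style entry point, and the integer-overflow class of bug the developers say they now watch for), here is an added example that is not code from Unbound, NLnet Labs or X41. It wraps a small constructed DNS wire-format name decoder in a libFuzzer-compatible harness; the decoder is a toy written for this illustration and does not mirror Unbound's own parser, and the `NO_MAIN` macro is an assumption of this example, not a project build flag.

```c
/* Added example, not code from Unbound or X41: a libFuzzer-style harness
 * around a small constructed DNS wire-format name decoder. Every bound in
 * the decoder is checked by subtracting from a value already known to be
 * larger, so no length addition can wrap, and the harness is the kind of
 * entry point OSS-Fuzz drives with random input. The parser is a toy and
 * does not reproduce Unbound's own implementation. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 255 /* RFC 1035: a wire-format name is at most 255 octets */

/* Decode an uncompressed DNS name at msg[0] into dotted text in out
 * (e.g. "www.example.com."; the root name becomes "."). Returns the number
 * of wire bytes consumed on success, 0 if the input is malformed or the
 * text does not fit in out. */
size_t decode_name(const uint8_t *msg, size_t len, char *out, size_t outlen)
{
    size_t pos = 0;    /* read offset into msg */
    size_t outpos = 0; /* write offset into out; always < outlen */

    if (outlen == 0)
        return 0;
    for (;;) {
        if (pos >= len)
            return 0; /* input ended before the root label */
        uint8_t lablen = msg[pos++];
        if (lablen == 0)
            break; /* root label terminates the name */
        if (lablen & 0xC0)
            return 0; /* compression pointer (or length > 63) not accepted */
        if (lablen > len - pos)
            return 0; /* label would run past the end of the message */
        if (pos >= MAX_NAME || lablen > (MAX_NAME - 1) - pos)
            return 0; /* name plus its final root byte would exceed 255 */
        if ((size_t)lablen + 2 > outlen - outpos)
            return 0; /* no room for the label, the '.' and the NUL */
        memcpy(out + outpos, msg + pos, lablen);
        outpos += lablen;
        out[outpos++] = '.';
        pos += lablen;
    }
    if (outpos == 0) { /* root name: emit "." rather than an empty string */
        if (outlen < 2)
            return 0;
        out[outpos++] = '.';
    }
    out[outpos] = '\0';
    return pos;
}

/* libFuzzer/OSS-Fuzz entry point. Build with
 *   clang -g -fsanitize=fuzzer,address -DNO_MAIN this_file.c
 * and AddressSanitizer reports any out-of-bounds access decode_name makes
 * on the generated inputs. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char name[MAX_NAME + 1];
    (void)decode_name(data, size, name, sizeof name);
    return 0;
}

/* Smoke test with constructed inputs (not captured traffic). Returns how
 * many of the samples the decoder rejected: expected 2 of 3. */
size_t run_samples(void)
{
    static const uint8_t good[] = { 3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
    static const uint8_t truncated[] = { 3,'w','w' };  /* label runs past the end */
    static const uint8_t pointer[] = { 0xC0, 0x0C };    /* compression pointer */
    const uint8_t *samples[] = { good, truncated, pointer };
    size_t sizes[] = { sizeof good, sizeof truncated, sizeof pointer };
    size_t rejected = 0;
    for (size_t i = 0; i < 3; i++) {
        char name[MAX_NAME + 1];
        size_t used = decode_name(samples[i], sizes[i], name, sizeof name);
        if (used == 0)
            rejected++;
        printf("sample %zu: %s\n", i, used ? name : "rejected");
    }
    return rejected;
}

#ifndef NO_MAIN /* libFuzzer supplies its own main(); NO_MAIN is this example's own switch */
int main(void)
{
    return run_samples() == 2 ? 0 : 1;
}
#endif
```

The subtraction pattern (`lablen > len - pos` rather than `pos + lablen > len`) is the point: the left operand is a single byte and the right operand is computed from values the loop has already proven ordered, so the comparison cannot be defeated by wraparound, which is exactly the kind of arithmetic a fuzzer with sanitizers is good at exercising.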
Unbound in OpenBSD
Unbound has been the default resolver in OpenBSD and numerous other Unix-like systems for a while. From version 6.7 of OpenBSD, not only is Unbound included in the distribution, but DNSSEC validation is also enabled by default. OpenBSD is regarded as the most secure operating system around and serves as the source for countless security technologies that over time find their way into other operating systems.