David A. Wheeler's Blog

Wed, 04 May 2016

Get your CII best practices badge!

If you’re involved in a free / libre / open source software (FLOSS) project, go to bestpractices.coreinfrastructure.org and get your best practices badge!

The Linux Foundation’s Core Infrastructure Initiative (CII) has just announced its CII best practices badging program for FLOSS projects. It’s a free program that lets developers explain how they follow best practices, and if they do, they can get a badge that they can show on their GitHub page or anywhere else. Early badge earners include the Linux kernel, Curl, GitLab, OpenBlox, OpenSSL, Node.js and Zephyr.

The idea is straightforward. The Heartbleed vulnerability in OpenSSL made it obvious that there are widely-accepted best practices that not everyone is doing - and that even includes important projects. This isn’t just speculation; if you compare OpenSSL before Heartbleed with current OpenSSL the difference is striking. I think it’s clear that if more projects would apply generally-accepted best practices, we’d have more secure software. This badging process helps projects identify those best practices, determine if they meet them, and show everyone else that they’re meeting them.

The web application and criteria are being maintained as an open source software project, so we’d love to have you! I say “we” because I’m leading this project… but it’s not just me, and we would love to have you involved.

More detail is in the Linux Foundation press release about the best practices badging project.

path: /oss | Current Weblog | permanent link to this entry

Thu, 10 Mar 2016

US government - Reusable and Open Source Software

The US White House has announced (in its blog) Leveraging American Ingenuity through Reusable and Open Source Software. They state that, “Today, we’re releasing for public comment a draft policy to support improved access to custom software code developed for the Federal Government.” They are accepting comments on this draft policy via GitHub pull requests, GitHub issues, or email. I definitely plan to take a look, and I’m sure they would like feedback from many people.

Note that I also posted this information on Twitter.

Mon, 01 Feb 2016

Using open source software to help technology transition of research

If you’re doing software research and development (especially on how to improve computer security), and are thinking about using an open source software (OSS) approach but don’t know a lot about it, here’s something that may help: Using an Open Source Software Approach for Cybersecurity Technology Transition (IDA paper P-5279, aka the “PI guide”). If you’re an old hand at developing Free/ libre/ open source software (FLOSS or OSS), you probably know most of this information. However, I’ve found that a lot of people could use a hand. Here’s that helping hand.

Fri, 09 Oct 2015

Government adoption of OSS

If you’re interested in open source software (OSS), or in how governments can work better, take a look! Mark Bohannon has posted the article “U.S. report highlights positive elements of government open source adoption” on Opensource.com. This discusses a paper Tom Dunn and I wrote Open Source Software in Government: Challenges and Opportunities, and discusses a few things that have happened since. Enjoy!

Wed, 30 Sep 2015

Redeveloping open source software in Linux Foundation projects: $5 billion and 30 years

The Linux Foundation now estimates it would cost $5 billion and 30 years to redevelop “the software residing in The Linux Foundation’s collaborative projects”. That’s not even all free / libre / open source software (FLOSS). Of course, there are many caveats, but that’s still an intriguing number; it provides a simple view of just how big FLOSS has become. They also credit me, since they applied the same general process I developed earlier in my “More than a Gigabuck” paper. Thanks! If you’re interested in FLOSS, I think you’ll find this paper intriguing.

Fri, 27 Mar 2015

Z3 is OSS!

Z3 has been released as open source software under the MIT license! This is great news. Z3 is a good satisfiability modulo theories (SMT) solver / theorem prover from Microsoft Research. An SMT solver accepts a set of constraints (such as “a<5 and a>1”) and tries to produce values that satisfy all the constraints. A satisfiability (SAT) solver does this too, but SAT solvers can only work with boolean variables; SMT solvers can handle other types, such as integers. Here is a Z3 tutorial.

SMT solvers are basically lower-level tools that have many uses for building larger capabilities, because many problems require solving logical formulas to find a solution.

I am particularly interested in the use of SMT solvers to help prove that programs do something or do not do something. Why3 is a platform that lets you write programs and their specifications, and then calls out to various provers to try to determine if the claims are true. By itself Why3 only supports its WhyML language, but Why3 can be combined with other tools to prove statements in other languages. Those include C (using Frama-C and a plug-in), Java, and Ada. People have been able to prove tiny programs for decades, but scaling up to bigger programs in practice requires a lot of automation. I think this approach of combining many different tools, with different strengths, is very promising.

The more tools that are available to Why3, the more likely it will solve problems automatically. That’s because different tools use different heuristics and focus on different issues, so each one is good at different things. There are already several good SMT solvers available as OSS, including CVC4 and alt-ergo.

Now that Microsoft has released Z3 as OSS, there is yet another strong OSS SMT solver that tools like Why3 can use directly. In short, the collection of OSS SMT solvers has just become even stronger. There’s a standard for SMT solver inputs, the SMT-LIB format, so it’s not hard to take advantage of many SMT solvers. My hope is that this will be another step in making it easier to have strong confidence in software.
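To make the two points above concrete (the “a<5 and a>1” constraint problem, and the SMT-LIB input format that lets one file be fed to many solvers), here is an added example that is not part of the original post or of the Z3 project’s own documentation. The integer `a` and the Boolean `flag` are constructed names; the Boolean is there only to show the mixing of sorts that a pure SAT solver cannot express directly.

```smt2
; Added example (not from the original post): the constraint "a<5 and a>1"
; written in SMT-LIB 2, plus a constructed Boolean `flag` tied to `a`.
(set-option :produce-models true)   ; ask the solver to report a satisfying assignment
(set-logic QF_LIA)                  ; quantifier-free linear integer arithmetic
(declare-const a Int)
(declare-const flag Bool)
(assert (< a 5))                    ; a < 5
(assert (> a 1))                    ; a > 1
(assert (=> flag (= a 3)))          ; if flag holds, a must be exactly 3
(assert flag)                       ; require flag, so the only consistent a is 3
(check-sat)
(get-model)
```

Saved as a `.smt2` file, the same input runs unchanged under Z3 (`z3 file.smt2`) or CVC4 (`cvc4 file.smt2`); both answer `sat` and report a model assigning `a` the value 3 and `flag` the value true. Adding `(assert (> a 10))` before `(check-sat)` contradicts `a < 5` and turns the answer into `unsat`, which is exactly the kind of question a verification platform such as Why3 hands to a solver: “is there any assignment that violates this claim?”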

Mon, 20 Oct 2014

Open Source Software in U.S. Government

The report “Open Source Software in Government: Challenges and Opportunities” is available to the public (you can jump to the “Download full report” link at the bottom). This paper, which I co-authored, discusses key challenges and opportunities in the U.S. government application of open source software (OSS). It became publicly available only recently, even though it was finished a while back; I hope it’s been worth the wait. If you’re interested in the issues of OSS and government, I think you’ll find this report very illuminating.

Wed, 21 May 2014

On Dave and Gunnar show

There is now an interview of me on the Dave and Gunnar show (episode #51). I talk mostly about How to prevent the next Heartbleed. I also talk about my FLOSS numbers database (as previously discussed) and vulnerability economics. There was even a mention of my Fully Countering Trusting Trust through Diverse Double-Compiling work.

Since the time of the interview, more information has surfaced about Heartbleed. Traditional fuzzing could not find Heartbleed, but it looks like some fuzzing variants could even if the OpenSSL code was unchanged; see the latest version for more information. If you learn more information relevant to the paper, let me know!

Thu, 08 May 2014

FLOSS numbers database!

If you are doing research related to Free / Libre / Open Source Software (FLOSS), then I have something that may be useful to you: the FLOSS numbers database.

My paper Why Open Source Software / Free Software (OSS/FS, FLOSS, or FOSS)? Look at the Numbers! is a big collection of quantitative studies about FLOSS. Too big, in fact. There have been a lot of quantitative studies about FLOSS over the years! A lot of people want to query this information for specific purposes, and it is hard to pull out just the parts you want from a flat document. I had thought that as FLOSS became more and more common, fewer people would want this information… but I still get requests for it.

So I am announcing the FLOSS numbers database; it provides the basic information in spreadsheet format, making it easy to query for just the parts you want. My special thanks go to Paul Rotilie, who worked to get the data converted from my document format into the spreadsheet.

If you want to discuss this database, I have set up a discussion group: Numbers about Free Libre Open Source Software. If you are doing research and need or use this kind of information, please feel free to join. If you just need a presentation based on this, you might like my Presentation: Why Free-Libre / Open Source Software (FLOSS or OSS/FS)? Look at the Numbers!.

This database is the sort of thing that if you need it, you really need it. I am sure it is incomplete… but I am also sure that with your help, we can make it better.

Thu, 24 Apr 2014

Opensource.com interview

Opensource.com has posted an interview of me, titled “US government accelerating development and release of open source”. In this interview I describe the current state of the use of open source software by the US federal government, the challenges of the Federal acquisition system, and I also discuss what may happen next. Enjoy!

Thu, 20 Feb 2014

Presenting at American Society for Quality

On February 25, 2014, I will be presenting on “Open Source Software and Government” at the American Society for Quality (ASQ) Software SIG. You can join in person in McLean, Virginia; there will also be various video tele-conferencing sites, and you can join by phone or online as well.

If you’re interested, you’re welcome to join us, but you’ll need to pre-register.

Fri, 07 Feb 2014

William W. McCune: He made the world a better place through source code

Here I want to honor the memory of William W. (“Bill”) McCune, who helped change the world for the better by releasing software source code. I hope that many other researchers and government policy-makers will follow his lead… and below I intend to show why.

But first, I should explain my connection to him. My PhD dissertation involved countering the so-called “trusting trust” attack. In this attack, an attacker subverts the tools that developers use to create software. This turns out to be a really nasty attack. If a software developer’s tools are subverted, then the attacker actually controls the computer system running the software. This is no idle concern, either; we know that computers are under constant attack, and that some of these attacks are very sophisticated. Such subversions could allow attackers to essentially control all computers worldwide, including the global financial system, militaries, electrical systems, dams, you name it. That kind of power makes this kind of attack potentially worthwhile, but only if it cannot be detected and countered. For many years there were no good detection mechanisms or countermeasures. Then Henry Spencer suggested a potential solution… but there was no agreement that his idea would really counter attackers. That matters; how can you be absolutely certain about some claim?

The “gold standard” for knowing if something is true is a formal mathematical proof. Many important questions cannot be proved this way, all proofs depend on assumptions, and creating a formal proof is often hard. Still, a formal mathematical proof is the best guarantee we have for being certain about something. And there were a lot of questions about whether or not Henry Spencer’s approach would really counter this attack. So, I went about trying to prove that Henry Spencer’s idea really would counter the attack (if certain assumptions held).

After trying several other approaches, I found that the tools developed by Bill McCune (in particular prover9, mace4, and ivy) were perfect for my needs. These tools made my difficult work far easier, because his tools managed to mostly-automatically prove claims mathematically once they were described using mathematical statements. In the end, I managed to mathematically prove that Henry Spencer’s approach really did counter the subverted compiler problem. The tools Bill McCune developed and released made a real difference in helping to solve this challenging real-world problem. I didn’t need much help (because his tools were remarkably easy to use and well-documented), but he responded quickly when I emailed him too.

Sadly, Bill McCune suddenly died on May 4, 2011, leaving the field of automated reasoning deprived of one of its founders (particularly in the subfields of practical theorem proving and model building). In 2013 an academic book was released in his honor (“Automated Reasoning and Mathematics: Essays in Memory of William W. McCune”, Lecture Notes in Artificial Intelligence 7788). That book’s preface has a nice tribute to Bill McCune, listing some of his personal accomplishments (e.g., the development of Otter) and other accomplishments that his tools enabled.

Bill McCune released many tools as open source software (including prover9, mace4, ivy, and the older tool Otter). This means that anyone could use the software (for any purpose), modify it, and distribute it (with or without modification). These freedoms had far-reaching effects, accelerating research in automated proving of claims, as well as speeding the use of these techniques. That book’s preface notes several of Bill McCune’s accomplishments, including the impact he had by releasing the code:

All too often the U.S. government spends a fortune on research, and then that same research has to be recreated from scratch several times by other researchers (sometimes unsuccessfully). This is a tremendous waste of government money, and can delay work by years (if it can happen at all), resulting in far less progress for the money spent. Bill McCune instead ensured that these results got out to people who could use and improve upon them. In this specific area Bill McCune made software research available to many others, so that those others could use it, verify it, and build on top of those results.

Of course, he was not alone in recognizing the value of sharing research when implemented as software. The paper “The Evolution from LIMMAT to NANOSAT” by Armin Biere (April 2004) makes the same point when they tried to reproduce others’ work. That paper states, “From the publications alone, without access to the source code, various details were still unclear… what we did not realize, and which hardly could be deduced from the literature, was [an optimization] employed in GRASP and CHAFF [was critically important]… Only [when CHAFF’s source code became available did] our unfortunate design decision became clear… The lesson learned is, that important details are often omitted in publications and can only be extracted from source code. It can be argued, that making source code … available is as important to the advancement of the field as publication.”

More generally, Free the Code.org argues that if government pays to develop software, then it should be available to others for reuse and sharing. That makes sense to me; if “we the people” paid to develop software, then by default “we the people” should receive it. I think it especially makes sense in science and research; without the details of how software works, results are not reproducible. Currently much of science is not reproducible (and thus not really science), though open science efforts are working to change this.

I think Bill McCune made great contributions to many, many, others. I am certainly one of the beneficiaries. Thank you, Bill McCune, so very much for your life’s work.

Sun, 01 Dec 2013

Shellcheck

I just learned about shellcheck, a tool that reports on common mistakes in (Bourne) shell scripts. If you write shell scripts, you should definitely check out this static analyzer. You can try it out by pasting shell scripts into their website. It is open source software, so you can also download and use it to your heart’s content.

It even covers some of the issues identified in Filenames and Pathnames in Shell: How to do it Correctly. If you are interested in static analyzers for software, you can also see my Flawfinder home page which identifies many other static analysis tools.
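As an added illustration (not code from the original post or from the shellcheck project) of the kind of filename mistake shellcheck catches: the function below named `count_files_fragile` iterates over the output of `ls`, which word-splits any filename containing a space, while `count_files_safe` iterates over a glob, which yields one word per entry no matter what characters the name contains. The function names and the sample filenames created in the usage section are constructed for this example.

```sh
# Added example, not from the original post: two ways to count the entries in a
# directory. count_files_fragile uses the `for f in $(ls ...)` pattern that
# shellcheck flags, while count_files_safe uses a glob and keeps names intact.
# Function names and the sample filenames below are constructed for illustration.

count_files_fragile() {
    dir=$1
    n=0
    # shellcheck warns here: iterating over ls output splits "a b.txt" into two words
    for f in $(ls "$dir"); do
        n=$((n + 1))
    done
    echo "$n"
}

count_files_safe() {
    dir=$1
    n=0
    # A glob expands to one word per entry regardless of spaces or newlines in names.
    for f in "$dir"/*; do
        [ -e "$f" ] || continue   # skip the literal pattern when the directory is empty
        n=$((n + 1))
    done
    echo "$n"
}

# Usage: build a constructed sample directory and compare the two counts.
sample=$(mktemp -d)
touch "$sample/a b.txt" "$sample/c.txt"
echo "fragile: $(count_files_fragile "$sample")"   # over-counts the two files
echo "safe:    $(count_files_safe "$sample")"
rm -r "$sample"
```

Pasting the fragile function into the shellcheck web page (or running `shellcheck` on the file) reports the `ls` loop; the glob version passes. The same word-splitting that merely miscounts here is what lets a crafted filename inject extra arguments into commands such as `rm` or `cp` when a script is run with more privilege than the person who created the file, which is why the “Filenames and Pathnames in Shell” page treats it as a security issue rather than a cosmetic one.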

Wed, 21 Aug 2013

Open security

Modern society depends on computer systems. Yet computer security problems let attackers subvert the very systems that society depends on. This is a serious problem.

I think one approach that could help is “open security” - applying open source software (OSS) approaches to help solve computer security problems. To see why, let’s look at some background.

Back in the 1970s people collaboratively developed software that today we would call open source software or free-libre software. At the time many assumed these approaches could not scale up to big systems… but they were wrong. Software systems that would cost over a billion U.S. dollars to redevelop have been developed as open source software, and Wikipedia has used similar approaches to collaboratively develop the world’s largest encyclopedia.

So… if we can collaboratively develop multi-billion software systems, and large encyclopedias, can we use the same kinds of collaborative approaches to improve computer security? I believe we can… but if we are going to do this, we need to define a term for this (so that we can agree on what we are doing!).

I propose that open security is the application of open source software (OSS) approaches to help solve cyber security problems. OSS approaches collaboratively develop and maintain intellectual works (including software and documentation) by enabling users to use them for any purpose, as well as study, create, change, and redistribute them (in whole or in part). Cyber security problems are a lack of security (confidentiality, integrity, and/or availability), or potential lack of security (a vulnerability), in computer systems and/or the networks they are a part of. In short, open security improves security through collaboration.

You can see more details in my paper What is open security? [PDF] [DOC]. I intentionally built on previous work such as the Free Software Definition by the Free Software Foundation (FSF), the Open Source Definition (Annotated) by the Open Source Initiative (OSI), the Creative Commons license work, and the Definition of Free Cultural Works by Freedom Defined (the last one is, for example, the basis of the Wikimedia/Wikipedia licensing policy).

The Open security site has been recently set up so that you and others can join and get involved. So please - get involved! We are only just starting, and the direction we go depends on the feedback we get.

Further reading:

Tue, 30 Apr 2013

OSS License Clinic

If you’re interested in understanding the legal, contract, or government acquisition issues in applying free / libre / open source software (FLOSS), come to the “Open Source License Clinic” on May 9, 2013, 9am-noon (EDT), in Washington, DC. This clinic will be hosted by the non-profit Open Source Initiative (OSI), and is “designed as a cross-industry, cross-community workshop for legal, contract, acquisition and program professionals who wish to deepen their understanding of open source software licenses, and raise their proficiency to better serve their organizations objectives as well as identify problems which may be unique to government. Discussion of licenses and issues in straight-forward terms make the clinic of value to anyone involved in the lifecycle of a technology decision/acquisition or strategy for internal software development.”

I’m one of the speakers, along with:

The location for the license clinic will be:

101 Independence Ave SE
Madison Building, 6th Floor, Dining Room A
Washington, DC 20540

You might also be interested in the Open Source Community Summit on May 10 (the following day) in Washington, DC.

Thu, 21 Mar 2013

French government OSS policy

Free/libre/open source software (FLOSS) continues to grow around the world, and governments around the world are trying to establish policies about it. Yet in the U.S. we often don’t hear about them. I just posted about a UK policy; here’s a recent French policy, translated into English.

The French administration, in September 2012, established a set of guidelines and recommendations on the proper use of Free Software (aka open source software) in the French government. This is called the “Ayrault Memorandum” (circulaire Ayrault, in French) and was signed in September 2012 by the French Prime Minister. The document was mainly produced by the DISIC (the Department of Interministerial Systems Information and Communication) and the CIOs of some departments. The DISIC is in charge of coordinating the administration actions on information systems.

Mon, 18 Mar 2013

UK Government prefers OSS

The UK government is mandating a “preference” for open source software in its Government Service Design Manual Open Source section, to be effective April 2013. The draft manual says, “Use open source software in preference to proprietary or closed source alternatives, in particular for operating systems, networking software, web servers, databases and programming languages.”

Tue, 22 Jan 2013

Speaking at ACM DC Chapter

FYI, on 2013-03-04 I plan to speak about “Open Source Software, Government, and Cyber Security” at the Association for Computing Machinery (ACM), Washington, DC Chapter. It will be at 1203 19th St, 3rd Floor, Washington, DC. See the link for more information.

Ozone Widget Framework (OWF) released as OSS!

The Ozone Widget Framework (OWF) has recently been released as open source software (OSS) by the U.S. government. OWF is useful but a little tricky to explain; as their website explains, OWF is a web application that “allows users to easily access all their online tools from one location… [users can] access websites and applications with widgets [and] group them and configure … applications to interact with each other via widget intents”. Go see their website to learn more about it; here, I’ll talk about the wider implications of OWF.

To me, OWF is interesting on several fronts.

From a potential user’s point of view, this is great news. If you want something like this, well, now you can easily get it. If you’re outside the U.S. government, you’ve never had this program at all before. But even for those inside the U.S. government, this release makes OWF far easier to get, use, and improve if necessary.

But from the point-of-view of collaborative software development, this is a much bigger deal. The government all too often pays money to develop software on one project, and then re-pays to develop that software again on any other project that needs it. In the rare cases where reuse happens at all, the government makes it hard for others in the government to improve it as needed. The government often talks about “public/private partnerships”, and such partnerships are a good idea… but all too often this doesn’t happen in software development.

Here we have an awesome change. Per their original plans and a Congressional mandate, OWF is now released to the public. This means that instead of the government having to re-develop the code for every use, and for the public to have to re-develop it as well, “we the people” who paid to develop the software can actually get it.

What’s more, OWF has avoided some of the terrible mistakes that have hurt some past efforts:

  1. Sometimes software developed via government funding gets “captured” by one vendor, so that even though the government paid to have it developed, essentially no one else has the right or ability to maintain it. Once it’s captured, the cost of maintaining the software skyrockets. By releasing the software as OSS, the OWF project has avoided that problem. Instead, the OWF project can get wide use and improvements from around the world.
  2. OWF has wisely released the software under an industry-standard OSS license (in this case, Apache 2.0), instead of writing some government-unique non-standard license. Nearly all OSS is licensed under a few licenses (GPL, LGPL, BSD-new, MIT, Apache 2.0); using nonstandard or incompatible licenses greatly impedes any possibility of collaboration.
  3. Third, OWF has wisely chosen to use a widely-used repository and development infrastructure (in this case, GitHub), instead of unnecessarily developing and maintaining its own.

The U.S. federal government was formed by “we the people”. It’s great to see the government releasing software back to the people; in the end, we’re the ones who paid to develop it. I wish the OWF project the best of success, and I hope that there will be many similar OSS projects to come.

Fri, 20 Jul 2012

Release government-developed software as OSS

I encourage people to sign the white house petition to Maximize the public benefit of federal technology by sharing government-developed software under an open source license. I, at least, interpret this to include software developed by contractors (since they receive government funding). I think this proposal makes sense. Sure, some software is classified, or export-controlled, or for some other specific reason should not be released to the public. But those should be exceptions. If we the people paid to have it developed, then we the people should get it!

It is true that many petitions do not get action right away, but that isn’t taking the long view. Often an issue has to be repeatedly raised before anything happens. So just because something doesn’t happen once doesn’t mean it was a waste of time. The Consumer Financial Protection Bureau has a “default share” policy so it is possible.
