Google has released the source code to Project Wycheproof in an effort to improve the security of cryptographic software libraries and head the next Freak TLS or Heartbleed vulnerability off at the pass.
Named for the smallest mountain in the world - because 'the smaller the mountain the easier it is to climb it
', Google's Daniel Bleichenbacher and Thai Duong explained in a joint launch statement
- Project Whycheproof takes the form of a series of security tests designed to check cryptographic libraries for known weaknesses. Using these tests, those developing around cryptographic libraries - modules of code which provide encryption, decryption, hashing, verification, and other security-related functionalities, designed to be plugged into any software which requires such - should be able to automatically check to see if they are affected by these known vulnerabilities and, if so, to develop a fix.
Based on publicly disclosed vulnerabilities as well as not-yet-disclosed flaws uncovered by its Project Zero initiative, Google's initial release of Project Wycheproof includes 80 test cases which have already found 40 security bugs in popular cryptographic libraries.
'In cryptography, subtle mistakes can have catastrophic consequences, and mistakes in open source cryptographic software libraries repeat too often and remain undiscovered for too long,
' Google's researchers explained, referring in part to bugs like that discovered in OpenSSL back in June 2014
which could be traced back to the software's very first public release. 'Good implementation guidelines, however, are hard to come by: understanding how to implement cryptography securely requires digesting decades' worth of academic literature. We recognise that software engineers fix and prevent bugs with unit testing, and we found that many cryptographic issues can be resolved by the same means.
'These observations have prompted us to develop Project Wycheproof, a collection of unit tests that detect known weaknesses or check for expected behaviours of some cryptographic algorithm. Our cryptographers have surveyed the literature and implemented most known attacks. As a result, Project Wycheproof provides tests for most cryptographic algorithms, including RSA, elliptic curve crypto, and authenticated encryption.
Project Whycheproof can be downloaded now, under the Apache Licence v2.0, from Google's GitHub repository