How we produce curl to defend it protected in tens of billions of installations

How we produce curl to defend it protected in tens of billions of installations

I’ve talked on this matter sooner than but I realized I by no procedure did a accurate blog put up on the realm. So here it’s: how we produce curl to defend it protected. The matter of supply chain security is particular person that is talked about continuously at the present time and usually there’s a totally mature (commence source) part that will get a awful weak point revealed.

Don’t rep me unsuitable. Proprietary programs have their portion of points to boot, and doubtlessly even extra so, but for obtrusive reasons we by no procedure rep the an identical transparency, well-known functions and perception into those considerations and alternate choices.


curl, in the shape of libcurl essentially, is in reality one of many field’s most in most cases mature application substances. It is assign in in somewhere around ten billion installations world large. It will per chance presumably even be forty billion. No one knows.

If we could rep a extreme vulnerability in curl, it must also doubtlessly exist in every internet-linked arrangement on the globe. We don’t favor that.

A extreme security flaw in our merchandise would be inferior, but we also equally must fabricate sure that that we present APIs and reduction customers of our merchandise to be protected and to make employ of curl safely. To manufacture sure that customers of libcurl don’t by chance stay awake getting security considerations, to doubtlessly the most productive of our skill.

In the curl project, we work hard to by no procedure have our accumulate model of a “heartbleed moment“. How will we construct this?

Consistently enhancing

Our procedure isn’t any longer irregular, irregular or modern. We merely note all most productive practices, instruments and programs that are readily available to us. In all areas. As we scuttle along, we tighten the screws and pork up our procedures, studying from past errors.

There are no instant cuts or silver bullets. Perfect hard work and working instruments.

Now not a coincidence

Getting protected and accumulate code into your product isn’t any longer something that happens by chance. Now we must work on it and we must fabricate a concerned effort. We must care about it.

All of us know this and all people knows straightforward programs on how to construct it, we perfect must fabricate sure that that we also in actuality construct it.

The steps

  1. Write code following the foundations
  2. Overview written code and fabricate sure that it’s obvious and simple to read.
  3. Check the code. Prior to and after merge
  4. Check the merchandise and APIs to rep cracks
  5. Bug-bounty to reward outdoors helpers
  6. Act on errors – on memoir of they’re going to happen


For customers of libcurl we present an API with protected and accumulate defaults as we realize the energy of the default. We also document all the pieces with well-known functions and grab huge pride in having world-class documentation. To slice again the distress of applications turning into unsafe perfect on memoir of our API changed into as soon as unclear.

We also document inner APIs and capabilities to reduction contributors write higher code when enhancing and altering curl.

We don’t allow compiler warnings to remain – on any platform. Here’s in most cases moderately onerous since we invent on this form of ridiculous quantity of programs.

We reduction employ of source code feedback and declare()s to fabricate assumptions obtrusive. (curl is essentially written in C.)

Different of traces of (product) code in the curl project over time.


All code must be reviewed. Maintainers are nevertheless allowed to test and merge their very accumulate pull-requests for real looking reasons.

Code must be straightforward to read and realize. Our code trend must be followed and encourages that: for instance, no assignments in prerequisites, one assertion per line, no traces longer than 80 columns and extra.

Strict compliance with the code trend also procedure that the code will get a float and a constant judge, which makes it more straightforward to read and arrange. Now we have a tool that verifies most substances of the code trend, which takes away most of that duty faraway from humans. I rep that PR authors in most cases grab code trend remarks higher when pointed out by a tool than when humans construct it.

A source code swap is accompanied with a git commit message that must note the template. A constant commit message trend makes it more straightforward to later come lend a hand and are mindful about it accurate when viewing source code historical past.


We favor all the pieces tested.

  • Unit checks. We are attempting at writing increasingly extra unit checks of inner capabilities to fabricate sure that they in reality construct what expected.
  • Blueprint checks. Map accurate community transfers against test servers, and fabricate sure that heaps of eventualities are handled.
  • Integration checks. Check libcurl and its APIs and test that they tackle what they’re expected to.
  • Documentation checks. Check codecs, test references and contaminated-reference with source code, test lists that they consist of all gadgets, test that every man pages have all sections, in the an identical uncover and that they all have examples.
  • “Fix a bug? Add a test!” is a mantra that we don’t repeatedly are residing as a lot as, but we are attempting.

curl runs on 80+ operating programs and 20+ CPU architectures, but we most productive bustle checks on a few platforms. This in most cases works out ravishing on memoir of most of the code is written to bustle on a few platforms so if tested on one, this can also also bustle ravishing on the total heaps of.

curl has a flexible invent arrangement that offers many million heaps of invent combos with over 30 heaps of conceivable third-occasion libraries in a range of model combos. We will not test all invent combos, but we strive to test the total stylish ones and a minimal of 1 for every config likelihood enabled and disabled.

Now we have many checks, but there are sadly silent gaps and well-known functions no longer tested by the test suite. For those issues we merely must depend upon the code review and then that customers legend considerations in the shipped merchandise.

Different of test instances, test recordsdata in actuality, over time.


We bustle the total checks the usage of valgrind to fabricate sure that nothing leaks memory or construct inferior memory accesses.

We invent and bustle with take care of, undefined behavior and integer overflow sanitizers.

We are fragment of the OSS-Fuzz project which fuzzes curl code non-stop, and we bustle CIFuzz in CI builds, which runs “rather” fuzzing on the curl code in the long-established pull-question course of.

We construct “torture making an try out“: bustle a test case as soon as and count the sequence of “fallible” characteristic calls it makes. Those are calls to memory allocation, file operations, socket read/write and heaps others. Then re-bustle the test that in most cases, and for every novel iteration we fabricate every other in reality one of many fallible capabilities fail and return error. Check that no memory leaks or crashes happen. Map this on all checks.

We employ several heaps of static code analyzers to scan the code checking for flaws and we repeatedly repair or in another case tackle every reported defect. Many of them for every pull-question and commit, some are bustle in most cases outdoors of that course of:

  • scan-invent
  • clang clear
  • lgtm
  • CodeQL
  • Mediate
  • Coverity

The accurate space has diverse and can merely continue to fluctuate over time as services come and scuttle.


No matter how hard we are attempting, we silent ship bugs and errors. Most of them pointless to declare benign and distress free but some are no longer. We bustle a bug-bounty program to reward security searchers precise money for reported security vulnerabilities display mask in curl. Until as of late, we have paid nearly 17,000 USD in full and we defend upping the portions for recent findings.

Amassed bug-bounty payouts over time

When we legend security considerations, we fabricate detailed and elaborate advisories to reduction customers realize every delicate part about the realm and we present overview info that shows exactly what versions are weak to which considerations. The curl project objectives to even be a world-leader in security advisories and linked info.

Act on errors

We’re no longer immune, no matter how hard we are attempting. Frightful issues will happen. Once they construct, we:

  • Act straight.
  • Personal the realm, responsibly
  • Fix it and impart it – as soon as conceivable
  • Learn from it
  • Fabricate it more difficult to construct the an identical or identical errors all over again

Does it work? Will we in actuality be taught from our historical past of errors? Per chance. Having our product in ten billion installations isn’t any longer a proof of this. There are some indicators that can also merely display mask we’re doing issues perfect:

  • We were reporting fewer CVEs/year the last few years but in 2021 we went lend a hand up. It would also even be the dwell consequence of additional of us looking out, thanks to the elevated financial rewards offered. At the an identical time the sequence of traces of code have stored rising at a price of around 6,000 traces per year.
  • We rep nearly no points reported by OSS-Fuzz anymore. The first few years it ran it stumbled on many considerations.
  • We are ready to develop our bug-bounty payouts very a lot and now pay a few thousand USD nearly every time. We know of us are looking out hard for security bugs.
Security vulnerabilities. Mounted vs Introduced over time.

Continuous Integration

For every pull-question and commit done in the project, we bustle about 100 heaps of builds + test rounds.

Total sequence of CI builds per pull-question and commit, over time
  • Check code trend
  • Slouch thousands of checks per invent
  • Develop and test on tens of platforms
  • Over twenty hours of CPU time per commit
  • Achieved the usage of several heaps of CI services for optimum performance, widest conceivable coverage and shortest time to completion.

We currently employ the following CI services: Cirrus CI, AppVeyor, Azure Pipelines, GitHub Actions, Circle CI and Zuul CI.

We even have a separate autobuild arrangement with programs bustle by volunteers that checkout doubtlessly the most up-to-the-minute code, invent, bustle the total checks and legend lend a hand in a continuous manner a few instances or perchance as soon as per day.

Current habits past errors have taught us

Now we have done several changes to curve internals as assert reactions to past security vulnerabilities and their root causes. Lessons realized.

Unified dynamic buffer capabilities

At the present time we have a family of capabilities for working with dynamically sized buffers. Be the usage of the an identical space for this performance we have it well tested and we slice again the distress that novel code messes up. Again, nothing innovative or irregular, but as curl had grown organically over the a long time, we stumbled on ourselves instant of cleansing this up in some unspecified time in the future. So we did.

Maximum string sizes

So a lot of past errors came from conceivable integer overflows as a result of libcurl accepting input string sizes of unrestricted lengths and after doing operations on such string sizes, they would in most cases consequence in overflows.

Since a few years lend a hand now, no string passed to curve is allowed to be greater than eight megabytes. This limit is critically arbitrarily space but is intended to be procedure greater than the supreme particular person names and passwords ever mature and heaps others. We can also also change the limit in a future, must we favor. It’s no longer a limit that is uncovered in the API or even talked about. It is there to trap errors and malicious employ.

Dwell faraway from reallocs

Thanks to the previous functions we now steer obvious of realloc to this point as conceivable outdoors of those capabilities. History shows that realloc in mixture with integer overflows had been mighty for us. Now, both reallocs and integer overflows must be powerful more difficult to clutter up.

Code coverage

About a years prior to now we ran code coverage experiences for one invent combo on one platform. This generated a host that in actuality didn’t mean plenty to anyone but as an quite lots of moderately deceive customers to drawing funny conclusions essentially based entirely on the legend. We stopped that. Getting a “full” and manual number for code coverage for curl is hard and no one has yet long gone lend a hand to strive this.

The impact of security considerations

Every now and again somebody discovers a security arena in curl. To this level, those security vulnerabilities had been dinky to obvious protocols and functions that are no longer mature by all people and in many instances even disabled at invent-time amongst many customers. The points also in most cases depend upon either a malicious particular person to be fervent, either in the neighborhood or remotely and for a range of curl customers, the environments it runs in limit that distress.

To this level, I’m no longer attentive to any curl particular person, ever, having been critically impacted by a curl security arena.

Here’s no longer a boom that this can no longer ever happen. I’m most productive pointing out info about the historical past to this level. Security is sizable hard and I will most productive promise that we are going to defend working hard on shipping accumulate merchandise.

Is it provoking?

Changes done to curve code as of late will stay awake in billions of units within a few years. That’s an intimidating indisputable reality that can also in reality fabricate you shy by fear of the distress that the field will “burn” as a result of a mistake of mine.

As antagonistic to instilling fear by this outlook, I’ve the accurate procedure to have it about it, is respecting the difficulty and “shouldering the responsibility”. Fabricate the changes we judge necessary, but fabricate them in accordance with the programs, note the foundations and belief that the arrangement we have setup is more possible to detect nearly every conceivable mistake sooner than it ever reaches a liberate tarball. And not using a doubt we slouch holes in the test suite that we remark or suspect along the procedure in which.

The lend a hand-door possibility

I blogged about that no longer too prolonged prior to now. I’ve a mistake is powerful extra more possible to maneuver-in and rep shipped to the field than a deliberate lend a hand-door is.

Reminiscence protected substances could presumably reduction

By rewriting substances of curl to make employ of memory protected substances, comparable to hyper for HTTP, we are able to be ready to extra slice again the distress of future vulnerabilities. That’s a prolonged game to fabricate actuality. This could well presumably also even be hard in due course to in actuality measure and repeat pointless to declare if it in reality made an impact.

How are you able to reduction out?

  1. Pay for a curl give a boost to contract. Here’s what permits me to work plump time on curl.
  2. Back out with opinions and including novel checks to curve
  3. Back out with fixing points and enhancing the code
  4. Sponsor curl
  5. Document all bugs you rep
  6. Upgrade your programs to bustle up-to-the-minute curl versions

Credit score

Image by Dorian Krauss from Pixabay



Hey! look, i give tutorials to all my users and i help them!

you're currently offline