Building Trust Within Open Source Software

Key Takeaways:

• Open source software relies on trust to ensure code integrity and security. However, bad actors can exploit vulnerabilities or introduce malicious code, breaking user trust.
• Open source benefits from transparency, allowing for extensive peer review. This can identify and fix vulnerabilities, ultimately strengthening security.
• Verifying the identity and intentions of contributors in the open-source community is complex, often due to the use of pseudonyms and the decentralized nature of contributions.

 

Open Source Software (OSS) refers to software that is freely available for anyone to use, modify, and distribute. This approach to software development generates significant economic value annually, with the demand-side worth estimated at $8.8 trillion and the supply-side around $4.5 billion.  The growth of open source software continues as technological developments increasingly favor open source methods, particularly in blockchain projects. Open source is crucial in today’s society because it democratizes access to technology, creating a transparent and collaborative environment. Developers worldwide can collaborate, innovate, and build on each other’s work, accelerating software development and producing more secure solutions.

The Concept of Trust In Open Source Software Development

Richard Stallman initiated the “Free Software Movement,” emphasizing the importance of freedom in software. He believed that software should respect users’ rights to run, study, modify, and distribute it. Stallman argued that proprietary software often restricts users’ freedoms and can lead to social injustices. By promoting free software, Stallman aimed to create a community where developers and users collaborate for the common good, ensuring software serves everyone’s needs and upholds social justice. This ideology fostered a community of passionate people who trust each other through shared expertise.

An excerpt from Mike Bursell’s book “Trust in Computer Systems and The Clouds” states, “the more we get involved in open source, the more trust we can have in open source, as there will be a corresponding growth in the involvement—and therefore trust—of other people in open source. Trust in open source isn’t just a network effect: it’s a positive feedback loop!”

How Trust Is Built in Open Source Software Communities

The community born from building open source software creates inherent trust in the system. Here are different perspectives on how trust manifests in open source:

• Trust in the Community: Open source projects rely on trust within the community of developers, contributors, and users. Developers trust that their contributions will be valued, while users trust the software’s reliability and security.
• Trust in the Code: The transparency of open source code allows users and developers to inspect it for security vulnerabilities and bugs, building trust in the software’s reliability.
• Trust in the Process: Open source development often follows a consensus-based decision-making process. Contributors trust that decisions are made in the project’s best interest, based on merit and community feedback.
• Trust in the License: Open source licenses define how the software can be used, modified, and distributed. Users and developers trust that the license terms will be upheld, ensuring the project remains open.

How Bad Actors Exploit Open Source Software Trust Systems

Bad actors can exploit the trust system in open source software for selfish gains. They can deceptively join a software development community and become active contributors, earning the trust of other developers with the long-term goal of introducing vulnerabilities, backdoors, or other forms of malicious code into the project.

A recent example involves a backdoor discovered that could potentially compromise SSH logins on Linux systems.  SSH, or Secure Shell, is a cryptographic network protocol used for secure communication over an unsecured network, providing administrators or users with secure remote access to computers or systems. The following summarizes the bad actor’s strategy based on the Hackaday situation report:

1. Malicious Code Insertion: The bad actor inserted a backdoor that could compromise SSH logins on Linux systems. They disguised the malicious code as test files in the release tarballs (archive files), making it difficult to detect.
2. Disguising Malicious Activity: By using test files as a disguise, the malicious code remained hidden from casual inspection of the repository, only revealing itself when the release tarballs were downloaded and examined.
3. Misdirection: The bad actor attempted to mislead the community by claiming that an unrelated bug caused the detected errors, deflecting attention from the malicious code they had inserted.

These approaches are not limited to creating backdoors in Linux systems but can apply to any open source software. This places significant responsibility on the administrators of any open source project and the community at large to remain vigilant and conduct thorough reviews of contributions to prevent such exploits.

The Identity Challenge in Open Source Software

Identity, privacy protection, and combating bad actors are complex, intertwined challenges within the open source community. As an open community, it is crucial to protect users’ privacy, which leads many users to embrace anonymity and pseudonyms. However, this anonymity can create opportunities for bad actors to disguise themselves as contributors, potentially infiltrating the community as moderators or code maintainers. Establishing and verifying identities is complex due to the distributed and often anonymous nature of contributions.

Companies worldwide, from small businesses to multimillion-dollar enterprises, frequently use open source software. Data shows that 99% of Fortune 500 companies use at least one open source software. This widespread use makes the open-source community an attractive target for bad actors. These bad actors can exploit the community’s acceptance of pseudonyms, potentially gaining positions of influence. If successful, they could plant malware capable of affecting numerous companies.

Challenges in Verifying the Identity of Open Source Maintainers

Incorrectly verifying the identity and intentions of maintainers can pose significant security risks to open source projects and their users. Malicious actors may exploit these vulnerabilities to gain access and introduce harmful code. However, verifying identities in open source communities is challenging due to several factors:

• Pseudonyms and Anonymity: Many contributors and maintainers use pseudonyms or basic alphanumeric usernames, making it difficult to verify their real identities. This anonymity can be intentional in open source communities to protect contributors’ identities, particularly in regions with privacy, security, or political issues.
• Community Dynamics: Open source communities are diverse and decentralized, with varying levels of formality and governance structures. This diversity can complicate the establishment of standardized processes for verifying identities.
• Global and Distributed Nature: Open source projects often involve contributors from around the world, making it challenging to verify identities across different jurisdictions and cultures. Differing legal frameworks can further complicate identity verification.
• Trust and Reputation: Verifying the intentions of maintainers often relies on trust and reputation within the community. A user’s history on the platform or within the community can serve as a digital testament to their trustworthiness. However, trust is subjective and can be challenging to assess, especially for new or unknown contributors.

Social Engineering Threats in Open Source Software

Identity verification issues and the possible ill intentions of some code maintainers make it crucial to understand how social engineering can introduce vulnerabilities into open-source software. Here are some common techniques:

Contributor Impersonation

Attackers may pose as legitimate contributors or maintainers to gain administrative access to an open-source project’s code repository. Once inside, they can plant vulnerabilities or malicious code, which might only be detected after thorough reviews.

False Bug Reports

By submitting false bug reports or feature requests that appear legitimate, attackers can introduce vulnerabilities into the codebase. Project maintainers may unknowingly accept these requests, leading to the integration of insecure code.

Malicious Code Contributions

Attackers may submit malicious code disguised as legitimate enhancements or bug fixes. If not carefully reviewed, these contributions can introduce vulnerabilities into the codebase.

Fake Documentation

Submitting fake documentation or code samples that include vulnerabilities is another tactic. Developers might unitentionally introduce vulnerabilities to their projects based on this misinformation. For example, an attacker might submit documentation for a new feature that claims to improve performance but includes a backdoor for unauthorized access. If the maintainer incorporates this code, it could introduce security vulnerabilities.

Phishing Attacks

Attackers may use phishing attacks to trick developers into disclosing their credentials or other sensitive information. With this information, attackers can gain unauthorized access to the code repository or other sensitive segments of the particular open-source project.

Mitigating Risks in Open Source

To mitigate these risks, open source projects should have: 

• Robust Review Processes: Establish comprehensive review processes for both code and documentation changes. These reviews should ensure accuracy, security, and freedom from vulnerabilities introduced by malicious actors.
• Cautious Contribution Acceptance: Exercise caution when receiving code contributions or documentation from unfamiliar or untrusted sources. Conduct thorough and independent verification of the sources and information before implementation.
• Enhanced Security Protocols: Develop and maintain strong security protocols. This includes regular security audits and updates to detect and prevent malicious activities.
• Community Vigilance: Foster a culture of vigilance and responsibility within the open source community. This will enable the community to promptly identify and address suspicious activities.

Impacts of Attacks on Open Source Projects 

According to the OSSRA report, more applications in 2024 contain more open source code than proprietary code, with a 57% increase between 2017 and 2018, and even higher figures in 2024. This trend raises concerns that attacks on open-source code can pass into proprietary software, significantly affecting its functionality. A successful attack on an open source project can have extensive repercussions. The following are key impacts of such attacks:

Financial Losses

Attacks on open source software can lead to substantial financial losses for organizations relying on the software. For example, the Apache Struts vulnerability exploited in the 2017 Equifax data breach resulted in financial losses exceeding $425 million for the company. With 147 million individuals affected, it remains one of the biggest data breaches in American history.

Data Breaches

Attackers may exploit vulnerabilities in open-source software to gain unauthorized access to sensitive data. The Equifax data breach and the 2014 Heartbleed vulnerability in the OpenSSL library are notable examples. These incidents allowed attackers to steal private keys, user credentials, and other sensitive information from affected systems.

Compromised Trust

A successful attack can undermine trust in the software and its developers. Users may be less likely to use or contribute to the project if they perceive it as insecure or unreliable. In 2021, companies such as Twilio, HashiCorp, Mozilla, and Rapid7 were victims of the compromised Codecov Bash Uploader. This incident led to widespread concerns about the security of open-source supply chain attacks.

System Failures

Attacks on open source software can result in system failures or downtime. For instance, the Mirai botnet exploited vulnerabilities in open-source software to launch massive distributed denial-of-service (DDoS) attacks, disrupting internet services worldwide.

Reputation Damage

A successful attack can damage the reputation of the open-source project and its developers, affecting their ability to attract users, contributors, and funding. For example, the compromise of the npm package event-stream led to concerns about the security of the Node.js ecosystem.

Consequences of Broken Trust in Open Source

The open-source community operates on trust, and when this trust is broken, it can have significant consequences for organizations, individual users, developers, and the broader software ecosystem. Here are a few of these consequences:

• Stagnation of Innovation: Trust is essential for collaboration and future development in open source software. When trust is compromised, developers may be less willing to collaborate with others, leading to stagnation and slowed innovation within projects.
• Adoption Issues: Negative publicity often spreads quickly. This means that the effects of broken trust due to compromised code maintainers or other vulnerabilities can spread faster than usual, adversely affecting the adoption of the open source project.
• Security Vulnerabilities: Broken trust can lead to security vulnerabilities for users. If users no longer trust the integrity of the code or the project maintainers, they may be less likely to update to the latest versions of the software, leaving them vulnerable to known security issues.
• Loss of Confidence: When trust is broken, users may lose confidence in the software and its developers. This can result in a loss of users and contributors, negatively impacting the project’s sustainability and viability.

Conclusion

However, this openness also presents challenges, particularly regarding trust and security. A balanced approach is essential, emphasizing the importance of transparency, accountability, and collaboration in open source development. Increased efforts are needed to build and maintain trust within the open-source community, recognizing that trust is not just a technological issue but also a social one. By addressing identity-based security risks and fostering a culture of trust and collaboration, the continued success of open source software can be ensured for years to come.

Identity.com

Identity.com, as a future-oriented organization, is helping many businesses by giving their customers a hassle-free identity verification process. Our organization envisions a user-centric internet where individuals maintain control over their data. This commitment drives Identity.com to actively contribute to this future through innovative identity management systems and protocols.

As members of the World Wide Web Consortium (W3C), we uphold the standards for the World Wide Web and work towards a more secure and user-friendly online experience. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please get in touch for more information about how we can help you with identity verification and general KYC processes.