Overview

This is a one-day, invitation-only security event. All Tomcat committers are invited. The purpose is to improve Tomcat security.

The event is being funded by Google, who generously provided $5k to the Tomcat project to help improve security. All attendees will have one night's accommodation at the CoC (Community over Code) hotel paid for. Include the additional night when making your reservation for CoC EU; markt will pay for one night's accommodation at some point during CoC EU using the ASF credit card that has been created and linked to the $5k from Google.

Administration

Thursday 6th June 2024 (the day after CoC EU)

09.00-17.00

Venue: Atrium Lounge, Roset Hotel & Residence, Štúrova, Bratislava, Slovakia


Agenda

  • Introductions
  • Chris's CVE analysis: review past CVEs to identify general patterns that may apply elsewhere in the Tomcat code base
  • General discussion to identify areas where we may be able to improve things
  • Split into groups based on interest/experience and review the code
  • Work on fixes for any potential improvements found

Attendees

If there is anyone else you would like to invite, please start a discussion on the private@ mailing list. 

Committer               | Attending Y/N
Dimitris Soumis (guest) | Y
Matus Madzin (guest)    | Y
Vladimir Chup (guest)   | Y
potiuk (guest)          | Y
engelen (guest)         | Y
markt                   | Y
jfclere                 | Y
schultz                 | Y
rjung                   | Y
remm                    | Y
mturk                   | Y
fschumacher             | Y

Meeting Notes

Fuzzers / test suites. Look at what is available and investigate integrating them into a CI build somewhere (GitHub Actions, Buildbot, Gump)

  • TLS
    • TLS fuzzer
    • drwetter/testssl.sh
  • HTTP
    • Synopsys http fuzzer
    • Structured field
  • H2
    • Http2-test
    • h2spec - no longer maintained?
      • Good for protocol violations
      • jfclere - can be modified
      • Python h2 library for reproducers - flexible
  • WebSocket
    • Autobahn - receptive to fixes
    • scipag/websocket_fuzzer
    • andresriancho/websocket-fuzzer - maintained?
  • WebDAV
    • litmus
  • Misc
    • find-sec-bugs.github.io - no failures when run on 11.0.x
    • Coverity - automate - fix/silence issues
    • SpotBugs - add to overnight CI
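A minimal HTTP/2 protocol-violation reproducer of the kind the H2 items above describe, added here as an example; it is not Tomcat project code and not one of the tools listed. It packs the frames with struct rather than using the Python h2 library so that it runs offline. The violation chosen (a WINDOW_UPDATE with increment 0 on stream 0, which RFC 9113 requires the server to reject with PROTOCOL_ERROR), the cleartext h2c prior-knowledge transport, the default host/port and the sample server reply are all assumptions constructed for the example.

```python
"""Hand-rolled HTTP/2 frames for a protocol-violation reproducer.

Added example, not Tomcat project code. Frames are packed with struct
instead of the Python h2 library so the file runs offline; the layout is
the RFC 9113 frame header (24-bit length, type, flags, 31-bit stream id).
The violation used, a WINDOW_UPDATE with increment 0 on stream 0, the
h2c prior-knowledge transport and the default host/port are assumptions
chosen for illustration.
"""
import socket
import struct
import sys

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

# Frame type codes (RFC 9113 section 6) and the error code we look for.
RST_STREAM = 0x3
SETTINGS = 0x4
GOAWAY = 0x7
WINDOW_UPDATE = 0x8
PROTOCOL_ERROR = 0x1


def frame(ftype, flags, stream_id, payload=b""):
    """Encode one frame: 3-byte length, type, flags, reserved bit + stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for a single frame")
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    header += struct.pack(">I", stream_id & 0x7FFFFFFF)
    return header + payload


def settings_frame(params=()):
    """Client SETTINGS frame; params is a sequence of (identifier, value)."""
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in params)
    return frame(SETTINGS, 0, 0, payload)


def window_update_frame(stream_id, increment):
    """WINDOW_UPDATE; an increment of 0 must be treated as PROTOCOL_ERROR."""
    return frame(WINDOW_UPDATE, 0, stream_id, struct.pack(">I", increment & 0x7FFFFFFF))


def zero_window_update_reproducer():
    """Bytes a client sends to trigger the violation at connection level."""
    return PREFACE + settings_frame() + window_update_frame(0, 0)


def parse_frames(data):
    """Split raw bytes into (type, flags, stream_id, payload); stop at a truncated frame."""
    frames, offset = [], 0
    while offset + 9 <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        ftype, flags = data[offset + 3], data[offset + 4]
        stream_id = struct.unpack(">I", data[offset + 5:offset + 9])[0] & 0x7FFFFFFF
        payload = data[offset + 9:offset + 9 + length]
        if len(payload) < length:
            break
        frames.append((ftype, flags, stream_id, payload))
        offset += 9 + length
    return frames


def server_rejected(response):
    """True if the reply carries GOAWAY or RST_STREAM with error code PROTOCOL_ERROR."""
    for ftype, _flags, _sid, payload in parse_frames(response):
        if ftype == GOAWAY and len(payload) >= 8:
            if struct.unpack(">I", payload[4:8])[0] == PROTOCOL_ERROR:
                return True
        if ftype == RST_STREAM and len(payload) == 4:
            if struct.unpack(">I", payload)[0] == PROTOCOL_ERROR:
                return True
    return False


# Constructed sample reply: a server SETTINGS frame followed by GOAWAY(last
# stream 0, PROTOCOL_ERROR), the shape a compliant server should answer with.
SAMPLE_GOAWAY_RESPONSE = settings_frame() + frame(GOAWAY, 0, 0, struct.pack(">II", 0, PROTOCOL_ERROR))


def send_reproducer(host, port, timeout=3.0):
    """Send the reproducer over cleartext h2c and report whether it was rejected.

    Only this function touches the network; it assumes a connector with h2c
    enabled that accepts the connection preface without an HTTP/1.1 Upgrade.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(zero_window_update_reproducer())
        chunks = []
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return server_rejected(b"".join(chunks))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    print("PROTOCOL_ERROR received" if send_reproducer(host, port) else "no PROTOCOL_ERROR seen")
```

The byte-level helpers are the part a fuzzer would mutate (lengths, flags, reserved bits, stream ids); send_reproducer is the only part that needs a running server. The h2 library mentioned in the notes does the same framing behind a proper connection state machine, which is why it is the better choice once a reproducer needs more than a handful of frames.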

Documentation

  • Provide IDE configuration for SpotBugs, Checkstyle

CVE reproducer test cases

  • Needs discussion on the dev list to decide exactly what we want to do
  • Do we use a fixed timeframe (simple) or a variable one (risk based)? A longer delay helps enterprises that are slower to update.
  • Publish a policy
  • Can develop/track in private svn - can run tests privately

Code signing

  • Investigate DigiCert signature revocation

Migrate from BZ to GitHub issues

  • Discuss on dev list

SBOM

  • What do we include?
  • If we switched to Maven we could get this for free (but it doesn't support shading)
  • Discuss on dev list generate vs change build
  • Schultz has draft

Shading

  • BCEL - schultz looking at documenting the process to get from standard BCEL to what we need
  • DBCP, Pool, etc - shade during build rather than copy of source

Dependencies

  • Contact the upstream projects to make sure they are aware we use them and that the CRA (EU Cyber Resilience Act) is coming - solo projects fall between OSS steward and hobbyist
    • NSIS
    • BND
    • JSign

Code coverage

  • Realms probably the biggest gap
  • Manager and Host Manager have low/no coverage
  • IntrospectionUtils is quite fundamental - should probably have higher coverage
  • http2
  • Lots of 'little' gaps
  • Can we / should we remove packages from report?
  • Future GSoC project?

Secure by default

  • We need CI to be running a performance test to check for obvious regressions
  • 9.0.x - change the default for discardFacades to true
  • Test removal of recycling - collect GC stats
  • processorCache == 0 => bad for performance
    • Document that 0 == no cache and the performance implications
  • Shutdown port to -1 - test the scripts on all OSes
  • Use ${catalina.base} for pwd?
  • Remove/disable web apps from distributions - package each as a WAR named *.war.disabled
  • Check TLS 1.1 - disabled by default?
  • Security listener
    • Windows admin users
    • Writable files that shouldn't be
    • Anything from the Tomcat security guide
  • Cipher list
  • Remove SSI? and/or CGI? Move them to extras?
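As an added example (not Tomcat project code) of turning the list above into a check that could run in CI, the script below audits a server.xml for four of the items: the shutdown port, discardFacades, processorCache and the SSLHostConfig protocol list. The two server.xml fragments are constructed for the example; the attribute names are the documented Server, Connector and SSLHostConfig attributes, and a missing discardFacades is reported so that the value is explicit rather than left to whichever release default is in effect.

```python
"""Audit a Tomcat server.xml for the secure-by-default items above.

Added example, not Tomcat project code. It checks the shutdown port,
discardFacades, processorCache and the SSLHostConfig protocol list. The
two server.xml samples are constructed for this example; the attribute
names are the documented Server/Connector/SSLHostConfig attributes.
"""
import xml.etree.ElementTree as ET

# Constructed sample with the settings the notes want changed: open shutdown
# port, facades reused (no discardFacades), processor cache disabled, TLS 1.1 on.
WEAK_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               processorCache="0" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <SSLHostConfig protocols="TLSv1.1+TLSv1.2+TLSv1.3" />
    </Connector>
  </Service>
</Server>
"""

# Constructed sample with the hardened values.
HARDENED_SERVER_XML = """\
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               discardFacades="true" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" discardFacades="true">
      <SSLHostConfig protocols="TLSv1.2+TLSv1.3" />
    </Connector>
  </Service>
</Server>
"""

# Protocol names that should not appear in an explicit protocols list.
LEGACY_TLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def split_protocols(value):
    """SSLHostConfig 'protocols' accepts comma, plus or space separated names."""
    return {p for p in value.replace("+", ",").replace(" ", ",").split(",") if p}


def audit_server_xml(text):
    """Return findings as (element, attribute, message) tuples; empty means clean."""
    findings = []
    root = ET.fromstring(text)
    if root.tag != "Server":
        return [("(document)", "", "root element is not <Server>")]
    if root.get("port", "8005") != "-1":
        findings.append(("Server", "port", 'shutdown port enabled; set port="-1"'))
    for conn in root.iter("Connector"):
        label = "Connector port=" + conn.get("port", "?")
        # A missing attribute is reported too: the value should be explicit
        # rather than depend on which release's default is in effect.
        if conn.get("discardFacades", "").lower() != "true":
            findings.append((label, "discardFacades",
                             'set discardFacades="true" so facades are not reused across requests'))
        if conn.get("processorCache") == "0":
            findings.append((label, "processorCache",
                             "0 disables the processor cache, which costs throughput"))
        for host_cfg in conn.iter("SSLHostConfig"):
            protos = split_protocols(host_cfg.get("protocols", "all"))
            if "all" in protos:
                findings.append((label, "SSLHostConfig.protocols",
                                 'protocols="all" leaves the set to the TLS provider; pin TLSv1.2+TLSv1.3'))
            legacy = sorted(protos & LEGACY_TLS)
            if legacy:
                findings.append((label, "SSLHostConfig.protocols",
                                 "legacy protocols enabled: " + ", ".join(legacy)))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name + ":")
        for element, attr, message in audit_server_xml(text) or [("", "", "no findings")]:
            print("  " + " ".join(filter(None, (element, attr, message))))
```

Running it prints five findings for the weak sample and none for the hardened one; feeding audit_server_xml the contents of a real conf/server.xml turns it into a CI check. The *.war.disabled packaging, the SecurityListener ideas and the cipher list are deliberately not covered here, since they need the filesystem or the TLS provider rather than server.xml alone.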


Next event

  • EU
  • If not CoC, FOSDEM?
  • Small group code review

Actions

  • Today: HTTP header parsing review


Accounting

Date        | Description                               | CC Income ($) | CC Expenses ($) | CC Balance ($) | Cash Income ($) | Cash Expenses ($) | Cash Balance ($) | Total Balance ($)
            | Initial funding from Google               | 5,000.00      |                 | 5,000.00       |                 |                   |                  |
28 Feb 2024 | Meeting room for June 6th 2024 - EUR 380  |               | 425.37          | 4,574.63       |                 |                   |                  |
03 Jun 2024 | markt accommodation - EUR 563.86          |               | 632.12          | 3,942.51       | 474.09          |                   | 474.09           | 4,416.60
04 Jun 2024 | remm accommodation - EUR 145.83           |               | 163.83          | 3,778.68       |                 |                   | 474.09           | 4,252.77
05 Jun 2024 | engelen accommodation - EUR 154.22        |               | 173.43          | 3,605.25       |                 |                   | 474.09           | 4,079.34
06 Jun 2024 | Lunch - EUR 270                           |               |                 | 3,605.25       |                 | 303.63            | 170.46           | 3,775.71
06 Jun 2024 | Dinner - EUR 214.10                       |               | 240.24          | 3,365.01       |                 |                   | 170.46           | 3,535.72