Least Authority Performs Security Audit of GNU libmicrohttpd (MHD)

Ramakrishnan Muthukrishnan, Liz Steininger and Anamika Ved on June 22, 2017

At Least Authority, our mission is to bring verifiable end-to-end security to everyone. As a part of this mission, we provide security consulting services to free and open-source software projects. We recently performed a security audit of the GNU libmicrohttpd (MHD) library, on behalf of Mozilla’s Secure Open Source Fund.

Mozilla’s SOS Fund is a new initiative to support security audits and remediation for open-source software projects. We Least Authoritarians applaud Mozilla’s effort to support the open-source and free software movement. Our goal is to secure the internet for the future by designing secure systems and creating freedom-compatible technologies. We appreciate how Mozilla, with the SOS Fund, is contributing some of its resources and providing support to organizations like us to achieve this goal.

The security audit of the GNU libmicrohttpd (MHD) library was mainly focused on manually reviewing the application code, but we also examined the dependency code and behavior where relevant to a particular line of investigation.

Audit Results

GNU libmicrohttpd is a C library of about 35,000 lines of code that allows developers to embed HTTP server functionality into their applications. The C standards might not be the safest choice for writing such a library, as they make writing secure programs hard, if not impossible. Given the history of the project, its extensive use in devices with modest resources, and the lack of safe alternative languages at the time the project was started, we respect the choice of the authors, and we reviewed the code with the goal of making it more secure.

We found the quality of the code impressive. It is evident from the code that the project authors and maintainers dedicated themselves to a high standard of development. Nonetheless, we identified some issues in the library code and reported them. You can read about each issue in the audit report. We have also made some improvement suggestions. If you have any questions about these results or our security audit process, please email contactus@leastauthority.com.

We Least Authoritarians have extensive experience in security and cryptography, and we have performed audits and provided consultation for a variety of open-source privacy- or transparency-related projects, including CryptoCat, GlobaLeaks, SpiderOak, and OONI. Least Authority was also hired by Ethereum to perform an incentive analysis on the proof-of-work puzzle, Ethash, and the gas mechanism. In the audit report presented in June 2015, we highlighted some vulnerabilities and gave valuable recommendations.

We also run a verifiably-secure cloud backup system, S4, which will soon get a new graphical user interface, “Gridsync”.