The Story
Curl is a ubiquitous network transfer utility. It's on desktops, laptops, servers, vehicles, and appliances. Securing curl is important because its primary job is to handle data coming in from a network. Unfortunately, all of the networking code in curl is written in C, which is not memory safe.
We got in touch with curl's maintainer, Daniel Stenberg, to talk about how we might help protect curl's core HTTP and TLS networking code from memory safety vulnerabilities. Daniel had a lot of great questions about what we had in mind, and he patiently answered a lot our questions. We quickly realized we were talking to a thoughtful, cautiously progressive maintainer. He was willing to hear us out and consider significant changes, but he would need a plan that was not overly disruptive to existing users.
What We've Done
Together with Daniel Stenberg, we came up with a plan to add options to build curl with memory-safe HTTP and TLS libraries. For HTTP we chose the Hyper library. For TLS we chose the Rustls library.
We contracted with Daniel to integrate the Hyper HTTP library into curl. ISRG engineer Jacob Hoffman-Andrew integrated the Rustls TLS library into curl.
Today curl users can choose to build curl with Hyper and Rustls.
What's Next
Collecting feedback from people using the Hyper an Rustls back-ends is our priority as we work to convince organizations distributing curl to switch to the safer back-ends.
Links
More from the Prossimo blog
Memory Safe ‘curl’ for a More Secure Internet
Memory safety vulnerabilities represent one of the biggest threats to Internet security. As such, we at ISRG are interested in finding ways to make the most heavily relied-upon software on the Internet memory safe.