libwebp
l4v
Our great sponsors
| libwebp | l4v | |
|---|---|---|
| 13 | 15 | |
| 1,908 | 489 | |
| 1.9% | 1.6% | |
| 8.7 | 9.6 | |
| 7 days ago | 4 days ago | |
| C | Isabelle | |
| BSD 3-clause "New" or "Revised" License | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
libwebp
-
Google assigns a CVE for libwebp and gives it a 10.0 score
The thing that concerns me most is looking at the fix it is very difficult to see why this fix is correct. It also appears as there is lots of code without explicit bounds checks. It makes me worried because while the logic may be safe this makes the logic very complex. I wonder what the cost would be to add an explicit, local bounds check at every array access. This would serve as a backup that is much easier to verify. I suspect the cost would be relatively small. Small enough that I personally would be happy to pay it.
https://github.com/webmproject/libwebp/commit/902bc919033134...
This is also a great reminded that fuzzing isn't a solution to memory unsafe languages and libraries. If anything the massive amount of bugs found via fuzzing should scare us as it is likely only scratching the surface of the vulnerabilities that still lie in the code, a couple too many branches away from being likely to be found by fuzzing.
-
The WebP 0day
There's a follow-up fix, according to Debian[0]: https://github.com/webmproject/libwebp/commit/95ea5226c87044...
[0]: https://security-tracker.debian.org/tracker/CVE-2023-4863
-
CVE-2023-4863: Heap buffer overflow in WebP (Chrome)
The breakage [0] was introduced by the creator [1] of the project. If you want to audit 1674 commits over the past 12 years, it'd be easier to just audit the full project.
[0] https://github.com/webmproject/libwebp/commit/21735e06f7c1cb...
[1] https://github.com/webmproject/libwebp/commit/c3f41cb47e5f32...
- Convenient CPU feature detection and dispatch in the Magnum Engine
-
Whats going on with .webp and why are more and more internet images being converted to it?
If you like the command line, then you can use ffmpeg and ImageMagick, or use libwebp directly
-
What's up with people hating WebP?
The webp parser code is open source. Which means that even if Google decides to hide/obscure the code for webp, they'd legally not be allowed to prevent you from using older versions of the webp parser library. The only thing they could do is patent it, and then companies in the US (which has software patents, unfortunately) would have to pay royalties to decode it anyway; but here comes the next point
l4v
-
Rewrite the VP9 codec library in Rust
> C/C++ can be made memory safe
.. but it's much harder to prove your work is memory safe. sel4 is memory safe C, for example. The safety is achieved by a large external theorem prover and a synced copy written in Haskell. https://github.com/seL4/l4v
Typechecks are form of proof. It's easier to write provably safe Rust than provably safe C because the proofs and checker are integrated.
-
CVE-2023-4863: Heap buffer overflow in WebP (Chrome)
You can't really retrofit safety to C. The best that can be achieved is sel4, which while it is written in C has a separate proof of its correctness: https://github.com/seL4/l4v
The proof is much, much more work than the microkernel itself. A proof for something as large as webP might take decades.
- SeL4 Specification and Proofs
-
What in the name of all that's holy is going on with software ?
When something like the seL4 microkernel is formally verified, the remaining bugs should only be bugs in the specification, not the implementation.
-
Elimination of programmers
seL4 specifications and proofs are not a programming language.
-
Google Announces KataOS and Sparrow
Yes, especially 'logically impossible' when you dig into the details. From the blogpost:
> and the kernel modifications to seL4 that can reclaim the memory used by the rootserver.
MMMMMMMMMMMkkkkkk. So you then have to ask: were these changes also formally verified? There's a metric ton of kernel changes here: https://github.com/AmbiML/sparrow-kernel/commits/sparrow but I don't see a fork of https://github.com/seL4/l4v anywhere inside AmbiML.
I mean, it does also claim to be "almost entirely written in Rust", which is true if you ignore almost the entire OS part of the OS (the kernel and the minimal seL4 runtime).
-
A 24-year-old bug in the Linux Kernel (2021)
Probably the only way to prevent this type of issue in an automated fashion is to change your perspective from proving that a bug exists, to proving that it doesn't exist. That is, you define some properties that your program must satisfy to be considered correct. Then, when you make optimizations such as bulk receiver fast-path, you must prove (to the static analysis tool) that your optimizations to not break any of the required properties. You also need to properly specify the required properties in a way that they are actually useful for what people want the code to do.
All of this is incredibly difficult, and an open area of research. Probably the biggest example of this approach is the Sel4 microkernel. To put the difficulty in perspective, I checkout out some of the sel4 repositories did a quick line count.
The repository for the microkernel itself [0] has 276,541
The testsuite [1] has 26,397
The formal verification repo [2] has 1,583,410, over 5 times as much as the source code.
That is not to say that formal verification takes 5x the work. You also have to write your source-code in such a way that it is ammenable to being formally verified, which makes it more difficult to write, and limits what you can reasonably do.
Having said that, this approach can be done in a less severe way. For instance, type systems are essentially a simple form of formal verification. There are entire classes of bugs that are simply impossible in a properly typed programs; and more advanced type systems can eliminate a larger class of bugs. Although, to get the full benefit, you still need to go out of your way to encode some invariant into the type system. You also find that mainstream languages that try to go in this direction always contain some sort of escape hatch to let the programmer assert a portion of code is correct without needing to convince the verifier.
[0] https://github.com/seL4/seL4
[1] https://github.com/seL4/sel4test
[2] https://github.com/seL4/l4v
-
Formally Proven Binary Format Parsers
I mean, just look at the commits with "fix" in the specs folder: https://github.com/seL4/l4v/commits/master?after=4f0bbd4fcbc...
- Proofs and specifications
What are some alternatives?
libjpeg-turbo - Main libjpeg-turbo repository
seL4 - The seL4 microkernel
Save-webP-as-extension - Firefox extension to overlay format and JPEG quality buttons on inline or stand-alone images for quickly saving a converted version of the image.
hubris - A lightweight, memory-protected, message-passing kernel for deeply embedded systems.
BrowserBoxPro - :cyclone: BrowserBox is Web application virtualization via zero trust remote browser isolation and secure document gateway technology. Embed secure unrestricted webviews on any device in a regular webpage. Multiplayer embeddable browsers, open source! [Moved to: https://github.com/BrowserBox/BrowserBox]
agda-stdlib - The Agda standard library
image - [mirror] Go supplementary image libraries
creusot - Creusot helps you prove your code is correct in an automated fashion. [Moved to: https://github.com/creusot-rs/creusot]
libavif - libavif - Library for encoding and decoding .avif files
cryptography - cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
Electron - :electron: Build cross-platform desktop apps with JavaScript, HTML, and CSS
codeball-action - 🔮 Codeball – AI Code Review that finds bugs and fast-tracks your code