Strengthening the NAS Library against Security Vulnerabilities

[panyogesh]

Problem

Issues in existing NAS design

• Mostly in C having exposed pointers and buffer overflow challenges
• Vulnerable to malicious UEs
• Not using new constructs of modern C++

Solution

Redesigning of existing NAS library making it robust using C++ constructs.

References

• Proposal details

Timeline & Cost

• Planning to do it in 2 phases. of roughly 3 Months each
• Phase-I consist of 4G coding and testing
• Phase-II consist of 5G coding and testing
• Total amount will be $12,000

[lucasgonze]

Would you consider the AssertFatal cleanup in scope?

[lucasgonze]

Nathaniel Bennett may submit patches for some parts of this. Let's find out more about what he can and can't cover.

[lucasgonze]

We discussed his patches today, as well as the malicious inputs discovered through fuzzing with AFLplusplus.

1. Nathaniel will submit C patches this week for inclusion in 1.9
2. Yogesh to incorporate those patches in the C++ port
3. Tests to be developed for checking the C patches and preventing regressions in the C++. Nathaniel to share the specific payloads that lead to crashes.

[lucasgonze]

@panyogesh I believe these have been merged. Is that right?

[panyogesh]

#15401 : There is a minor comment provided to the author. It will unblock the merge (some mandatory CI jobs are failing(.
Once addressed it will be merged on master. Post CI Job it will be merged on v1.9 track.

If its getting delayed we can update and merge it.