All Posts

  • Published on
    Tools for assessing the security of the software supply chain largely lack metrics related to software maintenance patterns and quality. Instead, current solutions focus on enumerating a manifest of packages for known vulnerabilities in their code. These do not account for the status of maintainers or the integrity, liveness, or health of the processes that produce that code. This article discusses how the recent archival of the ipmitool project illustrates the main difficulties in perceiving this status. Having tools that observe and model such information can help inform decisions about the trustworthiness of open source software and dependencies beyond the presence of known bugs and vulnerabilities.
  • Published on
    We’re excited to announce that Narf and its partners, Margin Research and Special Circumstances, were awarded a $6.3M DARPA contract for the Hardening Development Toolchains Against Emergent Execution Engines (HARDEN) program to develop novel formal models for flagging, and enabling corrections to, dangerous emergent behavior that arises from these complex systems.