About Measurement Kit

Measurement Kit is a network measurement engine. It implements open network measurement methodologies (performance, censorship, etc.) on Unix-like operating systems such as Android, iOS, Linux, and macOS, as well as on Windows. It is meant to be embedded by third-party applications with specific network measurement needs and/or to be used by researchers to implement novel network measurement tools. It started as an engine implementing OONI network tests and since then has grown to include other network tests.

Audit Description

OTF’s Security Lab partner Radically Open Security performed a penetration test of Measurement Kit between September 1, 2018 and September 10, 2018, checking for security issues and proper usage of third-party dependencies.

Findings

Auditors identified four issues:

  1. Some man-in-the-middle attacker could impersonate the NDT server or inject/modify packages in transit (high threat).
  2. Compiler hardening switches are missing from the build scripts. These switches provide protective measures that make exploitation harder (medium threat).
  3. The function query_mlabns() uses curl to fetch a JSON array, which is completely unbounded and can lead to resource exhaustion or other issues (medium threat).
  4. Since assert() can be disabled at compile-time by defining the NDEBUG symbol, doing so creates many security issues (low threat).

Full Report

Code:

github.com/measurement-kit/libndt git revision: 89193025a4c59793b2f03d590efdaaea20c8cf58