►
Description
As people with the word “security” in our titles, we come across a lot of questionable decisions. It’s our job to scrutinize the dubious and guide the less paranoid. Wide eyed developers in a dependency wonderland can easily find themselves smoking opiumssl with a caterpillar from stackoverflow who assured them it’s twice as performant than openssl. Nevermind the fact that it was written by @madhatter in 2012 and never touched since. In our infinite wisdom we set them back on the right track. But how wise are we really? Could a robot do just a good a job at guiding them through the looking glass?
Security research, embedded systems, machine learning, and data flow programming are his current interests. He’s on the Open Source Security team at Intel. He’s from Portland, went to PSU for computer engineering with a focus on embedded systems and did his honors college thesis on machine learning. He’s been working at Intel as an intern then an employee for the past 5 years.
A
Hello,
everybody
we're
going
to
get
started.
I'd
like
to
introduce
you
to
John
Anderson
John
is
on
the
open-source
security
team.
At
Intel,
he's
from
Portland
went
to
PSU
for
computer
engineering
with
a
focus
on
embedded
systems
and
did
his
honors
college
thesis
on
machine
learning.
He's
been
working
at
Intel
as
an
intern,
been
an
employee
for
the
past
five
years.
Security,
research,
embedded
systems,
machine
learning
and
data
flow
programming
are
his
current
interests.
B
Thanks
guys,
thanks
for
showing
up
so
I'm
gonna
talk
to
you
a
little
bit
today
about
Intel's
dependency
review
process
and
how
we
automated
some
of
it
using
machine
learning.
So
Who
am
I
I'm
John,
as
we
said,
I'm
a
open
source
security
guy
at
Intel,
so
I've
been
playing
around
a
lot
past
few
years
with
you
know:
Linux
containers,
concurrency,
web
apps
and
Python
and
machine
learning
a
little
bit
more
recently
so
well.
I
was
at
PSU
doing
my
undergraduate
honors
thesis
I.
B
B
So
at
Intel
we
have
a
dependency
review
process
that
is
part
of
the
release
process
for
any
given
piece
of
software,
and
so
the
software
at
Intel
goes
through
this
whole
security
process.
Right
and
before
you
can
release
you
have
to
make
sure
that
none
of
your
dependencies
end
up
on
this
band
list,
because
you
know
a
lot
of
software
out.
B
B
B
It
would
be
great
if
we
could
automate
this,
because
we
have
other
jobs
like
real
things.
To
do,
and
we
don't
want
to
be
sitting
there,
looking
at
open
source
packages
all
day,
it's
pretty
mind-numbing,
so
we
took
this
data
set
of
the
form
answers
and
in
John,
Whiteman
and
I
took
the
same
approach
at
this,
the
first
step
around,
and
so
we
grabbed
this
data
set.
We
got
the
URLs
to
all
these
git
repos
and
we
have
the
review
forms
right
so
and
then
we
have
the
classification.
B
So
this
should
be
pretty
straightforward
problem
right.
We
should
be
able
to
take
this
form
and
then
map
it
to
the
classification
train,
a
machine
learning
model
on
it,
and
it
should
tell
us
yes,
this
is
good
or
no.
This
is
bad
based
on
you
know
our
trained
classifications,
but
we
ran
into
a
problem
pretty
much
right
off
the
bat,
and
that
was
that
reviewers
weren't
consistently
filling
out
these
forms
and
yeah
big
surprise
right.
B
So
we're
we're
charged
with
doing
this
mind-numbing
task
that
takes
a
lot
of
time
and
we're
really
excited
to
go
click.
Every
single
drop
down.
So
part
of
the
reason
for
this
was
that
first
right
off
the
bat
you
would,
you
could
usually
tell
or
not
usually,
but
you
could
sometimes
tell
whether
something
was
good
or
bad
right
away
right
for
signs,
like
you
know,
has
this
thing
written
in
2005
and
never
touched
sensed
was
you
know?
B
Does
it
implement
some
crypto
in
a
very
non-standard
way
that
you
know
one
guy
wrote
and
no
one
else
has
looked
at?
Is
it
a
parser,
and
so
all
of
these
things
are
early
warning
signs
that
we
might
just
go.
You
know
bad
right.
You
cannot
use
this
thing.
You
may
not
ship
with
this
software.
There
are
also
signs
of
things
being
good
right.
You
know
this
is
systemd.
Well,
we
may
not
like
system
to
you,
but
you
can
use
it.
We
know
that
people
are
do
maintain
it.
So
this
was
a
failure.
B
We
only
got
around
60%
accuracy,
so
we
had
to
go
back
to
the
drawing
board
and
think
about.
Well.
What
is
our
approach
right?
So
if
we
don't
have
the
data
in
the
form,
then
we're
gonna
have
to
generate
a
new
data
set
right
and
so
we're
going
to
instead
of
using
that
form
data.
We're
gonna
generate
some
answers
that
are
sort
of
like
that
form
data
right.
B
We
don't
know
what
they're
gonna
be
yet,
but
we
know
that
there's
some
data
that
when
you
put
it
through
a
model,
you
will
get
something
that
tells
you.
This
is
good,
or
this
is
bad
at
a
high
percentage
accuracy,
because
after
reviewing
all
these
packages,
we
know
that
there
were
some
things
that
we
could
put
into
numbers.
We
just
didn't
quite
know
what
they
were
right.
It
must
be
possible.
B
So
we
took
this
iterative
approach
where
we're
gonna
generate
this
data
set
train
the
model
if
the
model
gives
low
accuracy.
That
means
we
have
the
wrong
data
set
right,
so
go
back
and
grab
some
different
features.
So
we
came
up
with
this
plugin
based
system
right,
where
we're
gonna
scrape
these
different
pieces
of
data
that
we're
using
as
the
features
for
the
model,
and
that
way
we
can.
B
You
know
quickly
swap
in
and
out
these
features,
as
we
find
out
that
this
one
doesn't
matter
or
this
one
does
matter,
and
it
will
allow
us
to
the
the
idea
is
that
we
can
swap
out
these
features
very
quickly
and
so
that
we
can
then
find
you
know
which
ones
matter
which
one
don't.
And
ideally
we
have
a
simplistic
framework
to
do
this,
because
you
know
if
I
just
want
to
count
the
number
of
authors
that
should
be
as
simple
as
you
know,
get
log
grep
authors,
you
know,
sort
unique
right.
B
B
That's
it'd
be
a
huge
waste
of
my
time,
so
we
needed
to
come
up
with
something
that
gave
us
a
little
more
flexibility
around
like
how
do
we
write
these
data
scraping
plugins
without
needing
to
know
too
much
about
the
other
things
that
are
scraping
data
as
well,
so
we
came
up
with
this
framework.
That's
basically
like
this.
It's
like
a
directed
graph
of
operations
that
get
run
concurrently.
Well,
the
execution
framework
deals
with
locking,
so
we
defined
the
data
types
and
we
say
you
know
this.
B
Data
type
needs
to
be
locked
before
it's
used
in
an
operation
or
it
doesn't
need
to
be
locked.
So
the
git
repo,
for
example,
is
a
data
type
that
needs
to
be
locked
once
I've
parsed
some
of
that
data
I.
Can
you
know
throw
that
data
or
I?
Can
throw
that
data
back
into
this
network
of
running
operations
and
I
can
now
run
things
concurrently
or
you
know,
if
it's
just
random
data,
we
can
run
it
in
parallel
right.
B
We
don't
want
to
be
running
things
that
are
CPU
bound
concurrently,
so
then,
and
then
that
releases
the
resource
lock
for
the
operation
for
the
other
operations
that
actually
do
need
to
be
working
on
the
locked
resource,
like
other
things
that
need
to
go
actively
scrape
the
gate
log
or
whatever
it
is.
So
this
is
a
gret.
This
is
the
directed
graph
showing
how
we
would
do
a
calculation
of
the
number
of
lines
of
comments.
B
The
number
of
lines
of
code
ratio,
which
was
a
rough
estimation
for
how
well-documented
is
this
code,
and
so
what
you
can
see
here
is
we
take
the
URL
of
the
git
repo
we
clone
it
and
then
we're
going
to
go
find
what
the
default
branch
is
unless
it
was
provided.
So
you
know
we
want
to
detect
if
the
default
branch
is
master
or
maybe
it's
like
you
know,
5.3
points
something
and
then
we're
running
to
combine
that
all
of
these.
B
The
other
thing
that
was
happening
here
is
that
we
were
doing
this
on
a
quarterly
basis,
so
we're
doing
time
series
information
because,
as
you
can
imagine,
the
maintenance
of
git
repos
and
the
other
properties
of
them
are
all
varying
over
time
right.
So
somebody
may
start
out
doing
Coverity
or
somebody
may
not
start
out
having
their
thing
in
public
Coverity,
and
then
they
put
it
in
public
Coverity
right
so
quarter
by
quarter.
These
data
points
change,
so
we
have
a
set
of
operations
that
goes
and
takes
a
quarter
start
date
and
goes
back.
B
You
know
X
number
of
quarters
and
then
generates
what
are
the
commits
associated
with
those
dates
for
those
various
quarters,
and
since
this
is
all
running
concurrently,
part
of
also
what
happens
here
is
all
the
given
any
all.
The
possible
permutations
of
every
input
set
for
any
given
function,
which
is
also
known
as
an
operation,
gets
run.
So
as
soon
as
you
generate
all
of
those
quarter
gates,
it's
gonna
go
and
dispatch
all
of
these
operations
to
run
concurrently
and
it's
gonna
go
say:
okay,
go
grab
with
that.
B
So
this
is
how
this
is
how
this
execution
environment
works,
and
we
are
we
can
the
nice
thing
about
this
is
runs
everything
concurrent
concurrently
manages
the
locking
and
it
does
this
permutations
of
inputs,
so
you
get
every
unique
permutation
gets
run
so
we're
good
to
go.
We
go
to
plug
this
back
coming
back
to
like
the
main
framework
here
right.
B
We've
got
this
system
for
doing
plugins
on
the
data
set
generation
and
we
also
came
up
with
the
system
for
doing
plugins
on
the
neural
model,
so
the
machine
learning
models,
as
well
as
a
system
for
doing
plugins
on
the
data
sources
right
so
now
we
can
either
look.
We
can
iterally
swap
out
the
data
generation
pieces
and
then
we
can
swap
out
the
model.
B
The
model
portion,
so
we
can
go
and
say
you
know,
am
I
using
psych
it,
which
is
what
we
started
with
because
psych
it
will
tell
you
what
are
the
feature
importances
of
each
of
the
pieces
of
data
you're
putting
into
it.
So
it
might
say,
hey.
You
know
you
gave
me
this
ratio
of
how
many
comments
per
pork
or
how
are
there
a
lot
of
comments
on
every
pull
request?
Or
you
know
what
is
the
diversity
of
authorship
like?
B
How
is
is
each
line
of
code
committed
by
a
different
person,
and
so,
if
you
throw
that
through
the
random
forest
classifier,
it
has
this
nice
property
being
like
this
classical
machine
learning
algorithm
where
it
can
tell
you
that
which
which
pieces
of
feature
data
were
important
in
getting
a
good
accuracy
on
the
prediction,
so
that
helped
us
throw
out
these
things
right.
But
then,
once
we
got
to
a
reasonable
amount
of
accuracy,
around
80
percent
I
think
was
like
82
percent.
We
said
okay!
B
Well,
we
want
to
go
switch
this
to
a
you
know,
a
better
machine
learning
model,
something
that's
not
hasn't
been
around.
For
you
know
many.
Many
years
so,
let's
try
doing
some
neural
networks
through
tensorflow,
and
so,
since
we've
got
this
plug-in
framework,
we
basically
say
generate
the
data
now,
instead
of
doing
through
the
sidekick
model
do
through
the
tensorflow
model,
it's
just
a
command
line,
flag
to
say,
psych,
it's
a
tensor
flow
and
then
now
we're
training
using
tensor
flow
and
we
get
90%
accuracy.
B
So
that's
pretty
that's
good
enough
right
there,
so
we're
just
gonna
go
and
start
using
this
90%
accuracy
to
drop
the
banhammer
on
things
as
people
submit
them.
So
they
do
don't
have
to
wait
for
this
four
to
six
week,
turnaround
to
hear
that
they
need
to
go
change
all
their
code
because
they
used
about
220
dependency
so
and
then,
like
I,
was
saying
we
also
swapped
in
and
out
the
data
sources.
So
when
we
went
to
go
take
this
into
the
production
environment,
the
production
environment.
B
Had
this
wacky,
my
sequel
set
up,
so
we
you
know,
we
created
this
custom
data
source
that
knows
how
to
interact
with
all
these
various,
my
sequel
tables,
which
is
you
know,
probably
the
case
if
you're
going
to
integrate
with
a
existing
application.
Like
you
don't
know
what
the
database
is
gonna
be
like
or
well
you
do
know
what
the
database
is
gonna
be
like,
and
it's
probably
gonna
be
custom
logic
right,
so
you're
gonna
go
need
to
figure
out
how
to
integrate
it
with
that
custom
logic,
so
you
were
in
a
plugin.
B
So
this
is
what
it
looked
like
once
it
got
integrated
it's
pulling
and
pushing
pushing
the
data
from
that
production
database
and
it
you
know
you
put
in
the
URL.
It
runs
the
data
set
generation
and
then
it
runs
the
prediction
through
the
trained
model-
and
it
says
yes,
I
think
this
is
a
good
thing
or
no
I
think
this
is
a
bad
thing.
B
B
It
provides
the
abstractions
around
sources
and
around
generation
and
around
models,
and
we've
got
a
few
big
din
for
you,
but
you
also
it's
the
plug-in
based
system
does
not
require
that
you
write
a
plugin
that
gets
contributed
back
into
the
main
source
code
of
the
repo
right,
so
people
can
publish
plugins
and
then
just
like
have
them
on
pi
PI
or
have
them
in
their
git
repos,
and
you
can
install
them
from
people's
random
source
and
it
will
work
as
a
part
of
the
existing
ecosystem.
So
we've
got
sources
for
CSV
files.
B
Json,
as
my
sequel
and
we've
also
got
some
models
for
tensorflow
and
Sai
kit.
To
do
a
few
things
there.
We
provide
a
consistent
API
across
the
command
line,
interface,
the
library,
the
HTTP
API
and
then,
by
extension,
the
JavaScript
API
that
works
with
the
HTTP
API.
This
is
just
like
a
bunch
of
console.log
from
doing
all
the
same
things
we
were
doing
in
Python,
we're
now
doing
from
JavaScript
hitting
the
HTTP
API.
So
then
you
have
access
to
all
these
plugins.
B
You
know
you
install
somebody's
trying
to
plug
in
and
since
it
all
fits
in
the
framework,
it
knows
how
to
extrapolate
all
the
data.
You
need
to
go,
configure
that
model
or
whatever
and
display
it
to
you
through
this
other
API.
So
what
else
have
we
done
note
this
thing?
Well,
we
wrote
this
metastatic
analysis
tool
for
Python
called,
should
I
and
if
you're
familiar
with
PI
Python
or
basically
any
package
manager,
you
usually
type,
you
know,
pip,
install
or
affricate
install
blank
right.
B
So
we
created
this
thing
that
goes
and
it
downloads
the
PI
pi
package
that
you
were
about
to
install
and
it
runs
some
static
analysis
tools
on
it
and
right
now,
there's
only
two
static
analysis
tools
that
it
runs,
but
there
can
be
lots
more
because
we
have
this
system
where
we're
using
these
operations
and
the
amount
of
code
that
it
takes
to
add
a
new
plugin
to
analyze
the
source
code.
It's
basically
like
I
think
it's
like
20
lines.
If
it's
auto
formatted
with
this
thing,
that
makes
it
really
long.
B
B
It's
really
easy
to
just
say:
hey,
you
know,
schedule
this
in
a
thread
and
it
works
straighter.
We'll
go
do
that
for
you.
So
we've
also
got
this
concept
where
you
can
take
these
data
flows
right
since
we've
abstracted
to
this
level.
We
can
take
these
data
flows
and
we
can
deploy
them
in
different
kinds
of
environments
right.
We
could
deploy
this
as
a
command-line
application
like
we
did
where
we
say
you
know,
should
I
install
this
thing.
B
It
goes,
runs
them
and
gives
you
the
results,
or
we
could
deploy
this
behind
like
an
HTTP
API.
You
know,
coincidentally,
the
same
one
that
does
all
the
machine
learning
models
and
stuff.
So
basically
we
export
yamo
files
and
or
json
files,
or
you
know,
whatever
config
format
you
want
like
there's
a
serializer
and
deserialize
ER
plugin,
because
if
you
haven't
noticed
yet
I
like
plugins,
and
so
you
can
export
these
data
flows
and
then
you
could
say,
like
you
know,
run
it.
B
All
I
had
to
do
was
modify
the
yamo
file
and
now,
if
you
can
see
at
the
bottom
here
in
this
demo,
it's
giving
you
the
lines
of
code
or
lines
of
comments,
the
line
of
code
ratio
and
basically,
we
have
like
a
very
small
yamo
file
that
gets
in
this
overrides
situation.
And
then
you
can
like
overlay
different
operations
to
create
new
data
flows
by
chaining,
together
these
operations
and
saying
how
they
should
be
connected.
B
B
So
where
do
we
go
from
here?
You
can
check
out
the
machine
learning
integration
usage
example,
which
is
basically
very,
very,
very
similar
to
the
code
that
had
to
be
written
to
integrate
this
with
in
intel's
environment,
and
you
can
also
check
out.
Should
I,
which
is
this
medica,
static
analysis
tool,
and
hopefully
you
guys
can
go
contribute
because
it
should
be
very
easy
to
write
little
operations
and
you,
if
you
want
to
contribute,
we
have
weekly
meetings
at
9:00
a.m.