X-Lab, Baidu’s security lab focused on researching and developing industry-leading security solutions, today released the latest version of MesaLink, a cryptographic memory safe library for securing end-to-end communications.
Encrypted communication is a cornerstone of Internet security, as it provides protection from vulnerabilities for a wide variety of applications like cloud computing, blockchain, autonomous driving and Internet of Things. Existing solutions for securing end-to-end communications are implemented with programming languages like C/C++, which makes them particularly susceptible to memory safety vulnerabilities. Heartbleed Bug, for example, is a serious memory safety vulnerability in OpenSSL cryptographic software library that allows attackers to steal information protected by encryption.
“OpenSSL, one of the most prominent implementations of the SSL/TLS protocol, has been protecting the Internet for the past two decades,” said Tao Wei, Chief Security Scientist at Baidu, Inc. “It has made a significant contribution to the evolution of the Internet. However, cryptography and protocol implementations of SSL/TLS are complex, and SSL/TLS is nearly impossible to implement without vulnerabilities. When Heartbleed was discovered in 2014, it affected two-thirds of the Internet, causing detrimental loss around the globe. Heartbleed is considered one of the most serious vulnerabilities since the commercialization of the Internet.”
MesaLink, unlike OpenSSL, is based on Baidu’s advanced Hybrid Memory Safety Model, which has revolutionized memory safety systems at the software architecture level. MesaLink is well-guarded against a whole class of memory safety vulnerabilities and withstands most exploits.
MesaLink aims to be a drop-in replacement for the widely adopted OpenSSL library. By providing OpenSSL-compatible APIs, it enables developers of preexisting projects to smoothly transition to MesaLink. For example, curl, a popular library for transferring data, recently integrated MesaLink, which now easily extends its presence into a wide variety of applications where OpenSSL used to dominate. Another promising example is with Android, in which MesaLink is able to transparently establish secure communications for any installed app without changing a single line of code.
Beyond memory safety and OpenSSL compatibility, MesaLink also provides competitive performance. With secure and efficient cryptographic APIs, MesaLink reduces the time to estasblish a trusted communication channel between the client and server, providing a faster web browsing experience to users.
“Heartbleed is an example of why C/C++ cannot meet the memory safety expectations in SSL/TLS implementations,” add Wei. “To eliminate vulnerabilities like Heartbleed, the MesaLink project was created. We expect MesaLink could be the next OpenSSL that protects secure communication on the Internet for the foreseeable future.”
MesaLink has already been adopted in products like smart TVs and set-top boxes. As part of Baidu’s Open AI System Security Alliance and AIoT Security Solutions, it has enabled more than 2 million smart TVs to securely connect to the cloud.