FIDO at LINE: FIDO2 server as an open-source project

Hello, this is Kyungjoon from the Security R&D team. I work as a FIDO (Fast Identity Online) engineer. Continuing from our last post FIDO at LINE: A First Step to a World Without Passwords, I would like to introduce you to FIDO2, and also share my experiences from participating in the interoperability testing event hosted by the FIDO Alliance earlier this year in March. Lastly I will talk about our very own LINE FIDO2 server, which will be made available as an open-source project.

Make your GitHub contributions calendar greener (featuring Armeria Sprint)!

Hi, there! Do any of you need to make lots and lots of commits to turn your GitHub contribution calendar into a pastureland? If that’s the case, I proudly present Armeria Sprint! Let me give you some ideas on what Armeria Sprint is and share reviews from our enthusiastic participants. You’ve probably come across a sprint at technical […]

FIDO at LINE: A First Step to a World Without Passwords

Getting closer to a world without passwords. Today we are happy to announce that LINE has achieved the world’s first FIDO Universal Server certification (as a service provider) for our authentication server — LINE Authentication Server. With FIDO authentication, LINE users can sign in and authenticate both using biometrics (for example, face and fingerprint), as well as with […]

Buffer overflow in PJSIP, a VoIP open source library

Hi all, I am Youngsung Kim (Facebook, Twitter) of the Application Security team at LINE, and I am in charge of evaluating the security of LINE services. In this post, I’d like to share a vulnerability (CVE-2017-16872, AST-2017-009) in PJSIP, an open-source VoIP library. PJSIP is a multimedia communication library based on the following standard protocols: SIP, SDP, RTP, STUN, TURN, and ICE. The Asterisk framework, widely used in IP-PBX and VoIP gateways, has a SIP stack implemented on top of PJSIP.

The vulnerability was caused by careless handling of integer sign extension when a signed int was converted to an unsigned long while processing a client’s SIP request on a 64-bit environment. There was no channel for reporting the security issue to the PJSIP development team, so I submitted my report through Asterisk’s security page. Afterwards, I consulted with George Joseph, an engineer at Asterisk, and the patch (PJSIP patch, Asterisk patch) was applied in pjproject v2.7.1. I’d like to express my gratitude to George for handling the patch.

Open-sourcing Armeria

Armeria is an asynchronous RPC/API client-server implementation built on top of Java 8 and Netty, which LINE Corporation open-sourced last November under the Apache License 2.0. Its primary goal is to help engineers build high-performance asynchronous Thrift clients and servers that use HTTP/2 as the session layer protocol, although it is designed to be protocol-agnostic and highly extensible (for example, you can serve a directory of static files via HTTP/2 and run Java EE web applications).

In this post, I’d like to focus on the steps that were taken to open-source an internal project rather than the technical aspect. If you are interested in the technical details of Armeria, you might want to check out the following slides presented last February during the 14th LINE Developer Meetup: