Date: Tue, 22 Apr 2014 14:28:57 -0700 From: "Ronald F. Guilmette" <rfg@tristatelogic.com> To: freebsd-security@freebsd.org Subject: Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole? Message-ID: <8783.1398202137@server1.tristatelogic.com> In-Reply-To: <DC2F9726-881B-4D42-879F-61377CA0210D@mac.com>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <DC2F9726-881B-4D42-879F-61377CA0210D@mac.com>, Charles Swiger <cswiger@mac.com> wrote: >On Apr 21, 2014, at 6:38 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote >: >> In the aftermath of this whole OpenSSL brouhaha... which none other than >> Bruce Schneier publically pronounced to be a 12, on a scale from 1 to 10, >> in terms of awfulness... I do wonder if anyone has taken the time or effort >> to run the OpenSSL sources through any kind of analyzer to try to obtain >> some of the standard sorts of software science metrics on it. > >Sure. Running clang's static analyzer against openssl-1.0.1g yields: > >Bug Type Quantity >All Bugs 182 > >Dead store > Dead assignment 121 > Dead increment 12 > Dead initialization 2 > >Logic error > Assigned value is garbage or undefined 3 > Branch condition evaluates to a garbage value 1 > Dereference of null pointer 27 > Division by zero 1 > Result of operation is garbage or undefined 9 > Uninitialized argument value 2 > Unix API 4 Thank you for doing this. Perhaps it goes without aying, but I'll say it anyway. The above results are at once both enlightening and disgusting. Apparently, the OpenBSD guys are reorganizing/rewriting OpenSSL. I hope that they take the time to do what you have done *and* also to drive every bleedin' last one of these numbers to zero. I feel sure that the vast majority of the issues uncovered by clang are not in any sense exploitable, however its the one or two or three that are that worry me. Regards, rfg P.S. I was reading last night about VP8. In that case, apparently, the formal specification for that protocol *is* the code. (See RFC 6386, Section 1.) If you have time, Charles, perhaps you could run this same analysis on that code too, and report numbers for that as well. I am *not* looking forward to the day when I'll be rooted because I was watching funny kitten videos on YouTube.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8783.1398202137>