Date: Wed, 23 Apr 2014 09:51:03 +0100
From: Ben Laurie <benl@freebsd.org>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc: freebsd-security@freebsd.org
Subject: Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
Message-ID: <CAG5KPzyBSXFPzx6PZqu-9D9+ifn9ERNFc5Udxa4+sPJ2Fg3RSw@mail.gmail.com>
In-Reply-To: <8783.1398202137@server1.tristatelogic.com>
References: <DC2F9726-881B-4D42-879F-61377CA0210D@mac.com> <8783.1398202137@server1.tristatelogic.com>
On 22 April 2014 22:28, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
>
> In message <DC2F9726-881B-4D42-879F-61377CA0210D@mac.com>,
> Charles Swiger <cswiger@mac.com> wrote:
>
>>On Apr 21, 2014, at 6:38 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
>>> In the aftermath of this whole OpenSSL brouhaha... which none other than
>>> Bruce Schneier publicly pronounced to be a 12, on a scale from 1 to 10,
>>> in terms of awfulness... I do wonder if anyone has taken the time or effort
>>> to run the OpenSSL sources through any kind of analyzer to try to obtain
>>> some of the standard sorts of software science metrics on it.
>>
>>Sure. Running clang's static analyzer against openssl-1.0.1g yields:
>>
>>Bug Type                                         Quantity
>>All Bugs                                         182
>>
>>Dead store
>>  Dead assignment                                121
>>  Dead increment                                 12
>>  Dead initialization                            2
>>
>>Logic error
>>  Assigned value is garbage or undefined         3
>>  Branch condition evaluates to a garbage value  1
>>  Dereference of null pointer                    27
>>  Division by zero                               1
>>  Result of operation is garbage or undefined    9
>>  Uninitialized argument value                   2
>>
>>Unix API                                         4
>
> Thank you for doing this.
>
> Perhaps it goes without saying, but I'll say it anyway. The above results
> are at once both enlightening and disgusting.
>
> Apparently, the OpenBSD guys are reorganizing/rewriting OpenSSL. I hope
> that they take the time to do what you have done *and* also to drive every
> bleedin' last one of these numbers to zero. I feel sure that the vast
> majority of the issues uncovered by clang are not in any sense exploitable,
> however it's the one or two or three that are that worry me.
>
>
> Regards,
> rfg
>
>
> P.S. I was reading last night about VP8. In that case, apparently,
> the formal specification for that protocol *is* the code. (See RFC
> 6386, Section 1.)
>
> If you have time, Charles, perhaps you could run this same analysis on
> that code too, and report numbers for that as well.
>
> I am *not* looking forward to the day when I'll be rooted because I was
> watching funny kitten videos on YouTube.

So where are your patches to fix these issues?