OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
Ben Laurie
benl at freebsd.org
Wed Apr 23 08:51:05 UTC 2014
On 22 April 2014 22:28, Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
>
> In message <DC2F9726-881B-4D42-879F-61377CA0210D at mac.com>,
> Charles Swiger <cswiger at mac.com> wrote:
>
>>On Apr 21, 2014, at 6:38 PM, Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
>>> In the aftermath of this whole OpenSSL brouhaha... which none other than
>>> Bruce Schneier publicly pronounced to be a 12, on a scale from 1 to 10,
>>> in terms of awfulness... I do wonder if anyone has taken the time or effort
>>> to run the OpenSSL sources through any kind of analyzer to try to obtain
>>> some of the standard sorts of software science metrics on it.
>>
>>Sure. Running clang's static analyzer against openssl-1.0.1g yields:
>>
>>Bug Type Quantity
>>All Bugs 182
>>
>>Dead store
>> Dead assignment 121
>> Dead increment 12
>> Dead initialization 2
>>
>>Logic error
>> Assigned value is garbage or undefined 3
>> Branch condition evaluates to a garbage value 1
>> Dereference of null pointer 27
>> Division by zero 1
>> Result of operation is garbage or undefined 9
>> Uninitialized argument value 2
>> Unix API 4
>
> Thank you for doing this.
>
> Perhaps it goes without saying, but I'll say it anyway. The above results
> are at once both enlightening and disgusting.
>
> Apparently, the OpenBSD guys are reorganizing/rewriting OpenSSL. I hope
> that they take the time to do what you have done *and* also to drive every
> bleedin' last one of these numbers to zero. I feel sure that the vast
> majority of the issues uncovered by clang are not in any sense exploitable,
> however it's the one or two or three that are that worry me.
>
>
> Regards,
> rfg
>
>
> P.S. I was reading last night about VP8. In that case, apparently,
> the formal specification for that protocol *is* the code. (See RFC
> 6386, Section 1.)
>
> If you have time, Charles, perhaps you could run this same analysis on
> that code too, and report numbers for that as well.
>
> I am *not* looking forward to the day when I'll be rooted because I was
> watching funny kitten videos on YouTube.
So where are your patches to fix these issues?
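The quoted "Bug Type / Quantity" summary is the kind of output one would want to gate on rather than read by hand. The following is an added example, not code from the thread or from OpenSSL: a small Python triage script that parses a summary in that layout (the sample input is constructed from the openssl-1.0.1g figures quoted above), checks that the rows add up to the reported total, and applies an assumed policy that dead stores are hygiene while logic errors block a build.

```python
import re
# Constructed sample: the openssl-1.0.1g figures quoted above, laid out
# like the "Bug Type / Quantity" summary of a scan-build report.
SAMPLE_REPORT = """\
Bug Type Quantity
All Bugs 182

Dead store
 Dead assignment 121
 Dead increment 12
 Dead initialization 2

Logic error
 Assigned value is garbage or undefined 3
 Branch condition evaluates to a garbage value 1
 Dereference of null pointer 27
 Division by zero 1
 Result of operation is garbage or undefined 9
 Uninitialized argument value 2
 Unix API 4
"""

# Policy assumed for this example: dead stores are hygiene, logic errors block.
BLOCKING_CATEGORIES = {"Logic error"}
_ROW = re.compile(r"^(.*\S)\s+(\d+)$")  # "<bug type> <count>"

def parse_summary(text):
    """Return (reported_total, {category: {bug_type: count}})."""
    total, cats, current = None, {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Bug Type"):
            continue                      # blank line or column header
        m = _ROW.match(line.strip())
        if m and m.group(1) == "All Bugs":
            total = int(m.group(2))       # the analyzer's own grand total
        elif line.startswith(" ") and m and current is not None:
            cats[current][m.group(1)] = int(m.group(2))
        elif not line.startswith(" "):
            current = line.strip()        # unindented line = category name
            cats.setdefault(current, {})
    return total, cats

def triage(text):
    """Cross-check the grand total and count findings that should block a build."""
    total, cats = parse_summary(text)
    per_cat = {c: sum(v.values()) for c, v in cats.items()}
    if total != sum(per_cat.values()):    # truncated or hand-edited report
        raise ValueError(f"total {total} != sum of rows {sum(per_cat.values())}")
    blocking = sum(n for c, n in per_cat.items() if c in BLOCKING_CATEGORIES)
    return {"total": total, "blocking": blocking, "by_category": per_cat}
```

Feeding it the quoted numbers gives 135 dead-store findings and 47 blocking logic errors, which is the split the thread argues matters: most findings are noise, but the null dereferences and garbage-value reads are the ones to drive to zero first.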