On Fri, 20 Apr 2012, Jean-Marc Desperrier wrote:

On Tue, 17 Apr 2012, Lubomír Sedlář wrote:
I would like to ask if any static analysis tool was ever used to detect
possible problems in OpenSSL source code. Is some tool used regularly?
I tried running Clang Static Analyzer [1] on the source of OpenSSL.

Julia Lawall wrote:
A few years ago, we did some experiments on finding problems in error
handling in OpenSSL using Coccinelle:

Finding Error Handling Bugs in OpenSSL using Coccinelle
http://coccinelle.lip6.fr/papers/edcc10.pdf

It's a bit surprising if none of those tools could identify the badness of the code involved in the just published memory corruption vulnerability.

I fail to see anything subtle in that vulnerability.
Now, the trouble might be in the eye of the reviewer who'd assume way too easily that the downcasting of a long is OK.

I think it would be really interesting to understand *why* this wasn't seen earlier, and check all the rest of the code for potentially similar problems. Or similar cases of assuming that "doing this is not very clean but won't hurt us" instead of cleaning the code to do things properly.

Coccinelle is not a static analysis tool, but a scripting language for letting you search for whatever pattern you are interested in. I don't remember the pattern in question, but it didn't find the problem because I wasn't looking for it. On the other hand, a tool like clang static analyzer is promising to find all of the problems in one's code. So it would be more reasonable to expect it to find it.

I didn't make enough note of the vulnerability that is referred to. Could you send me a link? Perhaps it is possible with Coccinelle to find other similar cases.

julia
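As an added illustration of the kind of search Julia describes (not a script from the thread or from the Coccinelle project), the following semantic patch reports every place where a value of type long is narrowed to int, either by assignment or by an explicit cast. The file name `downcast.cocci` and the rule name `narrow` are assumptions; run it as `spatch --sp-file downcast.cocci --dir crypto/` from an OpenSSL checkout.

```coccinelle
// downcast.cocci (hypothetical name): find long -> int narrowing.
// L and I are typed expression metavariables; Coccinelle only
// binds them where it can infer the C type of the expression.
@narrow@
long L;
int I;
position p;
@@
(
 I@p = L
|
 (int)L@p
)

// Report each match with file and line so a reviewer can check
// whether the narrowed value is range-checked before it is used.
@script:python@
p << narrow.p;
@@
coccilib.report.print_report(p[0],
    "long narrowed to int: verify the value fits before use")
```

Matches inside declarations with initializers (`int n = len;`) are not covered by this rule and would need a separate declaration pattern.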
