Finding error handling bugs in OpenSSL using Coccinelle

Julia Lawall; Ben Laurie; René Rydhof Hansen; Nicolas Jean-Michel Palix; Gilles Muller

doi:10.1109/EDCC.2010.31

Finding error handling bugs in OpenSSL using Coccinelle

Julia Lawall, Ben Laurie, René Rydhof Hansen, Nicolas Jean-Michel Palix, Gilles Muller

Datalogisk Institut

30 Citationer (Scopus)

Abstract

OpenSSL is a library providing various functionalities relating to secure
network communication. Detecting and fixing bugs in OpenSSL code is thus
essential, particularly when such bugs can lead to malicious attacks. In
previous work, we have proposed a methodology for finding API usage
protocols in Linux kernel code using the program matching and transformation
engine Coccinelle. In this work, we report on our experience in applying
this methodology to OpenSSL, focusing on API usage protocols related to
error handling. We have detected over 30 bugs in a
recent OpenSSL snapshot, and in many cases it was possible to correct
the bugs automatically. Our patches correcting these bugs have been
accepted by the OpenSSL developers. This work furthermore confirms the
applicability of our methodology to user-level code.

Originalsprog	Engelsk
Titel	Proceedings of the Eighth European Dependable Computing Conference - EDCC-8
Antal sider	6
Forlag	IEEE
Publikationsdato	2010
Sider	191-196
ISBN (Trykt)	978-0-7695-4007-8
DOI	https://doi.org/10.1109/EDCC.2010.31
Status	Udgivet - 2010
Begivenhed	8th European Dependable Computing Conference - Valencia, Spanien Varighed: 28 apr. 2010 → 30 apr. 2010 Konferencens nummer: 8

Konference

Konference	8th European Dependable Computing Conference
Nummer	8
Land/Område	Spanien
By	Valencia
Periode	28/04/2010 → 30/04/2010

Adgang til dokumentet

10.1109/EDCC.2010.31

Citationsformater

@inproceedings{ccd287300f4a11df825d000ea68e967b,

title = "Finding error handling bugs in OpenSSL using Coccinelle",

abstract = "OpenSSL is a library providing various functionalities relating to securenetwork communication. Detecting and fixing bugs in OpenSSL code is thusessential, particularly when such bugs can lead to malicious attacks. Inprevious work, we have proposed a methodology for finding API usageprotocols in Linux kernel code using the program matching and transformationengine Coccinelle. In this work, we report on our experience in applyingthis methodology to OpenSSL, focusing on API usage protocols related toerror handling. We have detected over 30 bugs in arecent OpenSSL snapshot, and in many cases it was possible to correctthe bugs automatically. Our patches correcting these bugs have beenaccepted by the OpenSSL developers. This work furthermore confirms theapplicability of our methodology to user-level code.",

author = "Julia Lawall and Ben Laurie and Hansen, {Ren{\'e} Rydhof} and Palix, {Nicolas Jean-Michel} and Gilles Muller",

year = "2010",

doi = "10.1109/EDCC.2010.31",

language = "English",

isbn = "978-0-7695-4007-8",

pages = "191--196",

booktitle = "Proceedings of the Eighth European Dependable Computing Conference - EDCC-8",

publisher = "IEEE",

note = "8th European Dependable Computing Conference, EDCC-8 ; Conference date: 28-04-2010 Through 30-04-2010",

}

TY - GEN

T1 - Finding error handling bugs in OpenSSL using Coccinelle

AU - Lawall, Julia

AU - Laurie, Ben

AU - Hansen, René Rydhof

AU - Palix, Nicolas Jean-Michel

AU - Muller, Gilles

N1 - Conference code: 8

PY - 2010

Y1 - 2010

N2 - OpenSSL is a library providing various functionalities relating to securenetwork communication. Detecting and fixing bugs in OpenSSL code is thusessential, particularly when such bugs can lead to malicious attacks. Inprevious work, we have proposed a methodology for finding API usageprotocols in Linux kernel code using the program matching and transformationengine Coccinelle. In this work, we report on our experience in applyingthis methodology to OpenSSL, focusing on API usage protocols related toerror handling. We have detected over 30 bugs in arecent OpenSSL snapshot, and in many cases it was possible to correctthe bugs automatically. Our patches correcting these bugs have beenaccepted by the OpenSSL developers. This work furthermore confirms theapplicability of our methodology to user-level code.

AB - OpenSSL is a library providing various functionalities relating to securenetwork communication. Detecting and fixing bugs in OpenSSL code is thusessential, particularly when such bugs can lead to malicious attacks. Inprevious work, we have proposed a methodology for finding API usageprotocols in Linux kernel code using the program matching and transformationengine Coccinelle. In this work, we report on our experience in applyingthis methodology to OpenSSL, focusing on API usage protocols related toerror handling. We have detected over 30 bugs in arecent OpenSSL snapshot, and in many cases it was possible to correctthe bugs automatically. Our patches correcting these bugs have beenaccepted by the OpenSSL developers. This work furthermore confirms theapplicability of our methodology to user-level code.

U2 - 10.1109/EDCC.2010.31

DO - 10.1109/EDCC.2010.31

M3 - Article in proceedings

SN - 978-0-7695-4007-8

SP - 191

EP - 196

BT - Proceedings of the Eighth European Dependable Computing Conference - EDCC-8

PB - IEEE

T2 - 8th European Dependable Computing Conference

Y2 - 28 April 2010 through 30 April 2010

ER -