Finding error handling bugs in OpenSSL using Coccinelle

Julia Lawall; Ben Laurie; René Rydhof Hansen; Nicolas Jean-Michel Palix; Gilles Muller

doi:10.1109/EDCC.2010.31

Finding error handling bugs in OpenSSL using Coccinelle

Julia Lawall, Ben Laurie, René Rydhof Hansen, Nicolas Jean-Michel Palix, Gilles Muller

Department of Computer Science

30 Citations (Scopus)

Abstract

OpenSSL is a library providing various functionalities relating to secure
network communication. Detecting and fixing bugs in OpenSSL code is thus
essential, particularly when such bugs can lead to malicious attacks. In
previous work, we have proposed a methodology for finding API usage
protocols in Linux kernel code using the program matching and transformation
engine Coccinelle. In this work, we report on our experience in applying
this methodology to OpenSSL, focusing on API usage protocols related to
error handling. We have detected over 30 bugs in a
recent OpenSSL snapshot, and in many cases it was possible to correct
the bugs automatically. Our patches correcting these bugs have been
accepted by the OpenSSL developers. This work furthermore confirms the
applicability of our methodology to user-level code.

Original language	English
Title of host publication	Proceedings of the Eighth European Dependable Computing Conference - EDCC-8
Number of pages	6
Publisher	IEEE
Publication date	2010
Pages	191-196
ISBN (Print)	978-0-7695-4007-8
DOIs	https://doi.org/10.1109/EDCC.2010.31
Publication status	Published - 2010
Event	8th European Dependable Computing Conference - Valencia, Spain Duration: 28 Apr 2010 → 30 Apr 2010 Conference number: 8

Conference

Conference	8th European Dependable Computing Conference
Number	8
Country/Territory	Spain
City	Valencia
Period	28/04/2010 → 30/04/2010

Access to Document

10.1109/EDCC.2010.31

Cite this

@inproceedings{ccd287300f4a11df825d000ea68e967b,

title = "Finding error handling bugs in OpenSSL using Coccinelle",

abstract = "OpenSSL is a library providing various functionalities relating to securenetwork communication. Detecting and fixing bugs in OpenSSL code is thusessential, particularly when such bugs can lead to malicious attacks. Inprevious work, we have proposed a methodology for finding API usageprotocols in Linux kernel code using the program matching and transformationengine Coccinelle. In this work, we report on our experience in applyingthis methodology to OpenSSL, focusing on API usage protocols related toerror handling. We have detected over 30 bugs in arecent OpenSSL snapshot, and in many cases it was possible to correctthe bugs automatically. Our patches correcting these bugs have beenaccepted by the OpenSSL developers. This work furthermore confirms theapplicability of our methodology to user-level code.",

author = "Julia Lawall and Ben Laurie and Hansen, {Ren{\'e} Rydhof} and Palix, {Nicolas Jean-Michel} and Gilles Muller",

year = "2010",

doi = "10.1109/EDCC.2010.31",

language = "English",

isbn = "978-0-7695-4007-8",

pages = "191--196",

booktitle = "Proceedings of the Eighth European Dependable Computing Conference - EDCC-8",

publisher = "IEEE",

note = "8th European Dependable Computing Conference, EDCC-8 ; Conference date: 28-04-2010 Through 30-04-2010",

}

TY - GEN

T1 - Finding error handling bugs in OpenSSL using Coccinelle

AU - Lawall, Julia

AU - Laurie, Ben

AU - Hansen, René Rydhof

AU - Palix, Nicolas Jean-Michel

AU - Muller, Gilles

N1 - Conference code: 8

PY - 2010

Y1 - 2010

N2 - OpenSSL is a library providing various functionalities relating to securenetwork communication. Detecting and fixing bugs in OpenSSL code is thusessential, particularly when such bugs can lead to malicious attacks. Inprevious work, we have proposed a methodology for finding API usageprotocols in Linux kernel code using the program matching and transformationengine Coccinelle. In this work, we report on our experience in applyingthis methodology to OpenSSL, focusing on API usage protocols related toerror handling. We have detected over 30 bugs in arecent OpenSSL snapshot, and in many cases it was possible to correctthe bugs automatically. Our patches correcting these bugs have beenaccepted by the OpenSSL developers. This work furthermore confirms theapplicability of our methodology to user-level code.

AB - OpenSSL is a library providing various functionalities relating to securenetwork communication. Detecting and fixing bugs in OpenSSL code is thusessential, particularly when such bugs can lead to malicious attacks. Inprevious work, we have proposed a methodology for finding API usageprotocols in Linux kernel code using the program matching and transformationengine Coccinelle. In this work, we report on our experience in applyingthis methodology to OpenSSL, focusing on API usage protocols related toerror handling. We have detected over 30 bugs in arecent OpenSSL snapshot, and in many cases it was possible to correctthe bugs automatically. Our patches correcting these bugs have beenaccepted by the OpenSSL developers. This work furthermore confirms theapplicability of our methodology to user-level code.

U2 - 10.1109/EDCC.2010.31

DO - 10.1109/EDCC.2010.31

M3 - Article in proceedings

SN - 978-0-7695-4007-8

SP - 191

EP - 196

BT - Proceedings of the Eighth European Dependable Computing Conference - EDCC-8

PB - IEEE

T2 - 8th European Dependable Computing Conference

Y2 - 28 April 2010 through 30 April 2010

ER -