Now that its codebase is finally viewed as stable, OpenSSL is getting a good top-to-bottom once-over in the form of a sweeping audit.
It’s been close to a year since the Heartbleed bug sent the Internet into a frenzy over security. It spurred the software industry to rally behind OpenSSL—sending in more developers, revamping the security protocol, and laying out a revised road map for the ailing encryption protocol underlying much of the Web.
As part of the Linux Foundation’s Core Infrastructure Initiative (CII), the foundation and the Open Crypto Audit Project (OCAP) are sponsoring and organizing what may arguably be the highest-profile audit of a piece of open-source software in history. The audit itself will be conducted by the information assurance organization NCC Group, and its security research arm, Cryptography Services, will carry out the code review.
In the Cryptography Services announcement, the audit team stated it will focus primarily on the TLS stacks, covering protocol flow, state transitions and memory management, while also taking a look at BIOs and the most prominent cryptographic algorithms, and setting up fuzzers for the ASN.1 and X.509 parsers. According to OpenSSL’s Open HUB project page, the implementation currently consists of 447,247 lines of code written in 14 programming languages. Tom Ritter, practice director and principal security consultant for the NCC Group, explained how the audit team meticulously prepared for the task.
“From the first time OCAP posed it to us, we started by sitting down and listing every single thing we could find in OpenSSL,” he said. “There’s so much in there people don’t even realize, like an HTTP server that’s not actually used anywhere on the Internet. We tried to figure out what was most critical, most deployed, most network-facing versus local access-based. We drew lines around all of that—things to include and exclude, stuff in the middle, to figure out what we’ll try to cover and which parts of the code we can leave out of the scope.”
Cryptography Services has spent the past several months planning out the audit and consulting with OCAP and the OpenSSL team to lay out an initial plan of action for it. The audit will begin in mid-spring, and Ritter said the completion date is tentatively targeted for mid-summer. They’ll likely take a break sometime in the middle of the project, he said, to discuss the state of the audit with the OCAP review board.
Ritter gave a glimpse of what the atmosphere will be like inside the audit room.
“We’re going to be using really large whiteboards, for sure,” he said. “There will be a lot of manual code review and tracing of function calls, along with a lot of automated testing mostly with tools we’ve written ourselves. So we’re going to take a multi-faceted approach, looking at it from both the automated and the manual side.”