Abstract:
On April 7th, 2014, a flaw in OpenSSL was announced simultaneously and independently by researchers at Google and at Codenomicon, a Finnish software testing company. The flaw was in an OpenSSL extension called Heartbeat and allowed a buffer over-read of heap memory by any external client connected through OpenSSL, possibly exposing the private keys used by OpenSSL. The flaw went undetected for over two years, as the affected versions of OpenSSL dated back to March 2012. It is estimated that the flaw affected over 500,000 servers around the world, including those at Google, Amazon, Cisco, Dell, Intel and Facebook (NetCraft, 2014). This paper reports an analysis of OpenSSL code using software metrics in versions of OpenSSL before, during, and after Heartbleed, and their possible effects on software assurance. It looks at the OpenSSL coding, design and testing standards and practices that contributed to the flaw and to its severity, and makes suggestions for future changes to the corresponding processes. [ABSTRACT FROM AUTHOR]