Researchers engage in the largest effort to review OpenSSL

Mar 10, 2015 16:43 GMT

Researchers at NCC Group Cryptography Services will audit the widely deployed OpenSSL implementation of the SSL/TLS cryptographic protocol, although the review will not be totally comprehensive.

The group includes consultants from companies such as iSEC Partners, Matasano Security, Intrepidus Group and NCC Group, and it is also involved in auditing the security of the no longer developed TrueCrypt software.

Heartbleed had its benefits for the OpenSSL Software Foundation

Auditing OpenSSL comes after a period of much toil and trouble that ended some time after the discovery of the Heartbleed bug in April 2014.

At that time, the maintainers of OpenSSL suffered from a chronic shortage of resources (mostly financial). Because an error in the library's code creates ripples all over the web, under-funding such a project would create a real problem.

Following the Heartbleed issue, a consortium named the Core Infrastructure Initiative was created. Housed at The Linux Foundation and composed of Microsoft, Facebook, Amazon, Dell, Google and several other large tech entities, it funds the OpenSSL foundation so that it gets the support needed to keep the product safe and sound.

The current endeavor from NCC Group Cryptography Services is sponsored by the consortium and is designed mostly to check the TLS stacks and BIOs (I/O stream abstraction).

OpenSSL code has been reformatted for better reading

In their examination, the researchers say that they’ll cover protocol flow, state transitions and memory management, as well as “most of the high-profile cryptographic algorithms.” Testing will be carried out via fuzzers for the ASN.1 and X.509 parsers.

“This is a fairly large audit, so we expect the preliminary results to start coming out towards the beginning of the Summer after we coordinate with the OpenSSL team,” NCC Group has said in a blog post today.

One of the catalysts for this effort is the fact that the OpenSSL code has been cleaned up and reformatted, making it easier to read than before. In the process, various glitches were found and fixed.