A colleague asked me about an Android vulnerability called fragment injection because of an article he read  and I think its worth diving into the details of the vulnerability. Fragment injection is a classic example of using reflection in an unsafe way (CWE-470) . As in untrusted data from an Intent is used to […]
What a difference a few weeks makes in the software security world. When the Heartbleed bug was publicly disclosed a short while ago, the reaction was swift and fairly consistent. It was identified as a real problem, not FUD, and systems were being patched VERY quickly. Often time when a security vulnerability is announced we […]
Many of our customers have asked whether Coverity can detect Heartbleed. The answer is not yet – but we’ve put together a new analysis heuristic that works remarkably well and does detect it (UPDATE: the Coverity platform now detects the Heartbleed defect). We wanted to tell our customers and readers about this heuristic and what […]
Posted in Static Analysis (SAST) | Comments Off on On detecting Heartbleed with static analysis
By now, you’ve surely heard about the Heartbleed vulnerability (CVE-2014-0160) in OpenSSL 1.0.1 through 1.0.1f (inclusive). The vulnerability has been present in OpenSSL since December 2011. Many websites have discussed the details of the bug, and I will not go into the deep technical details here. I will describe the bug at a high level, […]
Today’s OpenSSL bug adds another tally on to the rapidly growing list of major security issues with the OpenSSL library. A friend and former colleague, Mike Nygard asked a very important question. Serious question: is it better to rewrite a library that’s had a lot of implementation problems, or is it better to keep hardening […]
Posted in Uncategorized | Comments Off on OpenSSL: Fix or rewrite?