Can I See Some Identification?: Detecting and Patching Source Code Vulnerabilities

Abstract

This paper reflects research with the goal of building source analysis of security vulnerabilities for poorly written or faulty code intended to connect two parties via online interaction. Today’s world is becoming more inundated with technology and increased digital functionality through the use of the Internet, and as a result code libraries have been built to support these data transfers. However, these libraries still contain unsafe code and often lack the ability to inform developers of improper usages of the libraries’ tools. In this proof of concept project, the research uses the C programming language and the ROSE compiler to search through the libcurl SSL source code library in an effort to locate such problems and warn the developer of them. The libcurl variable insecure_ok was found to be uninitialized, and so code was built in order to find it and other such variables, as well as warn programmers of its potential dangers. These represent the first steps for further research into other problems within SSL libraries and improvement of checks within the SSLChecker suite.