The Role of Static Analysis in Heartbleed

The Heartbleed bug was one of the largest security vulnerabilities of 2014, not only because of the media attention it garnered but also because it affected over half a million web sites on the Internet. Because the bug was in OpenSSL, it affected web sites, VPN concentrators, client applications and mobile devices. This paper details what the Heartbleed bug is, how the details were disclosed, and how vendors responded to it. The role of static analysis in software quality is then discussed. How static analysis, specifically Coverity's TAINTED_SCALAR heuristic, was improved to detect this bug will also be presented. Finally, how end users can protect themselves from similar vulnerabilities will be discussed.