Semmle provided quick detection of Heartbleed

In April 2014 the Heartbleed bug caused widespread alarm around the world as it affected a significant proportion of the Internet’s secure web servers. This bug in the open-source OpenSSL cryptography library had been introduced into version 1.0.1 of OpenSSL in 2012 and had remained undetected for over two years.

The bug was part of the Heartbeat Extension for Transport Layer Security (TLS) in OpenSSL. It was a classic example of a bounds-checking vulnerability, where data is read from beyond a buffer’s boundary due to missing input validation. Although there are many general-purpose security analyses that try to find bounds-checking vulnerabilities, the data flow involved in an exploit of the Heartbleed bug is difficult to track and unlikely to be identified by general-purpose analysis.
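To make the missing check concrete, here is an added illustration (not Semmle's code and not OpenSSL's) of the read-side validation a heartbeat handler needs: the payload length declared in the record header must fit inside the record that actually arrived before any bytes are copied back. Record layout follows RFC 6520; the function names and the two sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Heartbeat record layout (RFC 6520): 1-byte type, 2-byte big-endian payload
 * length, payload, then at least 16 bytes of padding. */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16
#define HB_RESPONSE 2

/* The bounds check Heartbleed lacked: the sender's declared payload length
 * must fit inside the record that actually arrived. Returns 1 if it does. */
int hb_payload_length_ok(const uint8_t *rec, size_t rec_len, size_t *payload_out)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + payload + HB_MIN_PADDING > rec_len)
        return 0; /* declared length reaches past the buffer: drop the record */
    *payload_out = payload;
    return 1;
}

/* Echoes only the validated payload into a response. Returns bytes written,
 * or 0 when the request is malformed or the output buffer is too small. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    size_t payload;
    if (!hb_payload_length_ok(rec, rec_len, &payload))
        return 0;
    size_t need = HB_HEADER_LEN + payload + HB_MIN_PADDING;
    if (out == NULL || need > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload);
    memset(out + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING); /* real TLS uses random padding */
    return need;
}

/* Constructed sample records: a well-formed 4-byte "ping" request, and one
 * whose header claims 0xFFFF bytes while carrying the same 4-byte payload. */
const uint8_t HB_GOOD[] = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g',
                            0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t HB_OVERSIZED[] = { 1, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
                                 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
```

The oversized record is exactly the shape a general-purpose analysis struggles with: the length comes from the wire, is decoded two bytes at a time, and only later drives a copy, so the data flow from untrusted input to the copy length is what a targeted query has to follow.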

Using Semmle’s object-oriented query language, QL, an analysis that spots the pattern behind the Heartbleed vulnerability was written in just a few lines. The flexibility of QL means that as issues arise, checks can quickly be created and added to your Semmle engineering analytics platform to identify every occurrence of a particular vulnerability in a code base. The query can then be generalized to find similar problematic patterns. In this way, the protection provided by Semmle grows over time as the queries supplied by Semmle are augmented by your own custom queries.

Read more about Semmle’s Heartbleed analysis.