Title :
Trustworthy software: lessons from ???goto fail??? & heartbleed bugs
Author :
Boyes, H.A. ; Norris, P. ; Bryant, I. ; Watson, T.
Author_Institution :
Cyber Security Centre, Univ. of Warwick, Coventry, UK
Abstract :
In the first four months of 2014, two major vulnerabilities were announced affecting operation of the Transport Layer Security (TLS) protocol, which is used by applications to secure Internet communications. The `goto fail´ bug affected Apple´s iOS and OS X software and the `Heartbleed´ bug affected versions of the OpenSSL software. Whilst the Apple bug was serious because it affected a wide range of Apple products, the Heartbleed bug was of greater significance due to widespread use of the OpenSSL library. This paper considers the lessons to be learned from these incidents. It examines how the use of the Trustworthy Software Framework (TSF) developed by the authors could have helped to reduce the risk of a major bugs like `goto fail´ and Heartbleed. It also examines the responsibilities of developers where they use third party libraries and the need for appropriate due diligence. The paper also makes recommendations about how incidents like this should be handled to avoid confusing and contradictory messages being given.
Keywords :
Internet; operating system kernels; program debugging; public domain software; software libraries; trusted computing; Apple OS X software; Apple iOS software; Apple products; Heartbleed bugs; Internet communications; OpenSSL library; OpenSSL software; TLS protocol; TSF; goto fail bug; third party libraries; transport layer security protocol; trustworthy software; trustworthy software framework; Heartbleed; cyber security; embedded systems; software defect; trustworthy software;
Conference_Titel :
System Safety and Cyber Security (2014), ??????9th IET International Conference on
Print_ISBN :
978-1-84919-940-7
