In the first four months of 2014, two major vulnerabilities were announced affecting operation of the Transport Layer Security (TLS) protocol, which is used by applications to secure Internet communications. The `goto fail' bug affected Apple's iOS and OS X software and the `Heartbleed' bug affected versions of the OpenSSL software. Whilst the Apple bug was serious because it affected a wide range of Apple products, the Heartbleed bug was of greater significance due to widespread use of the OpenSSL library. This paper considers the lessons to be learned from these incidents. It examines how the use of the Trustworthy Software Framework (TSF) developed by the authors could have helped to reduce the risk of a major bugs like `goto fail' and Heartbleed. It also examines the responsibilities of developers where they use third party libraries and the need for appropriate due diligence. The paper also makes recommendations about how incidents like this should be handled to avoid confusing and contradictory messages being given.\ud\ud
展开▼
机译:2014年的前四个月,宣布了两个主要漏洞,这些漏洞影响传输层安全性(TLS)协议的运行,该协议被应用程序用来保护Internet通信的安全。 “ goto fail”错误影响了Apple的iOS和OS X软件,“ Heartbleed”错误影响了OpenSSL软件的版本。尽管Apple Bug之所以很严重是因为它影响了广泛的Apple产品,但由于OpenSSL库的广泛使用,Heartbleed Bug的重要性更高。本文考虑了从这些事件中学到的教训。它研究了作者开发的可信赖软件框架(TSF)的使用如何有助于降低诸如“ goto fail”和Heartbleed之类的重大错误的风险。它还检查了使用第三方库的开发人员的责任以及进行适当尽职调查的必要性。本文还就应如何处理此类事件提出建议,以避免发出混乱和矛盾的消息。\ ud \ ud
展开▼
