# AD2044: DoNotStaticallyLinkOpenSSLPE

## Summary
| Property | Value |
|---|---|
| ID | AD2044 |
| Name | DoNotStaticallyLinkOpenSSLPE |
| Category | Security |
| Severity | Warning |
| Applies to | PE (Windows) |
## Description

PE binaries should not statically link OpenSSL. With static linking, a fix for an OpenSSL vulnerability can only reach the application by rebuilding and redeploying the binary, rather than by replacing the DLL.

## How It Works

The rule detects statically linked OpenSSL by:
- Scanning for OpenSSL version strings
- Checking for OpenSSL function names that are present in the binary without a corresponding import from an OpenSSL DLL
- Detecting OpenSSL-specific code patterns
## Why This Matters

OpenSSL has a history of critical security vulnerabilities. Static linking prevents easy patching.

### OpenSSL Vulnerability History
| CVE | Severity | Impact |
|---|---|---|
| CVE-2014-0160 (Heartbleed) | Critical | Memory disclosure |
| CVE-2014-0224 | High | MITM attacks |
| CVE-2016-0800 (DROWN) | High | SSL/TLS downgrade |
| CVE-2022-0778 | High | Denial of service |
### Static vs Dynamic Linking
| Aspect | Static | Dynamic |
|---|---|---|
| Update | Rebuild required | DLL replace |
| Deployment | Self-contained | Dependency |
| Patching | Slow (rebuild all apps) | Fast (one DLL) |
| Version control | Per-app | System-wide |
### Patching Timeline

```text
Vulnerability Disclosed
        ↓
Static Linking:                 Dynamic Linking:
├── Wait for rebuild            ├── Update DLL
├── Retest                      ├── Restart apps
├── Redeploy                    └── Done (hours)
└── Done (days/weeks)
```
## Exceptions
| Scenario | Acceptable? |
|---|---|
| Isolated environments | Maybe |
| Air-gapped systems | Review case-by-case |
| Version pinning needed | Use with monitoring |
## Resolution

Use dynamic linking for OpenSSL:

```cmake
# CMake: link against the shared OpenSSL libraries.
# Leave OPENSSL_USE_STATIC_LIBS unset (or set it to FALSE) so FindOpenSSL
# selects the import libraries for the libssl/libcrypto DLLs instead of
# the static archives. (BUILD_SHARED_LIBS only affects this project's own
# add_library() targets, not how FindOpenSSL resolves OpenSSL.)
find_package(OpenSSL REQUIRED)
target_link_libraries(myapp PRIVATE OpenSSL::SSL OpenSSL::Crypto)
# The matching libssl/libcrypto DLLs must be deployed alongside myapp.exe.
```
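The following script is an added example, not the rule's own implementation. It applies two of the signals listed under How It Works (an OpenSSL version string or error-table identifier present in the file, and whether the import directory names an OpenSSL DLL) and can be run on the built executable after the CMake change above to confirm the import table references libssl/libcrypto. The DLL names in `OPENSSL_DLLS` are real names used by OpenSSL Windows builds (not an exhaustive list); `build_sample_pe` and every byte it produces are constructed test input, not real binaries.

```python
"""Heuristic check for statically linked OpenSSL in a PE file (added example)."""
import re
import struct
import sys

# Real DLL names from OpenSSL 1.0.x / 1.1.x / 3.x Windows builds (illustrative).
OPENSSL_DLLS = frozenset({
    "libssl-3.dll", "libssl-3-x64.dll", "libcrypto-3.dll", "libcrypto-3-x64.dll",
    "libssl-1_1.dll", "libssl-1_1-x64.dll", "libcrypto-1_1.dll", "libcrypto-1_1-x64.dll",
    "ssleay32.dll", "libeay32.dll",
})
VERSION_RE = re.compile(rb"OpenSSL \d+\.\d+\.\d+[a-z]?")
# Identifiers OpenSSL embeds (error tables, function names); assumed markers.
ERR_MARKERS = (b"ssl/ssl_lib.c", b"SSL_CTX_new", b"EVP_EncryptInit_ex")


def imported_dlls(data: bytes) -> list[str]:
    """Return lower-cased DLL names from the PE import directory (PE32/PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]     # SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    datadir = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+
    imp_rva = struct.unpack_from("<I", data, datadir + 8)[0]  # entry 1 = imports
    sections = []
    for i in range(nsec):
        s = opt + opt_size + i * 40
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", data, s + 8)
        sections.append((vaddr, max(vsize, rsize), raw))

    def off(rva: int) -> int:  # map an RVA to a file offset via the section table
        for vaddr, size, raw in sections:
            if vaddr <= rva < vaddr + size:
                return raw + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} outside all sections")

    names: list[str] = []
    if imp_rva == 0:
        return names
    desc = off(imp_rva)
    while True:  # IMAGE_IMPORT_DESCRIPTOR is 20 bytes; Name RVA at +12; zero ends list
        name_rva = struct.unpack_from("<I", data, desc + 12)[0]
        if name_rva == 0:
            break
        p = off(name_rva)
        names.append(data[p:data.index(b"\0", p)].decode("ascii", "replace").lower())
        desc += 20
    return names


def check_openssl_linking(data: bytes) -> str:
    """'dynamic' (imports an OpenSSL DLL), 'static' (OpenSSL artefacts, no import), or 'none'."""
    if any(d in OPENSSL_DLLS for d in imported_dlls(data)):
        return "dynamic"
    if VERSION_RE.search(data) or any(m in data for m in ERR_MARKERS):
        return "static"  # this is the case AD2044 warns about
    return "none"


def build_sample_pe(dlls: list[str], payload: bytes = b"") -> bytes:
    """Construct a minimal, non-loadable PE32+ whose import directory names `dlls`."""
    sec_rva, sec_raw = 0x1000, 0x200
    body = bytearray(20 * (len(dlls) + 1))  # descriptors + terminating zero entry
    name_rvas = []
    for d in dlls:
        name_rvas.append(sec_rva + len(body))
        body += d.encode() + b"\0"
    body += payload
    for i, rva in enumerate(name_rvas):
        struct.pack_into("<I", body, i * 20 + 12, rva)
    hdr = bytearray(sec_raw)
    hdr[:2] = b"MZ"
    pe = 0x40
    struct.pack_into("<I", hdr, 0x3C, pe)
    hdr[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, pe + 6, 1)        # one section
    struct.pack_into("<H", hdr, pe + 20, 240)     # PE32+ optional header size
    opt = pe + 24
    struct.pack_into("<H", hdr, opt, 0x20B)       # PE32+ magic
    struct.pack_into("<II", hdr, opt + 112 + 8, sec_rva if dlls else 0, len(body))
    sec = opt + 240
    hdr[sec:sec + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(body), sec_rva, len(body), sec_raw)
    return bytes(hdr) + bytes(body)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample_pe(["kernel32.dll"], b"OpenSSL 1.1.1k")
    print(check_openssl_linking(blob))
```

Running it without arguments classifies a constructed sample containing a version string but no OpenSSL import as `static`; pass a path to check a real build output. The regex and marker list are heuristics: a binary that merely embeds a version string (for example a user agent) would be flagged, which is why the rule's import check and the code-pattern signal matter as corroboration.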