Abstract: This paper discusses the process of applying code audit to analyze vulnerabilities in the OpenSSL source code and proposes specific fixing advice for OpenSSL. Source-level analysis mainly comprises data flow analysis, dynamic taint analysis and the path constraint solving proof method, among others. Because each code audit technique applies formal analysis to the software architecture based on its own security requirements, these techniques usually work well in particular scenarios but lack universality. When auditing important, mature projects such as Linux and Xen, it can even be impossible to exploit vulnerabilities efficiently using these code audit techniques because of their high false rate. In this case, different code audit techniques are used in combination, together with a new method of defining security attributes from the bottom up, to improve the accuracy of the software security requirements description and to avoid defects in its audit. These methods increase audit efficiency, reduce false positives and carry out deep vulnerability exploitation while retaining the advantage of code audit's high degree of automation.