LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

Plugging into GCC

LWN.net Weekly Edition for October 2, 2008

Ubuntu debuts its Upstream Report

openSUSE and the distribution of proprietary software

LPC: What's happening with webcams

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

This is a type error

This is a type error

Posted Mar 9, 2007 3:32 UTC (Fri) by pimlott (guest, #1535)
Parent article: GnuPG signed message spoofing vulnerability

I have been tempted to post this response to many of the LWN security features, and it's kind of a rant, so I'm going to get it off my chest and not bring it up again. But I emphasize that it applies equally to a wide range of flaws, certainly to most cross-site scripting, SQL (or other sub-language) injection, command-line injection (like the Solaris telnet embarrassment), PHP variable insertion, and format string vulnerabilities. If developers were more aware of it, we might wipe out whole classes of problems that plague computer security today. (How's that for hype?)

This is a type error! Any reasonable type system, applied with a modicum of thought, would have prevented this flaw. Specifically, the verify function should be typed either to take a packet and return an output plus status, or to take a list of packets and return a list of outputs plus statuses (or something like that). If this were done, not only would the proper usage be more clear, but incorrect usage would fail harmlessly! But since gpg follows the unix approach of blob in, blob out, there's no way to catch the misuse.

The obvious objection is that gpg is a command-line interface, for sound technical reasons, so it can't be typed. We can imagine ways around this: Types could be added informally as documentation. This alone would clarify things for both gpg developers and users. Going further, the input and output could have an explicitly typed format that is checked when parsing. It breaks with tradition, but new thinking is called for here.

The fact that we use so many untyped (or badly typed) interfaces is a serious problem, causing us a whole lot of grief. We should recognize this, point it out when preventable flaws are discovered, and work to make typed interfaces more widely available and used. (Anybody following the next section of LWN knows that this approach is being applied to Linux with great results; too bad there aren't more Al Viros to go around.)

(Log in to post comments)

This is a type error

Posted Mar 9, 2007 6:45 UTC (Fri) by njs (subscriber, #40338) [Link]

Sing it, sibling!

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds