This is a type error
Posted Mar 9, 2007 3:32 UTC (Fri) by pimlott
Parent article: GnuPG signed message spoofing vulnerability
I have been tempted to post this response to many of the LWN security features, and it's kind of a rant, so I'm going to get it off my chest and not bring it up again. But I emphasize that it applies equally to a wide range of flaws, certainly to most cross-site scripting, SQL (or other sub-language) injection, command-line injection (like the Solaris telnet embarrassment), PHP variable insertion, and format string vulnerabilities. If developers were more aware of it, we might wipe out whole classes of problems that plague computer security today. (How's that for hype?)
This is a type error! Any reasonable type system, applied with a modicum of thought, would have prevented this flaw. Specifically, the verify function should be typed either to take a packet and return an output plus status, or to take a list of packets and return a list of outputs plus statuses (or something like that). If this were done, not only would the proper usage be more clear, but incorrect usage would fail harmlessly! But since gpg follows the unix approach of blob in, blob out, there's no way to catch the misuse.
The obvious objection is that gpg is a command-line interface, for sound technical reasons, so it can't be typed. We can imagine ways around this: Types could be added informally as documentation. This alone would clarify things for both gpg developers and users. Going further, the input and output could have an explicitly typed format that is checked when parsing. It breaks with tradition, but new thinking is called for here.
The fact that we use so many untyped (or badly typed) interfaces is a serious problem, causing us a whole lot of grief. We should recognize this, point it out when preventable flaws are discovered, and work to make typed interfaces more widely available and used. (Anybody following the next section of LWN knows that this approach is being applied to Linux with great results; too bad there aren't more Al Viros to go around.)
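The blob-in, blob-out versus typed-result contrast the comment draws, as an added Python model (not GnuPG code and not written by the commenter): the packet, signer and status names are constructed stand-ins for gpg's message packets and status lines, not gpg's real format.

```python
"""Toy model of a verifier whose result is an untyped blob versus one
whose result pairs every piece of output with its own status.
Constructed example; packet and status names are stand-ins, not gpg's."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    data: bytes
    signer: Optional[str]  # None: no signature covers this packet


def check_signature(signer: Optional[str]) -> str:
    """Toy signature check: only the one known key yields GOODSIG."""
    if signer is None:
        return "UNSIGNED"
    return "GOODSIG" if signer == "alice@example.org" else "BADSIG"


def verify_blob(packets: List[Packet]) -> Tuple[bytes, str]:
    """Untyped shape: all plaintext concatenated, one overall status.
    The single status cannot say which bytes it actually covers."""
    out = b"".join(p.data for p in packets)
    statuses = [check_signature(p.signer) for p in packets]
    overall = "GOODSIG" if "GOODSIG" in statuses else "FAIL"
    return out, overall


@dataclass(frozen=True)
class Verified:
    data: bytes
    status: str


def verify_typed(packets: List[Packet]) -> List[Verified]:
    """Typed shape: each packet's output carries its own status."""
    return [Verified(p.data, check_signature(p.signer)) for p in packets]


def trusted_text(results: List[Verified]) -> bytes:
    """A consumer of the typed result can only accept GOODSIG data;
    there is no way to pick up unsigned bytes by accident."""
    return b"".join(r.data for r in results if r.status == "GOODSIG")


# Constructed sample message: one signed packet, then an unsigned packet
# appended after the signature (the spoofing case the article describes).
SAMPLE = [
    Packet(b"Meeting moved to 3pm.\n", "alice@example.org"),
    Packet(b"Also, wire the deposit today.\n", None),
]
```

With the blob shape the appended unsigned line arrives under the same GOODSIG status as the signed one; with the typed shape it is returned as UNSIGNED and the consumer drops it.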