|
|
Log in / Subscribe / Register

The OpenSSL "heartbleed" vulnerability

[Posted April 7, 2014 by corbet]

This page has extensive information on CVE-2014-0160, an information disclosure vulnerability in OpenSSL otherwise known as the "heartbleed bug." "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users." See also this OpenSSL advisory; version 1.0.1g contains the fix.
to post comments

The OpenSSL "heartbleed" vulnerability

Posted Apr 7, 2014 22:20 UTC (Mon) by drag (guest, #31333) [Link] (37 responses)

Ouch. That's a mean one. Time to update.. uh.. everything.

The OpenSSL "heartbleed" vulnerability

Posted Apr 7, 2014 22:21 UTC (Mon) by thoughtpolice (subscriber, #87455) [Link] (2 responses)

And don't forget to revoke your old certificates which were possibly stolen, either!

The OpenSSL "heartbleed" vulnerability

Posted Apr 7, 2014 22:27 UTC (Mon) by drag (guest, #31333) [Link]

That's part of 'everything'. Including pretty much all my passwords. I don't really keep very good track of this stuff. :(

Luckily I use mod_nss for my own personal web servers since I find it easier to use then OpenSSL. However there are lots of things that can't use it.

Oh well. So it goes.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 11:20 UTC (Tue) by fuhchee (guest, #40059) [Link]

... and switch to new private keys too.

The OpenSSL "heartbleed" vulnerability

Posted Apr 7, 2014 22:41 UTC (Mon) by nix (subscriber, #2304) [Link] (33 responses)

For a change, SSH is unaffected, since this is an SSL/TLS-layer bug, not a core crypto code bug.

For those of us not running important stuff on SSL, and only *using* a vulnerable library to connect via SSL, I don't think there's much we can do other than change any important passwords and pray. It's not like I *can* change e.g. the passwords used for my online banking, which if I connected to a well-enough-done fake banking site via, say, a DNS spoof, might have snooped my passwords: in one case the bank requires a paper letter to do it and promises only to implement the change within a month, and in another case only the bank can initiate a change (!)... so I think I'll just do what everyone else is likely doing, which is to deploy a fixed OpenSSL everywhere I can get to and just hope like hell.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 7:00 UTC (Tue) by oseemann (subscriber, #6687) [Link] (32 responses)

Simply installing the openssl update is not sufficient.

Keep in mind that you have to restart the services that are using openssl, because a copy of the shared library code resides in the address space of the processes that load it.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 7:50 UTC (Tue) by epa (subscriber, #39769) [Link] (31 responses)

...which is why the much-maliged "restart to finish installing updates" model used by Windows has something going for it. It is hard to be certain that an old, vulnerable piece of code has stopped running. The kernel could help by letting you track whether there are still open filehandles to a file (even once it has been unlinked from the directory tree) and whether any processes that previously opened that file (including as a shared library) are still running. Then package managers could make some attempt to fully upgrade away from a vulnerable library by restarting services, and if that isn't sufficient prompting the user to reboot.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 8:00 UTC (Tue) by moltonel (subscriber, #45207) [Link] (12 responses)

> The kernel could help by letting you track whether there are still open filehandles to a file (even once it has been unlinked from the directory tree) and whether any processes that previously opened that file (including as a shared library) are still running.

`lsof /usr/lib/libssl.so.1.0.0` will do exactly that. After you have updated, restart any of the programs listed by that command.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 9:52 UTC (Tue) by mgedmin (guest, #34497) [Link] (11 responses)

No. lsof /usr/lib/libssl.so.1.0.0 will show processes that already use the new version.
To see processes that are using the old, deleted file, use lsof|grep /usr/lib/libssl.so.1.0.0 and pay attention to inode numbers.

(On some of my Ubuntu 12.04 servers the FD column of lsof output said 'DEL' for old openssl and 'mem' for new. On other -- virtual -- servers lsof prefixed the filename with '(deleted)'.)

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 11:09 UTC (Tue) by moltonel (subscriber, #45207) [Link]

You did well to clarify. But I expected the command to be run before the update, not after.

While we're clarifying, the library is not always located there, so beware of false negatives. Your Distro May Vary.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 13:11 UTC (Tue) by Seegras (guest, #20463) [Link]

grep -l 'libssl.*deleted' /proc/*/maps | tr -cd 0-9\\n | xargs -r ps u

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 13:33 UTC (Tue) by furlongm (subscriber, #34572) [Link] (2 responses)

Ubuntu/Debian also have the checkrestart utility which should give you all the information you need about services that need restarting after any upgrade. It's part of the debian-goodies package.

The OpenSSL "heartbleed" vulnerability

Posted Apr 9, 2014 20:55 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link] (1 responses)

Fedora has needs-restart command which serves the same purpose. It is part of yum-utils package which is typically installed by default.

The OpenSSL "heartbleed" vulnerability

Posted Apr 9, 2014 20:56 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link]

Err.. That should be needs-restarting.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 14:14 UTC (Tue) by flussence (guest, #85566) [Link] (5 responses)

I've been in the habit of running `lsof -n | grep deleted` after every package manager update to flush out stale libraries. It *usually* works well.

This time however, it came back blank on 2 different servers. I'm suspecting some change in the 3.13 kernel confused lsof's deleted-inode check, but whatever the cause it led to some late-late-night headaches.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 15:55 UTC (Tue) by mgedmin (guest, #34497) [Link] (4 responses)

Looks like lsof now reports deleted files by printing "DEL" in the "FD" column.

I didn't notice when this started happening.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 21:48 UTC (Tue) by ABCD (subscriber, #53650) [Link]

If I remember correctly, how lsof reports deleted files depends on both how the file was opened and how the file was deleted. I recall seeing (deleted) after the file name, (deleted) after the name of a file that had been renamed (via rename(2)) to the file that was actually opened (after the old file was opened, that is), and DEL in the FD column on different lines of the same output from the same run of lsof.

The OpenSSL "heartbleed" vulnerability

Posted Apr 9, 2014 4:01 UTC (Wed) by geuder (subscriber, #62854) [Link] (2 responses)

In Debian and derivals I run sudo lsof | grep "DEL\|deleted". Libraries are often DEL, executables are often (deleted), haven't understood the full rule behind it, nor am I 100% sure whether one could miss something. Fuse filesystems certainly, but maybe not many will have system libraries on fuse. But depending on the machine it gives you screenfuls of uninteresting stuff, so cautiously piping through a couple of grep -v might still be necessary.

SUSE always warns if anything deleted is in use and sudo zypper ps shows what it is. Not sure how well you can trust the results to be really complete in every wicked case.

The OpenSSL "heartbleed" vulnerability

Posted Apr 9, 2014 15:21 UTC (Wed) by wookey (guest, #5501) [Link] (1 responses)

I just discovered the 'checkrestart' tool in debian-goodies package which is extremely handy for telling you about all the programs running using libraries which have since been upgraded.

One of those tools you wish someone had told you about a decade ago.

Presumably Debian's insistence that openssl is not GPL-compatible reduces the exposure (to this bug) a little, because more services will be using nss and gnutls instead? A small crumb of aid in this mess.

The OpenSSL "heartbleed" vulnerability

Posted Apr 10, 2014 18:26 UTC (Thu) by nix (subscriber, #2304) [Link]

Yes, but that just meant you were bitten by the gnutls bug a few weeks ago. Nobody's coming out ahead in this :/

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 9:22 UTC (Tue) by diegor (subscriber, #1967) [Link] (6 responses)

In debian, but I suppose also in other distribution, installing library often require impacted services to be restarted automatically, without requiring to restart the whole server.

If you in doubt of old or deleted file still in use, you can use the old good lsof command.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 9:44 UTC (Tue) by viiru (subscriber, #53129) [Link] (3 responses)

> In debian, but I suppose also in other distribution, installing library
> often require impacted services to be restarted automatically, without
> requiring to restart the whole server.

In Debian this is done for pam and nss, no other libraries to my knowledge and certainly not OpenSSL.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 15:11 UTC (Tue) by edmonds42 (guest, #42670) [Link] (1 responses) 

openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Enable checking for services that may need to be restarted
  * Update list of services to possibly restart

 -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 08 Apr 2014 10:44:53 +0200

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 23:35 UTC (Tue) by JoeF (guest, #4486) [Link]

Yes, they updated that.
The 1.0.1e-2+deb7u5 update didn't restart anything.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 15:53 UTC (Tue) by bpeebles (subscriber, #70111) [Link]

On my wheezy boxes, updating libssl prompted me to restart services using it (including nginx, Apache, ntp, and exim)

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 10:47 UTC (Tue) by Thue (guest, #14277) [Link]

On my Ubuntu 12.04 server, Apache was not automatically restarted, and using an online tester still showed as vulnerable until I manually restarted it.

The OpenSSL "heartbleed" vulnerability

Posted Apr 11, 2014 15:24 UTC (Fri) by ruairi_tokyo (guest, #3652) [Link]

If you monitor your systems with nagios/icinga there is a plugin called check_libs which returns a warning/error if any running processes are using old libs that have been updated...

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 10:59 UTC (Tue) by ms (subscriber, #41272) [Link] (5 responses)

> ...which is why the much-maliged "restart to finish installing updates" model used by Windows has something going for it. It is hard to be certain that an old, vulnerable piece of code has stopped running.

A properly set up NixOS installation would automatically restart the necessary services because the chain of dependencies from what's running back to libssl is known. Thus this issue isn't so much a linux issue as a distribution issue.

The OpenSSL "heartbleed" vulnerability

Posted Apr 9, 2014 12:18 UTC (Wed) by epa (subscriber, #39769) [Link] (4 responses)

Right. So NixOS combines the best of both approaches - you can be certain the vulnerable code is no longer running, but you don't have to do a hard restart.

My point is that given the choice between the brute force approach of rebooting the whole machine, and the current dominant Linux attitude of just updating the filesystem, you shouldn't assume that the latter is superior. If all Linux distributions were like NixOS then the problem would be solved.

But, BTW, will NixOS also handle running programs that link to libssl yet aren't packaged as part of the distribution?

The OpenSSL "heartbleed" vulnerability

Posted Apr 9, 2014 12:35 UTC (Wed) by ms (subscriber, #41272) [Link] (3 responses)

> But, BTW, will NixOS also handle running programs that link to libssl yet aren't packaged as part of the distribution?

If you have a running program which is in some way generated by a "nix expression" then yes, that'll be handled (assuming when you do the openssl/libssl update, your custom expression is in scope).

Yes, you could say this amounts to packaging up everything you want to run with nix expressions, that is certainly true. OTOH, building a package with nix is vastly easier than building debs/rpms (not that I'm suggesting those are the only alternatives) as you have a dedicated language with built-in support for building (and even more importantly, composing) packages.

So yes, if you want nix to help you, you have to talk to nix on its own terms. But those terms turn out to be rather less onerous than most other linux packaging mechanisms.

The OpenSSL "heartbleed" vulnerability

Posted Apr 9, 2014 14:24 UTC (Wed) by mpr22 (subscriber, #60784) [Link] (2 responses)

OTOH, building a package with nix is vastly easier than building debs/rpms

I find it very hard to believe this statement, because I have recently built a Debian package, and it was really quite easy.

The OpenSSL "heartbleed" vulnerability

Posted Apr 9, 2014 15:19 UTC (Wed) by moltonel (subscriber, #45207) [Link] (1 responses)

> I have recently built a Debian package, and it was really quite easy.

YMMV. It can get cimplicated and hairy very quickly. And even the simplest package requires a lot of boilerplate. I maintain a handfull of debian packages for work, and they're a pain.

Compare that to Gentoo packages for example: a single ~15-lines file in the right folder, one command to register/check the file, and you're done. Package created. Complex packages don't bring more complexity than you'd have if installing by hand. It's easy enough that it doesn't feel like a drag to create a package for random stuff you want to install.

The OpenSSL "heartbleed" vulnerability

Posted Apr 9, 2014 16:07 UTC (Wed) by mpr22 (subscriber, #60784) [Link]

debian/rules (the part liable to cause significant pain) is a three-liner for the things I've made packages of, because they have well-behaved configure scripts and Makefiles. I find myself wondering what the things you've been packaging are doing messily.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 14:02 UTC (Tue) by drag (guest, #31333) [Link] (1 responses)

> "restart to finish installing updates" model used by Windows has something going for it.

It's a huge hammer that smooths out a unknowably large amount of issues.

Linux users really shouldn't turn their noses up at such simple and effective solutions. Especially when it comes to updating core system libraries.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 17:58 UTC (Tue) by rahvin (guest, #16953) [Link]

The thing is the OSSL team recommends a restart just in case you miss a service that's still loaded using the old library because the severity of this error allows someone to read out your entire memory in chunks.

Unless you have a system that absolutely cannot be restarted because of downtime you should just do a shutdown -r now after the update and be done with it. It's just a couple minutes to guarantee you aren't running the old library and it would probably take far longer to pick through inodes to find everything linked.

It's one doozy of an error.

The OpenSSL "heartbleed" vulnerability

Posted Apr 9, 2014 18:01 UTC (Wed) by mbt (guest, #81044) [Link] (2 responses)

That "restart to finish updates" thing in Windows doesn't happen every time you update something! If an update does not require replacing an in-use file (executable or not), the update goes through without requring a restart. The thing is that it usually happens that the update really *is* replacing an opened file, so "reboot-reboot" is a song that Windows users often have to sing.

The difference between Windows and Linux in this regard comes for the different ways they treat open files--not because of the inherent design of the update process. In Windows, opened files are locked from deletion, but in Linux, it is perfectly acceptable to have an inode's link count go to zero while a file is still open.

Still, for a serious systemic bug like that heartbleed bug, we would be well do do that reboot.

The OpenSSL "heartbleed" vulnerability

Posted Apr 9, 2014 19:24 UTC (Wed) by dlang (guest, #313) [Link] (1 responses)

> That "restart to finish updates" thing in Windows doesn't happen every time you update something!

it used to. I believe that's what was being referred to.

The OpenSSL "heartbleed" vulnerability

Posted Apr 10, 2014 10:01 UTC (Thu) by chojrak11 (guest, #52056) [Link]

>> That "restart to finish updates" thing in Windows doesn't happen every time you update something!
> it used to. I believe that's what was being referred to.

These times are long gone with Windows 98. I remember rebooting after changing network adapter's IP address.I also remember reinstalling 98 as the quickest and easiest troubleshooting tool :-) Now restarts are rare, they're needed mostly to update files that are locked by running processes. As somebody already mentioned, in Windows locked files cannot be deleted or moved to different directory, and sometimes they cannot be renamed. Windows version >= XP/2003 uses technique similar to ldd/lsof to find processes that keep locks to a file. So you know that if you can delete the library file, you can be sure that it is no longer being used, and after replacing the file, buggy code won't execute anymore. Thus, this filesystem locking semantic is not that bad :-)

The OpenSSL "heartbleed" vulnerability

Posted Apr 7, 2014 23:38 UTC (Mon) by yokem_55 (subscriber, #10498) [Link]

This one might be more aptly called "gutpunch". Ugh.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 1:31 UTC (Tue) by csamuel (✭ supporter ✭, #2624) [Link] (6 responses)

Debian bug for this CVE filed and fixed in 36 minutes.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 4:02 UTC (Tue) by garrison (subscriber, #39220) [Link] (5 responses)

But yet I don't see those versions at https://packages.debian.org/sid/openssl . How should Debian users upgrade ASAP?

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 4:11 UTC (Tue) by mtaht (guest, #11087) [Link]

I did an update of the beaglebone black (armhf) a few minutes back and a backported patch was in there. At least, it was in the source package...

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 4:33 UTC (Tue) by csamuel (✭ supporter ✭, #2624) [Link] (2 responses)

I don't know about 'sid' but Wheezy packages are already on the mirrors. We upgraded the few of ours that were affected (not publicly visible) from the Australian mirrors this morning.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 6:15 UTC (Tue) by lambda (subscriber, #40735) [Link]

Unstable (sid) and testing (jessie) don't get security updates.

That means that while the new package may be uploaded and accepted into the archive, it may take a day or more for it to propagate to your mirror via the normal mirroring process. Security updates go through an expedited rollout and mirroring process, but that doesn't apply to testing and unstable.

If you want to find it as soon as possible, and you're on Jessie or Sid, it's probably best to look at the push-primary mirrors, like mirrors.kernel.org. If you normally update from something like ftp.us.debian.org, you may get directed to a push-secondary or leaf mirror, which may not update as often.

For stable releases, you can pull from security.debian.org which will direct you to an up-to-date repository that bypasses the normal mirroring process. For testing/unstable, be prepared to hunt around a little before you can find a mirror that's up to date.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 18:00 UTC (Tue) by rahvin (guest, #16953) [Link]

Wheezy packages were available at 7:30am Mountain this morning as that's when I updated my server. I believe they went live sooner than that.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 8:32 UTC (Tue) by job (guest, #670) [Link]

It lists them now.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 7:07 UTC (Tue) by gvegidy (guest, #5063) [Link] (3 responses)

The heartbleed.com site has nice information. But one question is not answered: can clients be attacked by a malicous server or can only servers be attacked by malicous clients?

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 7:34 UTC (Tue) by TRS-80 (guest, #1804) [Link]

I saw elsewhere (reddit?) that clients can be attacked by malicious servers. Fortunately most browsers don't use OpenSSL (Android does has heartbeat disabled), CLI programs OTOH are likely a problem.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 8:08 UTC (Tue) by moltonel (subscriber, #45207) [Link] (1 responses)

> When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.

Anybody can connect to anybody, steal the private key, decode past and present streams, and impersonate (either to perform a man in the middle or simply to get authenticated).

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 8:38 UTC (Tue) by Otus (subscriber, #67685) [Link]

> decode past and present streams

Only those past streams using a cipher suite without forward secrecy. With forward secrecy past streams will remain undecodable and even present/future streams will require a man-in-the-middle attack if you only know the long term key.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 7:48 UTC (Tue) by ibukanov (subscriber, #3942) [Link]

This could be one of the most costly software bugs so far. And it will be end-users, even those with expensive support contracts, not vendors, who pay the price.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 7:59 UTC (Tue) by marcH (subscriber, #57642) [Link] (26 responses)

Can't help but think of this: "OpenSSL is written by monkeys"
https://www.peereboom.us/assl/assl/html/openssl.html

"It is, bar none, the worst library I have ever worked with. I can not believe that the internet is running on such a ridiculous complex and gratuitously stupid piece of code."

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 9:58 UTC (Tue) by mgedmin (guest, #34497) [Link] (4 responses)

Ironically that site uses a self-signed SSL certificate.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 15:22 UTC (Tue) by drag (guest, #31333) [Link] (3 responses)

Right, because without Verizon's seal of approval how else am I suppose to know that the website I am randomly using read-only is secure or not?

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 19:25 UTC (Tue) by dlang (guest, #313) [Link] (2 responses)

well, why are you bothering with encryption if it's read-only?

If you care enough to encrypt, why don't you care enough to know that you aren't talking to a MITM that's decrypting everything?

The OpenSSL "heartbleed" vulnerability

Posted Apr 9, 2014 2:32 UTC (Wed) by drag (guest, #31333) [Link] (1 responses)

> well, why are you bothering with encryption if it's read-only?

I haven't the foggiest.

I expect that, like me, the guy uses his own private CA for stuff. I find it very valuable to create my own CA for my own personal websites. It won't mean much to anybody else, but for everybody else everything is read-only.

> If you care enough to encrypt, why don't you care enough to know that you aren't talking to a MITM that's decrypting everything?

Getting a public CA to sign a cert really doesn't guarantee that. At least not very well any more. Too many 'trusted' CAs.

It's certainly better then nothing, but why care about a website like this? If he wanted my credit card information I wouldn't give it to him even if it was a legit cert.

The OpenSSL "heartbleed" vulnerability

Posted Apr 9, 2014 2:35 UTC (Wed) by drag (guest, #31333) [Link]

> I haven't the foggiest.

Well actually now that I think about it.

Using https is a good way to be able to read the memory of every computer that connects to your webserver. At least for the time being.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 10:04 UTC (Tue) by nmav (guest, #34036) [Link] (13 responses)

There will always be someone on the internet bashing any project (and doing nothing to improve it).

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 10:33 UTC (Tue) by marcH (subscriber, #57642) [Link] (12 responses)

Just for the record: this is far from being the only such comment about OpenSSL. It maybe the only one trying to be vaguely funny but definitely not the only one over all.

In fact, if you search for this one you'll find plenty of other, informed-looking comments.

My (very limited) experience goes in the same direction.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 11:01 UTC (Tue) by ms (subscriber, #41272) [Link] (11 responses)

I understand there is a fair amount of work going on to refactor and clean the library up.

Arguably though, the world needs to move on from crypto protocols designed in the 90s.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 11:18 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (10 responses)

That depends. Encryption and signature algorithms are OK - we have somewhat better ciphers now (like Curve25529 family) but RSA is still good.

Everything else, though, is a stinking mess. Certificate management is a black art - nobody knows how to parse ASN.1, TLS/SSL are stupidly complicated and are also built on top of ASN.1

A simple session negotiation algorithm with simple signed JSON documents for certificates is sorely needed.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 11:22 UTC (Tue) by ms (subscriber, #41272) [Link]

> A simple session negotiation algorithm with simple signed JSON documents for certificates is sorely needed.

Quite. The hilarious fact is that right now, if you're writing some software and you want crypto between agents across networks and you use something like libsodium and don't need any sort of interop with historical clients, then you're more likely to get it right, than if you use openssl!

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 13:13 UTC (Tue) by moltonel (subscriber, #45207) [Link] (7 responses)

ASN.1 isn't that bad, really. And it performs a lot of validation that would be very error-prone to do for json (on top of having to be reimplemented by all users). And it can be smaller and more performant too. If you're looking for something modern and similar, protobuf is a much better bet than json (although not a necessity IMHO).

What really could be simplified is the grammar, which is indeed more complex than necessary. But please don't confuse a message's grammar and its serialisation.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 13:19 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (4 responses)

Speed of JSON parsing is more than sufficient even for high-traffic websites. And because it's so simple and human-readable, its benefits far outweigh its performance hit.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 14:07 UTC (Tue) by moltonel (subscriber, #45207) [Link] (3 responses)

I agree that parsing speed is just a nice bonus, not the main argument (but I suspect Google would disagree, seeing the amount of connection time optimisation work they did).

Similarly, packet size is just a bonus. I have yet to see any serialization beat ASN.1 UPER with a well-thought grammar, but the difference with protobuf for example is minimal.

The main argument is that with ASN.1, a huge amount of validation comes for free. You know that this integer won't overflow its grammar-imposed bounds. Or that this sequence contains all the required fields.

You can do all the same checks with a grammar-less format like json, but you're duplicating code, adding bugs, and running yet again slower. I've witnessed first-hand the amount of extra work needed on a project that was designed with protobuf in mind and later changed to use msgpack. We had valid reasons for the change, but were not happy about it.

Json is the best tool for many jobs out there. But for a security-focused protocol the whole Internet depends on... I'll pass.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 14:31 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

A JSON-encoded certificate should only need a handful of fields, validating them by hand is not a problem. And as far as I remember, there were several critical bugs in ASN.1 validation code itself in Windows SSL and in OpenSSL.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 14:50 UTC (Tue) by moltonel (subscriber, #45207) [Link] (1 responses)

I'd be very happy to see a simple grammar for certificates and PKI gain some ground, but I'm not holding my breath. I fear that'll never happen (since there are so many actors with their pet use cases), but I'd love to be proven wrong.

A critical validation bug is just as bad for json as it is for asn1. The hope is that in the case of asn1, more validation code is shared between projects and therefore audited.

I won't pretend that asn1 is a panacea. It is warty and designed by comitee. Some parts of it are stupidly complicated. But it still has compelling advantages over json for this use case. Push for thrift or protobuf instead, and it'll be a more interesting debate.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 19:54 UTC (Tue) by Lennie (subscriber, #49641) [Link]

If you like the flexibility of JSON and want more efficiency there is also:

http://bsonspec.org/

Never used it personally, so I can't judge it.

The OpenSSL "heartbleed" vulnerability

Posted Apr 9, 2014 1:33 UTC (Wed) by ras (subscriber, #33059) [Link] (1 responses)

There is no real comparison between ASN.1 and JSON. ASN.1 is a schema + multiple representations. There isn't a JSON representation for ASN.1, but there could be.

One ASN.1 representation particularly suited to crypto is DER, which allows only one way to write a given data structure. JSON doesn't have anything remotely equivalent.

Ironically OpenSSL doesn't enforce DER rules when reading DER. This was one of the sources of bitcoin's malleability problems.

The OpenSSL "heartbleed" vulnerability

Posted Apr 9, 2014 2:51 UTC (Wed) by mjg59 (subscriber, #23239) [Link]

OpenSSL's flexibility with regard to DER parsing was a necessary part of a Secure Boot vulnerability[1]. I remain unimpressed.

[1] fixed before (as far as I know) anyone actually shipped it. Short version: a correctly malformed certificate would be validated by OpenSSL, but would trigger a fallback case that returned True even if the chain of trust didn't exist because the support code assumed that the certificate would be represented in the shortest possible form. You did need 4GB of RAM for it to work, but...

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 16:45 UTC (Tue) by jhoblitt (subscriber, #77733) [Link]

FYI - The IETF is currently working on several json pki and signed json messages standards.

A few examples:

http://tools.ietf.org/html/draft-miller-jose-pkix-key-01
http://tools.ietf.org/html/draft-ietf-jose-json-web-signa...

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 12:16 UTC (Tue) by danielpf (guest, #4723) [Link] (4 responses)

>> Can't help but think of this: "OpenSSL is written by monkeys"

After Edgard Snowden one has to be suspicious of malice first, not stupidity.


The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 15:37 UTC (Tue) by drag (guest, #31333) [Link]

Unfortunately human stupidity knows no bounds.

In then end, however... when maliciousness and incompetence become indistinguishable then so do the consequences in the long run. Eventually it will become malicious unless corrected.

The OpenSSL "heartbleed" vulnerability

Posted Apr 10, 2014 7:40 UTC (Thu) by marcH (subscriber, #57642) [Link] (2 responses)

> After Edgard Snowden one has to be suspicious of malice first, not stupidity.

Surprisingly, greed is always missing in this comparison, even though it's probably the most common cause.

" Ship it, ship it, ship it,...
- But... it's missing two important features, no code review happened yet, and we have 5 bugs without any root cause yet?"
- I don't care, ship it, ship it, ship it..."

The OpenSSL "heartbleed" vulnerability

Posted Apr 10, 2014 14:54 UTC (Thu) by mpr22 (subscriber, #60784) [Link]

That behaviour pattern is what I tend to think of as "stuevilpid".

The OpenSSL "heartbleed" vulnerability

Posted Apr 10, 2014 16:37 UTC (Thu) by madscientist (subscriber, #16861) [Link]

This happens, to be sure, but it's not always so straightforward. There's also the fact that the new version, while it does have known bugs, is still far better in important ways than the currently-released version. Do you sentence your users to old broken software rather than release newer, better, but still somewhat broken software? Software is NEVER done, so if you always wait for everything to be fixed you never get the next release out there.

Choosing when to release software is a balancing act, not an absolute line.

However I do agree that you should never release before code reviews are complete :-).

The OpenSSL "heartbleed" vulnerability

Posted Apr 10, 2014 4:56 UTC (Thu) by russell (guest, #10458) [Link] (1 responses)

ridiculous complex and gratuitously stupid is a pre-requisite for adoption. Have you seen HTML and javascript ???

The OpenSSL "heartbleed" vulnerability

Posted Apr 11, 2014 6:36 UTC (Fri) by mathstuf (subscriber, #69389) [Link]

Hmm? Those are easy! Just look at what you can throw at them and still have it work (especially HTML). For JS, just use fuckit.js and all your problems just go away ;) .

yet another proof...

Posted Apr 8, 2014 11:29 UTC (Tue) by HelloWorld (guest, #56129) [Link] (164 responses)

... that secure software cannot be written in C, period. It's time that people grok that and stop using it.

yet another proof...

Posted Apr 8, 2014 11:49 UTC (Tue) by job (guest, #670) [Link] (71 responses)

A lot of well written software by disciplined authors, such as postfix and qmail, disagree with you.

Many modern languages include runtimes or large standard libraries which you have historically been much worse off using. Sometimes the devil you know is better than the one you don't...

yet another proof...

Posted Apr 8, 2014 12:10 UTC (Tue) by aggelos (subscriber, #41752) [Link]

A lot of well written software by disciplined authors, such as postfix and qmail, disagree with you.
Yes, we can all rely on people being infallible (and then blame the programmers when they mess up) or we can decide that a language needs to be memory safe, which means one only needs to get things right in one place (namely, the compiler). Doesn't the latter seem more like sound engineering to you too?
Many modern languages include runtimes or large standard libraries which you have historically been much worse off using. Sometimes the devil you know is better than the one you don't...
I don't see how the standard library being large makes a difference here. What matters is the safety of the parts of it you make use of, no? Also, I think your skepticism regarding the runtime is not warranted. After all, by using a memory safe language and trying to minimize the number of unsafe libraries in use, you eliminate a large class of serious bugs from most parts of the codebase you rely on. Sure, there can be such bugs in the language runtime, but in the end the amount of code that might introduce such bugs is still way smaller (for reasonably-sized programs).

yet another proof...

Posted Apr 8, 2014 12:18 UTC (Tue) by HelloWorld (guest, #56129) [Link] (69 responses)

> A lot of well written software by disciplined authors, such as postfix and qmail, disagree with you.
It's *not* a lot. It's maybe 1 in 100 or 1 in 1000 programs written that carfully. We know Linux isn't, and we now know that one of the most security-critical libraries isn't. And people like you who *still* refuse to acknowledge reality are part of the problem.

yet another proof...

Posted Apr 8, 2014 12:40 UTC (Tue) by anselm (subscriber, #2796) [Link] (8 responses)

OK, so there's a problem. Great. Who is going to write an MTA in a »secure« language that is at least as secure, flexible, standards-compliant, and high-performing as Postfix, and when is it going to be ready?

yet another proof...

Posted Apr 8, 2014 12:52 UTC (Tue) by aggelos (subscriber, #41752) [Link] (1 responses)

You, me, everyone. Do you see an alternative? Remember, in a game of whack-a-mole, the side with the most resources wins. Making it so that programmers cannot even express whole classes of bugs, changes the playing field (it's not enough, but it's a start).

Postfix is not even that interesting (saying that with my internet-user hat on), as communication integrity, confidentiality, etc is something you would defend at the endpoints anyway. Currently, I'm more concerned about the fact that most IRC clients (even "new" ones) are still written in C or C++... Same goes for mail clients, voip software and whatnot. (Browsers need a post of their own).

yet another proof...

Posted Apr 8, 2014 20:03 UTC (Tue) by Lennie (subscriber, #49641) [Link]

Basically all mainstream browser engines are written in C++.

Mozilla is now working on Servo, written in their new Rust programming language. To make it secure and to be able to make it more parallel.

yet another proof...

Posted Apr 8, 2014 13:14 UTC (Tue) by martin.langhoff (subscriber, #61417) [Link] (2 responses)

What is this "secure language" thing people are talking about? What is its runtime/stdlib written in?

All this discussion is only sustainable while we're handwaving. The moment you name your candidate for "secure language", everyone can see the Emperor's clothing. Or not see it, I guess.

yet another proof...

Posted Apr 8, 2014 13:38 UTC (Tue) by aggelos (subscriber, #41752) [Link]

There's no such thing as a "secure" language, obviously (convenient strawman though). All the language can do is a) limit expressivity so that you can't express certain classes of bugs b) enable you to get the compiler to statically check certain properties of the program for you.

An example of the former would be things like not allowing pointer arithmetic, requiring initialization before use and the like. You know, memory safety.

The latter means you can use e.g. a powerful type system to make sure that inputs are validated, errors conditions are handled and similar, so that the compiler will not let you break your own rules. Again, this is not something that magically removes all bugs; it just means you can have tools that help you not introduce them in the first place (see also https://lwn.net/Articles/589389/).

What is its runtime/stdlib written in?

This has already been addressed, I think (https://lwn.net/Articles/593752/)

yet another proof...

Posted Apr 8, 2014 13:42 UTC (Tue) by HelloWorld (guest, #56129) [Link]

> What is this "secure language" thing people are talking about? What is its runtime/stdlib written in?
Saying that a memory-safe language is useless because the runtime is written in an unsafe language is like saying that we don't need memory protection because the kernel may have bugs.

yet another proof...

Posted Apr 8, 2014 13:39 UTC (Tue) by HelloWorld (guest, #56129) [Link] (2 responses)

So your point is that it's a good idea to write software in C because there's a really good MTA written in that language?

yet another proof...

Posted Apr 8, 2014 14:59 UTC (Tue) by anselm (subscriber, #2796) [Link] (1 responses)

It isn't necessarily a bad idea if you can pull it off. Wietse Venema apparently can. Postfix has been around for a long time and so far hasn't had significant security issues. It is also one of the fastest and most capable MTAs around. There is no apparent reason to replace Postfix with something else written in a »more secure« language, especially because somebody would have to come up with »something else« in the first place. (That somebody would not just have to be clever about security, but also clever about MTAs, and there aren't all that many people like that around.)

Which is not to say that new software shouldn't be written in a language other than C. We want authors of security-critical software to pay appropriate attention to potential security problems. If they do write their software in C (for which there may be valid reasons), they will have to pay more attention to more things than perhaps if they use some other language, so that may be a hassle. However, so far there is no »magic bullet« programming language that will make it unnecessary for people to pay any attention at all. And if people are incapable of paying appropriate attention to security problems, the language they're using isn't really that important in the end, because no matter which language they're using, their code will have problems. There really is no substitute for paying attention.

yet another proof...

Posted Apr 8, 2014 18:10 UTC (Tue) by aggelos (subscriber, #41752) [Link]

It isn't necessarily a bad idea if you can pull it off. Wietse Venema apparently can. Postfix has been around for a long time and so far hasn't had significant security issues. It is also one of the fastest and most capable MTAs around. There is no apparent reason to replace Postfix with something else written in a »more secure« language, especially because somebody would have to come up with »something else« in the first place. (That somebody would not just have to be clever about security, but also clever about MTAs, and there aren't all that many people like that around.)

Isn't this backwards? You can maybe point to a handful of nontrivial pieces of software written in C where people have at least looked for memory safety errors and no glaring ones have been found. This would be a good argument against a claim like "It's impossible to write memory-safe software in C".

However, the claim being made is closer to "C predominantly results in programs that cannot be trusted not to have memory safety violations". Exhibit A: every C program ever written, except whatever you presented above.

Note how a memory-safe language gives you a much better idea of how likely the parts of a program written in it are to contain memory safety violations. Namely, there will be none. That does not mean that execution of such code cannot lead to memory safety violations; it simply means that your auditing should focus on the programming language implementation (compiler and runtime) and whatever code you pull in.

Engineering wise, what is the responsible way to approach the problem of confidently writing software that is memory-safe?

Which is not to say that new software shouldn't be written in a language other than C. We want authors of security-critical software to pay appropriate attention to potential security problems. If they do write their software in C (for which there may be valid reasons), they will have to pay more attention to more things than perhaps if they use some other language, so that may be a hassle. However, so far there is no »magic bullet« programming language that will make it unnecessary for people to pay any attention at all.

This is such an obvious strawman, I think I can see crows around the neighborhood flying away...

And if people are incapable of paying appropriate attention to security problems, the language they're using isn't really that important in the end, because no matter which language they're using, their code will have problems. There really is no substitute for paying attention.

The objective is not to magically make subpar coders experts (though a language or framework that encourages good programming practices does help people get started in that direction).

The objective is to give competent programmers the tools that will enable them to write software that eliminates whole classes of bugs that are directly exploitable, hence, write more secure software. Some other classes of bugs are harder to eliminate, but this would still be (desperately needed) progress.

yet another proof...

Posted Apr 8, 2014 12:55 UTC (Tue) by khim (subscriber, #9252) [Link] (15 responses)

It's *not* a lot. It's maybe 1 in 100 or 1 in 1000 programs written that carfully.

So what? If you'll take a look on programs written is presumably “safe” languages like Python, Ruby or PHP the track record is similar.

One can write insecure program in any language and since security is not something people pay for we have what we have. Once language becomes popular enough most programs written in it become crap, it has nothing to do with properties of language itself.

yet another proof...

Posted Apr 8, 2014 13:25 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

Really? Most bugs in PHP or Python software are either SQL-injection bugs or much more rarely failed sanitation bugs in command-line access.

yet another proof...

Posted Apr 8, 2014 14:01 UTC (Tue) by job (guest, #670) [Link] (1 responses)

Oh, I wish. On top of all the web application bugs, where SQL injections are just the tip of the iceberg, there is an endless stream of bugs in the runtimes. PHP which you specifically mentioned has had plenty. Just look for CVE numbers in the release notes. There are still botnets exploiting the PHP-CGI bug which was around for countless years with no one bothering an audit.

Then there are all the protocol parsers available in the standard libraries of PHP/Python/Perl which may or may not be official parts of the language, but is still distributed with them (often forked and outdated versions of course). Probably every modern language with a big standard library shipped with a broken XML parser at some point (perhaps with the exception of Go, which is still quite young).

There are also all kinds of strange interaction bugs where the underlying software behaves in an unexpected way which causes problems. Just look at all the Python and Ruby software which gladly accepts code injections via YAML. Any application written in Rails over the last few years would have been bitten by these things not once but many times over. Even Github and Facebook which employs many committers to these projects have fallen over pretty much every time someone dedicates themselves to it. Google's web fronts are memory unsafe C++ and they have fared much better.

In summary: Yes, there are plenty of problems with C but there are even bigger problems with many of the proposed replacements. The answer is, as always, "it's complicated". Secure software needs a rigorous development process and someone needs to care about it, no matter what language or tools you choose.

yet another proof...

Posted Apr 8, 2014 14:19 UTC (Tue) by aggelos (subscriber, #41752) [Link]

Oh, I wish. On top of all the web application bugs, where SQL injections are just the tip of the iceberg, there is an endless stream of bugs in the runtimes. PHP which you specifically mentioned has had plenty. Just look for CVE numbers in the release notes. There are still botnets exploiting the PHP-CGI bug which was around for countless years with no one bothering an audit.

[Isn't there a Godwin's law for PHP? :-)] I don't see how that contradicts the claim that memory-safe languages are what we need to use if we want to avoid such bugs (SQL injections and the like are a different class of bugs. Incidentally, the PHP-CGI bug wasn't a memory corruption bug either).

Sure, the C runtime needs special attention. This is still a considerable impromevement versus an arms race where you have to audit a mountain of ever-evolving C code and the opponents only need one exploitable vulnerability to get what they want.

yet another proof...

Posted Apr 8, 2014 13:57 UTC (Tue) by HelloWorld (guest, #56129) [Link] (2 responses)

I don't consider Ruby, Python and especially not PHP safe languages as they lack a static type system. But a bug like the one just found in OpenSSL would be impossible there due to bounds checking. And while code execution attacks are possible via features like eval, that's nowhere near as likely as in C where every out-of-bounds array write might result in code execution.

> One can write insecure program in any language and since security is not something people pay for we have what we have. Once language becomes popular enough most programs written in it become crap, it has nothing to do with properties of language itself.
So because we might never solve the problem completely we shouldn't even try to eliminate bug classes that we've known about for 40 years? I disagree.

yet another proof...

Posted Apr 8, 2014 17:13 UTC (Tue) by martin.langhoff (subscriber, #61417) [Link] (1 responses)

oh c'mon, name at least _one_ language (and associated runtime) you consider safe. You can name the ones you don't consider safe. Name the safe ones.

If proponents can't name a language and runtime, how can the efforts to rewrite network services ever begin?

~

There is no silver bullet.

Some languages used in certain ways, paired with well-implemented runtimes will probably reduce the likelihood of some sorts of bugs, the impact of some bugs. A few improvements here, a few improvements there. Now, wny runtime you pick will have its share of nasty bugs to offset some of the gains; any set of design/code patterns will end up containing flawed patterns that need to get fixed up when you find they misfire.

yet another proof...

Posted Apr 9, 2014 14:53 UTC (Wed) by HelloWorld (guest, #56129) [Link]

http://lwn.net/Comments/593935/

yet another proof...

Posted Apr 8, 2014 14:07 UTC (Tue) by dgm (subscriber, #49227) [Link] (8 responses)

This. I can assure you I can write unsafe code in any language you gave me.

The thing is, to write secure programs you have to do it *carefully*. The language does help up to a point (doing it in assembly is a torture, for example) but only so much. And the truth is that "C" is *still* really close to the sweet spot in the trade-off of convenience/performance.

yet another proof...

Posted Apr 8, 2014 14:48 UTC (Tue) by aggelos (subscriber, #41752) [Link] (2 responses)

This. I can assure you I can write unsafe code in any language you gave me.

You cannot write memory-unsafe code in any number of memory-safe languages, except by exploiting a bug in the compiler or runtime.

The whole point is that the language limits expressivity exactly so as to be able to prove statically that your program is memory safe (which BTW is much stronger than the kind of assurances you get out of runtime tools like valgrind, which is limited by coverage as well as other factors).

I think the point being made is quite different to the one you're arguing against.

yet another proof...

Posted Apr 10, 2014 9:46 UTC (Thu) by dgm (subscriber, #49227) [Link] (1 responses)

The point being made is that C is worse than other languages for writing "safe" applications. This is false, and there are millions of security bugs in programs written in memory "safe" languages to attest it.

Safety is a function of the coder, not the language.

yet another proof...

Posted Apr 10, 2014 12:58 UTC (Thu) by HelloWorld (guest, #56129) [Link]

> The point being made is that C is worse than other languages for writing "safe" applications. This is false, and there are millions of security bugs in programs written in memory "safe" languages to attest it.
A memory safe language alone doesn't make a safe program, but saying that it's not an improvement is just as wrong a thing to say. The “millions of security bugs” you mention don't prove anything at all. In order for the number of bugs to mean anything, you need to compare it to something, like the number of bugs that would have happened had the same program been written in C, and you need to take their respective severities into account.

Besides, C not only suffers from the lack of mitigation techniques such as bounds checking, but also from its almost complete lack of powerful abstraction facilities. It's not possible to express basic algorithms and data structures in a generic, type-safe way, something that Ada did 30 years ago. So people write this stuff on their own over and over and over again because they can't sensibly reuse other peoples code and of course they're going to fuck it up!

So yes, in a certain way, I actually agree with you: safety is a function of the coder. Because a good coder chooses his tools wisely and doesn't put up with 40-year-old crap that sucked even by the standards of then (cf. Algol).

yet another proof...

Posted Apr 8, 2014 14:49 UTC (Tue) by HelloWorld (guest, #56129) [Link] (4 responses)

> And the truth is that "C" is *still* really close to the sweet spot in the trade-off of convenience/performance.
That's not only not right, it's not even wrong! Who defines what that “sweet spot” is supposed to be?

The truth is that even simple algorithms and data structures *cannot* be expressed in C in a generic and type-safe way, and instead of acknowledging that and using a decent language or at least improve C, people work around that using the preprocessor that should have been shot in the head 30 years ago. “convenient” is just about the last word I could come up with to describe C.

yet another proof...

Posted Apr 11, 2014 7:25 UTC (Fri) by dgm (subscriber, #49227) [Link] (3 responses)

Wonderful, don't use it then. Isn't it great that we have so many options to chose from?

yet another proof...

Posted Apr 11, 2014 12:24 UTC (Fri) by HelloWorld (guest, #56129) [Link] (2 responses)

Me not using it doesn't solve the problem of everybody else using it, messing it up and inflicting their broken software upon the world. I'm just trying to raise awareness and to get people to step back and realize that 40 years later, we really can do better than C.

yet another proof...

Posted Apr 14, 2014 13:55 UTC (Mon) by dgm (subscriber, #49227) [Link] (1 responses)

No language will prevent "messing it up and inflicting their broken software upon the world."

And often enough, we can hardly do better than C. Despite of 40 years of (failed) attempts, it's so darn useful.

yet another proof...

Posted Apr 14, 2014 17:29 UTC (Mon) by HelloWorld (guest, #56129) [Link]

> No language will prevent "messing it up and inflicting their broken software upon the world."
As I stated already here and elsewhere: bounds checking is a mitigation technique.

> And often enough, we can hardly do better than C.
99% of the time we can.

yet another proof...

Posted Apr 8, 2014 16:56 UTC (Tue) by madscientist (subscriber, #16861) [Link] (41 responses)

I don't see how this discussion is going anywhere. In order to be useful one can't just argue against something, one also has to argue _for_ something. No one can disagree that, _all other things being equal_, it's better to write code, especially security-related code (but really, how much code these days has NO security implications?) in a safer language than C. But that's an utterly meaningless statement since it's never the case that all other things are equal. Therefore it's a trade-off, and you can't argue about trade-offs between C and "some other better language" that's not actually defined.

I've programmed in a LOT of languages over the years and I agree that C has a lot of issues, so I'm genuinely curious what alternatives we realistically have today.

Let's please remember that the choice of language for a core _library_ like this cannot dictate that all software _using_ the library must also be rewritten in that same language. C, like it or not, is the lingua franca of programming languages: any alternative that looks to replace it must be similarly non-partisan.

yet another proof...

Posted Apr 8, 2014 18:33 UTC (Tue) by aggelos (subscriber, #41752) [Link] (40 responses)

I don't see how this discussion is going anywhere. In order to be useful one can't just argue against something, one also has to argue _for_ something. No one can disagree that, _all other things being equal_, it's better to write code, especially security-related code (but really, how much code these days has NO security implications?) in a safer language than C. But that's an utterly meaningless statement since it's never the case that all other things are equal. Therefore it's a trade-off, and you can't argue about trade-offs between C and "some other better language" that's not actually defined.

Precisely. And the tradeoff to be made needs to be discussed in the context of a specific problem. Hence, no person who is seriously looking at solving problems can just say "Oh, you should just use language X / framework Y everywhere". (Though I'm guessing it would be pretty convenient if someone did that, as then they can be pointed to some case where language X would indeed be a bad choice).

So let's talk about it in the context of a specific example. I think writing an IRC client in C these days is (figuratively) criminal. Obviously, this is an example I'm choosing to make my case :-)

Similar (although a bit weaker) arguments could be made for other kinds of programs that run on user desktops (mail client, IM client, etc) and are network-facing. The arguments would be weaker, for example, because there are existing libraries one would want to use (there are arguments against that, but I'd rather not digress).

Naturally, there are cases where the tradeoff is harder to justify. E.g. as others have pointed out, postfix is pretty low on the list of things to replace. But pretending that there are no tradeoffs to be made (as has been happening in this thread) is, to put it mildly, not useful.

yet another proof...

Posted Apr 8, 2014 19:32 UTC (Tue) by madscientist (subscriber, #16861) [Link] (39 responses)

Well, I think it's pretty clear from the topic of this article that we're not talking about IRC clients, or email clients or IM clients or whatever. Personally I couldn't give two hoots and a nickel what language my IM client is written in.

We're talking here, clearly, about system-level libraries such as openssl. The statement under consideration is that C should never be used for anything (related to security). That implies that there _is no problem space anywhere_ (related to security) where there is not a better alternative language than C. So, (and again I'm not trying to be argumentative) what languages _should_ we be considering when writing the next, more secure openssl-type library?

And, importantly, what do we have to give up to make that change?

Personally I'm in the "pox in its house" camp when it comes to openssl; I've found it a PITA every time I've had to deal with it. I would LOVE for something else to take its place and if that something is inherently more secure by virtue of being written in a "more secure" language, so much the better.

Now is the perfect time for a real conversation about this, so let's get real.

yet another proof...

Posted Apr 8, 2014 23:14 UTC (Tue) by HelloWorld (guest, #56129) [Link]

Ada is a viable alternative today. It can be called from C, doesn't need a garbage collector, GNAT is mature and well-maintained, performance is good and, most importantly, it's much safer than C.

However, in the future, I hope we'll get languages with much better compile-time guarantees. The Cyclone language employs region-based memory management and fat pointers to achieve memory safety. It also extended C in various other interesting ways (ADTs, generics and more). Unfortunately it didn't catch on and seems to be unmaintained these days. Then there's Rust, which also employs region types to manage resources. It's not yet ready for production as it's still rapidly changing, but I see a huge potential there, also because there's Mozilla behind it. There is also ATS, which features an extremely powerful type system based on linear and dependent types. It too is under heavy development. I don't see as much potential here as it's quite complicated and developed at a university (so it may well die once there are no more papers to be published), but I mention it because the type system can prove the absence of bounds violations at compile time.

yet another proof...

Posted Apr 8, 2014 23:36 UTC (Tue) by HelloWorld (guest, #56129) [Link] (29 responses)

I forgot to mention D, which shares with Ada the properties that I listed above. In addition to that it's probably more friendly to C programmers syntax-wise.

yet another proof...

Posted Apr 11, 2014 7:01 UTC (Fri) by mathstuf (subscriber, #69389) [Link] (2 responses)

I've been playing with some D recently and am a heavy C/C++ developer, so maybe I have some insight others may find useful here. What D has over C++ is a vastly more consistent syntax (e.g., static if rather than #if, template parameters, etc.), and that variadic template parameters can be iterated over (done at compile-time), making things like tuples much easier to manipulate and work with in generic code. No more SFINAE, spurious 'template' keyword requirements, compiler idiosyncrasies, and more. Unfortunately, I don't think it goes far enough (or was 5 years too late) and you still have pointers, the language has breaking changes still, some of the standard library has been slated for replacement for years with nothing new in sight (AFAIK), the compiler warnings are poor (nested templates seem to be dropped from messages and they have message elision for 'brevity' which requires -v and that dumps out other information too, limited "why this file is included"/"why this instance is instantiated" tracking, no "unused specialization" warning telling you you're calling things wrong, and more).

Overall, D is nice, but too little, too late now that Rust is on the horizon. IMO, of course.

yet another proof...

Posted Apr 11, 2014 16:03 UTC (Fri) by moltonel (subscriber, #45207) [Link] (1 responses)

> Overall, D is nice, but too little, too late now that Rust is on the horizon. IMO, of course.

You could argue about D being too little compared to Rust (they're quite different though, so I find it hard to compare like this), but D is *11 years older* than Rust. Saying that it has come too late is quite unfair.

While Rust is "on the horizon", D has been production-ready for a long time. It's strange and sad that D didn't pick up a stronger following (there's probably a negative feedback loop in there somewhere). Maybe they'll sudenly and unexpectedly become popular (like Erlang did), but the "better c++" language space has become quite crowded lately.

yet another proof...

Posted Apr 11, 2014 17:36 UTC (Fri) by mathstuf (subscriber, #69389) [Link]

If it had come up in the mid-90's rather than the late 90's (before the STL, basically), it might have been picked up *then*. Now, we're seeing Facebook and other companies *finally* picking up D where, if you were transitioning languages, I would just go with Rust at this point since you get more anyways.

I wouldn't call D production-ready "for some time". I have D code from 2005 which does not compile with any modern compiler (including syntax changes[1]). There are still apparently breaking changes on the horizon and the standard library (as mentioned before) has parts deprecated for something like 5 years (c.f. std.xml) with no replacement yet.

[1]https://github.com/mathstuf/abagames-gunroar/commit/cc1f5...

yet another proof...

Posted Apr 11, 2014 16:52 UTC (Fri) by dashesy (guest, #74652) [Link] (25 responses)

Since nobody else mentioned it, what about Pascal?
It is a descendant of Ada, I remember in my highschool I used i a lot, and it is very similar to C to be a good C-substitute.

yet another proof...

Posted Apr 11, 2014 17:58 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (3 responses)

Anyone who teaches Pascal should be summarily executed.

yet another proof...

Posted Apr 11, 2014 18:55 UTC (Fri) by raven667 (subscriber, #5198) [Link] (2 responses)

I always appreciate your considered, nuanced approach to problem solving. 8-)

yet another proof...

Posted Apr 11, 2014 19:01 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

Well, the world would be better is everyone followed the same approach! For one thing, there wouldn't be any humans on Earth.

But seriously, Pascal is simply way too clumsy. And it still has all the problems of C, because it supports the same unrestricted pointer arithmetic.

It's somewhat mitigated by the fact that pointers are extra-clumsy in Pascal, so only rare students (never mind teachers) ever use them.

yet another proof...

Posted Apr 11, 2014 20:22 UTC (Fri) by khim (subscriber, #9252) [Link]

But seriously, Pascal is simply way too clumsy. And it still has all the problems of C, because it supports the same unrestricted pointer arithmetic.

I think you are mixing Pascal with Turbo Pascal or something. ISO Pascal does not support “unrestricted pointer arithmetic”. And Turbo Pascal only started supporting it in version 7 to better interoperate with Windows's C API.

yet another proof...

Posted Apr 11, 2014 18:17 UTC (Fri) by bronson (subscriber, #4806) [Link] (2 responses)

Pascal perfectly illustrates the difference between theory and practice.

In theory Pascal is a great language. Short example programs can be beautiful. Real-world programs, though, tend to be a mess of assembly blocks, chr/ord, secret compiler calls, weird modes, and other contortions required for when Pascal's oversimplified environment falls short.

I do miss := and ^ though. Much saner than = and *.

yet another proof...

Posted Apr 11, 2014 18:44 UTC (Fri) by halla (subscriber, #14185) [Link]

I don't know whether it was because of the Pascal language or because of the teacher -- Karel Jongeling, who taught Celtic, Punic and morphological analysis using Pascal at Leyden University -- but I did take one really important thing with me from that course: the really basic fact of memory not having any structure, it being one byte after another, and the use of pointers to access those bytes.

I still have to teach that to nearly all my Summer of Code students.

(My morphological analyzer was quite perfect, too. It recognized all the various conjugations and declensions of Classical Chinese, without fail. I guess my classmate who was doing Gothic had it harder, though.)

yet another proof...

Posted Apr 11, 2014 18:57 UTC (Fri) by raven667 (subscriber, #5198) [Link]

Is that also true for Borland TurboPascal and Delphi environments or just reference designs used for teaching?

yet another proof...

Posted Apr 11, 2014 19:09 UTC (Fri) by madscientist (subscriber, #16861) [Link] (5 responses)

Hm. Are you poking at us? :-)

I mean, almost everything in this message is incorrect: Pascal is _not_ descended from Ada (Pascal predates Ada by 10 years or more, depending on how you count), its syntax is not at all C-like, and it's not "a good C-substitute" (OK I guess that's a bit subjective... but only a bit).

I can't argue that you didn't use it in high school, though :-).

yet another proof...

Posted Apr 11, 2014 19:13 UTC (Fri) by dashesy (guest, #74652) [Link] (4 responses)

Eh, too long after PLC course I guess, I got it backwards. For being a good C-substitue, I remember we could `#define BEGIN {` and write a semi-pascal in C.

yet another proof...

Posted Apr 11, 2014 19:42 UTC (Fri) by madscientist (subscriber, #16861) [Link] (3 responses)

Oh my. I actually worked with someone who did that. For real code he was being paid to write. And thought it was a good idea!!

Basically the preprocessor can allow you to make C "look a bit like" lots of languages... but oh the humanity! I will only say that related to the subject of this thread, which is _reducing_ security flaws in software, abusing the preprocessor like this cannot be considered a step forward.

yet another proof...

Posted Apr 11, 2014 20:04 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

The original Bourne shell was written in this way and inspired the IOCC. Check it: http://minnie.tuhs.org/cgi-bin/utree.pl?file=V7/usr/src/c...

yet another proof...

Posted Apr 11, 2014 20:53 UTC (Fri) by viro (subscriber, #7872) [Link]

It's not even just the preprocessor sucking; it degrades security in much nastier way. Such Bournegol-like "dialects" make damn sure that the pool of potential reviewers will be both lessened *and* skewed towards the set of people who are already used to the codebase in question. And the second part is just as bad - the really ugly problem is that people develop blind spots where a glaring bug might hide for long time. Somebody who hadn't spent months reading the code in question stands much better chance to notice those immediately. Make code more idiosyncratic and you are making it harder on the most efficient reviewers.

yet another proof...

Posted Apr 15, 2014 12:47 UTC (Tue) by palmer_eldritch (guest, #95160) [Link]

If you're really crazy, you can also use the C preprocessor on other languages source code to make them look more like C.

yet another proof...

Posted Apr 11, 2014 19:20 UTC (Fri) by viro (subscriber, #7872) [Link] (11 responses)

Good sodding grief...

a) Pascal has been introduced 13 years prior to Ada
b) its type system is piss-poor (less expressive than C one, which takes some doing; no pointers to functions, for one thing)
c) as published, it's not suitable for anything bigger than a toy project. There's a reason why everyone (including Wirth) ended up with their (mutually incompatible) set of extensions providing something module-like.
d) all things IO-related are either very weak _or_ non-standard and mutually incompatible in different versions. And it's not about a library - they are language elements (file of <...> being a part of type system, for starters)

and I'm not going into the syntax, er, deficiencies - that way lies a very old and tired flamewar.

As for "raising awareness"... Generally, it's a cheap way to feel that one is Doing Something About The Problem, without actually doing any work. In this case... Feel free to write something generally useful in $LANGUAGE_OF_CHOICE, if it works well enough, you might be able to convince people that said language is worth considering. Nothing short of that has a chance.

yet another proof...

Posted Apr 11, 2014 20:01 UTC (Fri) by HelloWorld (guest, #56129) [Link]

> As for "raising awareness"... Generally, it's a cheap way to feel that one is Doing Something About The Problem, without actually doing any work. In this case... Feel free to write something generally useful in $LANGUAGE_OF_CHOICE, if it works well enough, you might be able to convince people that said language is worth considering. Nothing short of that has a chance.
That's like saying that the only way to teach people to read and write is to write books.

yet another proof...

Posted Apr 11, 2014 21:17 UTC (Fri) by viro (subscriber, #7872) [Link] (9 responses)

Not quite the same, but actually if there's no literature worth reading in the language in question, you'd damn better start writing some... This is even more serious, though - you are talking about convincing people to *write* in a language. And for that you'd damn better be able to show something good already written in it.

Seriously, there's only one way to become literate - read a lot. And for that there should be something *to* read.

C wouldn't be where it is without the things like Lions' Book; that's what started that huge pile of C code, not advocacy and "raising awareness"... "$FOO is really neat; everyone should start writing in it. No, I'm not doing that myself and I can't point to well-written active projects in $FOO, but You! All! Must! Be! Aware! Of! Its! Greatness!!!1!!!1!!!!" doesn't cut it.

yet another proof...

Posted Apr 11, 2014 23:34 UTC (Fri) by HelloWorld (guest, #56129) [Link] (8 responses)

> And for that you'd damn better be able to show something good already written in it.
Well, most serious programming languages are self-hosting. Rust is, and so are DMD and GNAT, everybody can look at those and their standard libraries. That should easily be enough to judge whether one is interested in using a language. In fact I only need to look at the prototypes for qsort and signal in C to judge it – it's not safe, it's not convenient, the syntax is fubar – thanks, but no thanks. Not acceptable in 2014.

yet another proof...

Posted Apr 11, 2014 23:45 UTC (Fri) by dlang (guest, #313) [Link] (3 responses)

> Well, most serious programming languages are self-hosting.

it depends on what you mean by self-hosting

the vast majority of programming languages depend on a compiler or interpreter written in C or C++.

for interpreted languages, self-hosting is an oximoron, something has to run the lowest level of interpreter.

yet another proof...

Posted Apr 12, 2014 0:48 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

PyPy is self-hosting...

yet another proof...

Posted Apr 12, 2014 1:06 UTC (Sat) by dlang (guest, #313) [Link] (1 responses)

I knew this would come up, which is why I made the comment about the lowest level interpreter

pypy has a compiler in it somewhere since it distributes binaries. So the lowest level interpreter is compiled, not interpreted.

yet another proof...

Posted Apr 12, 2014 1:24 UTC (Sat) by pizza (subscriber, #46) [Link]

> I knew this would come up, which is why I made the comment about the lowest level interpreter.

FWIW, the closest I've seen to a truly self-hosted interpreted language is the Smalltalk VM as distributed as part of Squeak.

The VM itself is defined and written in native Smalltalk, but it is actually translated into C (again via native Smalltalk), which is then compiled by the system C compiler. Naturally, there's still plenty of "native" C for OS interfacing above and beyond the pure VM components (for piddling things like graphics, sound, network access, and input).

yet another proof...

Posted Apr 12, 2014 1:27 UTC (Sat) by viro (subscriber, #7872) [Link] (3 responses)

Right, because so many potential users of the language are willing to read through the compiler guts. Doesn't require any special background. Or strong stomach, for that matter...

If gcc (or pcc, for that matter) had been the only available examples of C, your dream of C-free world would've come true years ago. And if self-hosting implementation had been enough, Modula 3 would've flourished. As it is, it just about got *killed* by being self-hosted. Remember what it used to take to bootstrap it? In practical terms, there had been 1 (one) application - cvsup. Look at its story someday - sad and very instructive. m3 was pretty much "that weird PITA build-dep cvsup has", with pain eventually getting so bad that cvsup got rewritten in C. AFAICS, they (FreeBSD folks) have added lang/modula3 port again this year; amd64-only, due to bootstrap being bloody painful. Wonder how long does it last this time around...

There had been arseloads of self-hosting languages. And that's not enough. Compilers and RTL do _not_ make easy reading, it's a fairly specific niche and using them to estimate the suitability of language for other work is not a good plan. Whether that's good, bad or just plain unfair, It Does Not Work In Real Life(tm).

So if you don't have anything other than GNAT to point to, I'd estimate your odds of convincing people to use Ada as rather poor. If you want to improve those, coming up with a useful project written in the language in question might do the trick. And if there isn't enough people willing to do that, I very much doubt that rehashing "why I hate C" $BIGNUM times will change the situation. USENET used to be full of that and it hadn't done the trick in all those decades...

yet another proof...

Posted Apr 12, 2014 13:06 UTC (Sat) by HelloWorld (guest, #56129) [Link] (2 responses)

> Right, because so many potential users of the language are willing to read through the compiler guts.
Yeah, and so many people are willing to read through the UNIX kernel guts. Oh wait, that requires just as strong a stomach!

> Remember what it used to take to bootstrap it? In practical terms, there had been 1 (one) application - cvsup. Look at its story someday - sad and very instructive. m3 was pretty much "that weird PITA build-dep cvsup has",
Nobody builds stuff like cvsup on their own, that's what distros are for. Yes, maybe you do. I don't care, the vast majority doesn't.

> There had been arseloads of self-hosting languages. And that's not enough. Compilers and RTL do _not_ make easy reading, it's a fairly specific niche and using them to estimate the suitability of language for other work is not a good plan. Whether that's good, bad or just plain unfair, It Does Not Work In Real Life(tm).
That applies to pretty much every project out there. The thing is, reading other people's code to learn a language doesn't work at all, ever. It's probably outside of your area of expertise, and then you see that code is written in some way, but you don't see *why* it's written that way. Moreover, most code simply sucks, and you're more likely to learn bad things rather than good things by reading some random project's code. The way to learn about a language is to *write* in it and then read up on how things might be done better. Look at library APIs and documentation (especially standard library, as that's supposed to be written by people who know what they're doing) – the implementation is often not helpful at all.

Anyway, our opinions clearly differ on this one, so I'll leave it at that.

yet another proof...

Posted Apr 12, 2014 14:39 UTC (Sat) by mpr22 (subscriber, #60784) [Link]

The thing is, reading other people's code to learn a language doesn't work at all, ever.

Reading someone else's code pursuant to modifying it, however, works quite nicely. I mean, the backbone of my successful attempt to learn C was "modify Nethack".

yet another proof...

Posted Apr 13, 2014 12:46 UTC (Sun) by Lennie (subscriber, #49641) [Link]

Yes, you learn by doing. But:

"then read up on how things might be done better."

Reading other people's code is how you read up on how things might be done better.

You see how Apache project uses/build/designed APR.
You see how Postfix works with memory (and has an architecture with multiple programs).

yet another proof...

Posted Apr 10, 2014 12:59 UTC (Thu) by cmccabe (guest, #60281) [Link] (7 responses)

I like Golang. It's gotten pretty popular recently.

Fun discussion here:
https://groups.google.com/forum/#!topic/Golang-Nuts/0za-R...

JT Olds asks: "Why did Go implement its own SSL library? I've scanned the list and the website and I might have missed a design doc somewhere, but as far as I can tell I can't find any motivational reason for why Go implemented its own SSL library."

agl responds: "Have you seen the OpenSSL code? I do, indeed, work with it a lot and it doesn't exactly fill one with positive feelings. NSS has a different set of issues. (I'm not familiar with alternatives like Polar or GnuTLS.)"

Personally, I think a C implementation could be made secure. As I commented earlier, using valgrind would have caught this problem right away. But while we're mentioning languages, why not mention one that's viable?

yet another proof...

Posted Apr 10, 2014 19:18 UTC (Thu) by HelloWorld (guest, #56129) [Link] (5 responses)

> I like Golang.
I don't. But putting that aside for the moment, it's objectively not a suitable language to write this kind of libraries in. You want such libraries to be usable from many languages, otherwise every language community will end up implementing their own, making everything worse. But Go doesn't support dynamic linking and it requires a garbage collector, which interacts poorly if the language you want to call the library from also has one.

yet another proof...

Posted Apr 11, 2014 4:50 UTC (Fri) by nevyn (guest, #33129) [Link] (2 responses)

> You want such libraries to be usable from many languages

If that is a requirement then C is the only option, even if it's possible 99.99% of programers will only use code from their language or C (if it seems too complicated to not reimplement a hack version in their language).

yet another proof...

Posted Apr 11, 2014 12:29 UTC (Fri) by HelloWorld (guest, #56129) [Link] (1 responses)

> If that is a requirement then C is the only option
No, you only need a language that supports the C ABI. Various languages do that, Ada being one example.

yet another proof...

Posted Apr 11, 2014 15:53 UTC (Fri) by nybble41 (subscriber, #55106) [Link]

Indeed. Even Haskell supports the C ABI via its FFI layer; you can both call C functions and export functions callable from C code, using native C types. You do have to initialize the Haskell runtime first, but in a shared library that can done from an _init() function. Compatibility with C, and thus most other languages with C bindings, is not a major stumbling block.

yet another proof...

Posted Apr 11, 2014 9:07 UTC (Fri) by cmccabe (guest, #60281) [Link] (1 responses)

You know, it's kind of silly to advocate rewriting things in higher level languages, and then get upset when someone rewrites something in a higher level language. Sometimes, I think I smell a troll.

Personally, I think having multiple SSL implementations in higher level languages would be a good thing, provided the implementers were reasonably competent, and they were well-reviewed. There are always going to be language communities who don't have this option, either because their runtime is too slow, or because they don't have crypto talent on hand. Those guys can wrap C libraries, and that's ok too.

Loadable module support has been added to Go, although it's not clear which stable release it will land in yet.
https://codereview.appspot.com/9738047

yet another proof...

Posted Apr 11, 2014 12:16 UTC (Fri) by HelloWorld (guest, #56129) [Link]

> You know, it's kind of silly to advocate rewriting things in higher level languages, and then get upset when someone rewrites something in a higher level language
I didn't get upset, I merely pointed out objective weaknesses that make the implementation of libraries that are supposed to be used from languages other than Go harder. It's great for the Go folks that they at least have a safer SSL library to rely upon. I'd just like things to be even better: the rest of the world shouldn't be forced to use OpenSSL either.

yet another proof...

Posted Apr 12, 2014 15:24 UTC (Sat) by intgr (subscriber, #39733) [Link]

> using valgrind would have caught this problem right away.

Valgrind is great, but in this case I can't see how it would help. Valgrind only detects bad memory access when these bad accesses actually take place. With a properly-formed heartbeat message, Valgrind wouldn't thinkg anything is wrong.

So, you'd really have to observe an attacker exploit the bug while the program is running under Valgrind, which seems pretty damn unlikely.

yet another proof...

Posted Apr 10, 2014 10:22 UTC (Thu) by chojrak11 (guest, #52056) [Link] (1 responses)

The problem here is the most stupid string manipulation library on earth being the foundation for the most widely used programming language. Come on, let's admit that many security-related bugs in the wild, and many performance regressions are thanks to string library in C.

The reason that qmail and other Bernstein's software is so resistant to buffer overflows and similar bugs, and that it is so fast, is mostly just because he designed his own small, simple, secure, auditable, binary safe high performance string library (stralloc, for the record, http://cr.yp.to/lib/stralloc.html).

When will we have an alternative string library standardized by ANSI/ISO, to replace this current 45 years old monster? Let there be two of them in C library, one modern, and one deprecated, but come on, what we have now it's hell on earth.

yet another proof...

Posted Apr 10, 2014 13:16 UTC (Thu) by HelloWorld (guest, #56129) [Link]

That's one problem, yes. But it's far from the only one, and C has so many of them that it's essentially impossible to fix it without massive changes to the language. What needs to be done is not fix C, but educate potential users so they refrain from using it and pick something else.

yet another proof...

Posted Apr 8, 2014 13:19 UTC (Tue) by Seegras (guest, #20463) [Link] (1 responses)

> ... that secure software cannot be written in C, period. It's time that
> people grok that and stop using it.

Can. But it might be difficult. However, the corollary to your statement is of course:

... and neither can in any other language.

Ob-corollary:

.. We should all stop writing software.

yet another proof...

Posted Apr 8, 2014 18:29 UTC (Tue) by jspaleta (subscriber, #50639) [Link]

Yes... we should all just stop writing code. I'll drink to that.

yet another proof...

Posted Apr 8, 2014 13:46 UTC (Tue) by sorokin (guest, #88478) [Link] (67 responses)

What happens if similar error (access past the end of array) occurs in program written on "safe" language? I presume something like exception will be thrown.

What is the guarantee that throwing exception doesn't break the invariant of the program? I would say that invariant will be broken very likely if program is not written with exception safety in mind. And truth to be told writing exception safe code is much much harder (sic!) that writing a code that doesn't accesses arrays at wrong index. If programmer can not cope with the latter, he definitely can not cope with the former.

It is very easy to say "oh, accessing past the end of array is very bad, let's throw an exception is that case". What is difficult is to see that this doesn't make incorrect program correct. Much worse it makes automated testing technics like fuzzing under valgrind impossible.

yet another proof...

Posted Apr 8, 2014 14:29 UTC (Tue) by HelloWorld (guest, #56129) [Link] (66 responses)

> What happens if similar error (access past the end of array) occurs in program written on "safe" language? I presume something like exception will be thrown.
>
> What is the guarantee that throwing exception doesn't break the invariant of the program? I would say that invariant will be broken very likely if program is not written with exception safety in mind. And truth to be told writing exception safe code is much much harder (sic!) that writing a code that doesn't accesses arrays at wrong index. If programmer can not cope with the latter, he definitely can not cope with the former.
Accessing an array out of bounds is *guaranteed* to be a bug, and your argument is that we shouldn't check for that because the result of checking *might* also result in a bug? That's insane. Besides, aborting the program is a perfectly viable alternative to throwing an exception.

> It is very easy to say "oh, accessing past the end of array is very bad, let's throw an exception is that case". What is difficult is to see that this doesn't make incorrect program correct.
Nonsense, everybody sane knows that an out-of-bounds access is a bug that must be fixed. Bounds checking is a mitigation technique.

> Much worse it makes automated testing technics like fuzzing under valgrind impossible.
The default behaviour for exceptions is to abort the program. Sure, you can have broken catch blocks that swallow that kind of errors, but you have to go out of your way to do it and there's tools to verify that that never happens. Otoh, valgrind doesn't catch all errors and is slow to the point where many programs are unusable and thus untestable with it.

yet another proof...

Posted Apr 8, 2014 16:58 UTC (Tue) by sorokin (guest, #88478) [Link] (54 responses)

> Accessing an array out of bounds is *guaranteed* to be a bug, and your argument is that we shouldn't check for that because
> the result of checking *might* also result in a bug? That's insane.

This is not insane because:

1. Checking is not free (in terms of runtime performance)
2. Checking works only for very simple programs, almost in every large program throwing an unintended exception may results in invariant broken
3. Checking hinders debuggability (as I mentioned already)

> Besides, aborting the program is a perfectly viable alternative to throwing an exception.

Then you will get DOS instead of information leak. The error is still here.

> The default behaviour for exceptions is to abort the program. Sure, you can have broken catch blocks that swallow that kind of errors, but you have
> to go out of your way to do it and there's tools to verify that that never happens.

No, you don't get the point. It is possible that exception breaks program state and then the exception will be caught (somewhere near main loop). The program state remains broken and after that the program won't work correctly.

What is I write the code (in "safe" language, with GC, managed memory, etc):

class foo
{
foo(model m)
{
m.subscribe(this);
do_some_work(); // (1)
}

void close()
{
m.unsubscribe(this);
}
};

What if function in line (1) throws a exception? The newly created object of class foo will remains subscribed to model m. If model has lifetime longer than object of class foo, we will get a memory leak. Formally this is not a memory leak as the our object will be freed when the model dies, but when model lives for a long time and objects of class foo can be created many times this leads to same effects as memory leak. Also as number of objects foo grows this will slowdown handling events from model. So this effectively leads to DOS.

This is just one example. There are others. My favorite is 100% CPU utilization when some computation throws an exception. The code that invoked this computation didn't marked it as finished and that is why this computation was repeated again and again and again.

So thinking that if you throws a exception your program will continue to work as expected is just completely wrong.

yet another proof...

Posted Apr 8, 2014 17:48 UTC (Tue) by raven667 (subscriber, #5198) [Link] (10 responses)

> Then you will get DOS instead of information leak. The error is still here.

Isn't that an objectively superior result?

> So thinking that if you throws a exception your program will continue to work as expected is just completely wrong.

No one is thinking that so your assumption is invalid. A program which has a critical failure should abort, not try and keep running, badly, by ignoring when it's internal state is no longer valid. Don't catch exceptions that you can't handle, better a DoS than silently bungling your data.

yet another proof...

Posted Apr 9, 2014 12:18 UTC (Wed) by sorokin (guest, #88478) [Link] (9 responses)

> Isn't that an objectively superior result?

Yes, DOS is a bit better than information leak, but we doesn't get this for free.

The question is whether the benefits outweigh the costs.

yet another proof...

Posted Apr 10, 2014 19:06 UTC (Thu) by deepfire (guest, #26138) [Link] (1 responses)

You do not admin any servers, man. Otherwise you'd _feel_ the pain all we have to go though now. Basically, we _must_ assume that everything we run currently is compromised.

yet another proof...

Posted Apr 10, 2014 19:24 UTC (Thu) by jspaleta (subscriber, #50639) [Link]

I've just been running everything for years already under the assumption it was compromised in a way that I could not detect. Make it a lot easier when someone figures out that it actually is.. no panic... just a deep resigned sadness that lingers after a single moment of elation of knowing that I'm not actually paranoid and the world really has been out to get me all along.

-jef

yet another proof...

Posted Apr 11, 2014 23:29 UTC (Fri) by nix (subscriber, #2304) [Link] (6 responses)

A DOS is not always better than an information leak. In, say, accounting software, or security software, sure -- but in safety-critical software? If the choice is between an information leak and a DOS, I want the software that runs jet aircraft to leak, dammit. I want the software that controls the radiation in a radiotherapy scenario to keep going and turn the radiation off at the expected time, rather than throwing an exception and forgetting.

There are *lots* of scenarios in which you would rather that software keep working and not stop, even if it's leaking information to or even entirely under the control of an attacker. (Operating under the assumption here that your average attacker is unlikely to be a murderer and thus will not do things that will kill people even if he controls the system in question. He'll probably just be spamming with it...)

yet another proof...

Posted Apr 12, 2014 12:44 UTC (Sat) by HelloWorld (guest, #56129) [Link] (5 responses)

If you access an array out of bounds, your program state is broken. Keeping the program running in the hope it'll do something sensible is madness, what needs to be done is to restart the program.

yet another proof...

Posted Apr 16, 2014 16:50 UTC (Wed) by nix (subscriber, #2304) [Link] (4 responses)

I gave specific examples of programs for which you would very much *not* want it to restart, crash, or die, no matter what the provocation: staggering on is always preferable.

You think that restarting the program is a good idea if the program is controlling a jet airliner, or a radiotherapy system? In that case, I very much hope you never get anywhere near any safety-critical systems. You are too purist to be safe.

yet another proof...

Posted Apr 16, 2014 21:11 UTC (Wed) by HelloWorld (guest, #56129) [Link]

> staggering on is always preferable.
No. Once your program is in a broken state, you have no reason to believe that it'll do anything sensible. Sticking with your example of a radiotherapy system, you have no reason to believe that it's *not* going to go Therac-25.

> You think that restarting the program is a good idea if the program is controlling a jet airliner, or a radiotherapy system?
Yes. A program that controls this kind of system must be able to restart and recover after a crash, because that's the only sane option once you know your internal program state is broken. If you don't understand that, I very much hope you never get anywhere near any safety-critical systems.

yet another proof...

Posted Apr 16, 2014 22:07 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

> You think that restarting the program is a good idea if the program is controlling a jet airliner, or a radiotherapy system?
Radiotherapy? Really? It's a poster child of systems that should fail and turn off as soon as possible if anything goes wrong. Just look at the infamous Therac-25.

As for airplanes (also spacecraft) - they are specifically designed to stop the misbehaving systems as soon as possible, often with the help of hardware watchdogs and multiply-redundant systems.

Even the main systems responsible for crucial tasks like communication (on spacecraft) or steering (on fly-by-wire airplanes) have a specially designed fail-safe mode that allows only very basic functionality and simply can't fail.

yet another proof...

Posted Apr 20, 2014 18:51 UTC (Sun) by nix (subscriber, #2304) [Link] (1 responses)

Turn off, yes. But if the thing just stops dead and terminates, leaving the system in the exact state it was at that point (with the radiation beam active!) you'd be in a very bad situation.

You have to, somehow, catch the exception (quite possibly, in the case of the radiation beam, via a dedicated hardware cutout, though that wouldn't work for the aircraft case) and do something (turn the beam off) to return the system to a safe state.

yet another proof...

Posted Apr 20, 2014 19:43 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]

That's why if you are designing a reliable system then you have to make it failsafe. I.e. its failure must be safe. You do NOT paper over failure and hope it works. In case of radiation therapy software system must arm a hardware timer for the beam, not turn its on/off switch.

Just trying to paper over violated invariants ultimately results in death and destruction.

yet another proof...

Posted Apr 8, 2014 21:36 UTC (Tue) by HelloWorld (guest, #56129) [Link] (41 responses)

> 1. Checking is not free (in terms of runtime performance)
Intel is working on instruction set extensions for bounds checking (MPX). Historically, the performance hit for protected memory was overcome through hardware support, thus it's completely backward to argue against bounds checking for performance reasons.
Even if that weren't the case, most code isn't performance sensitive and many checks can be optimised away. Given that, it very much is insane to still insist that we can't afford bounds checking for performance reasons.
The sane way to do it is to default to safety and remove checks where it's unavoidable to get sufficient performance (for example by using an “unsafe” block in languages that support it, such as C#, or by rewriting a small part of the program in an unsafe language).

> 2. Checking works only for very simple programs, almost in every large program throwing an unintended exception may results in invariant broken
The moment you're violating the bounds of an array you've already broken an invariant, the question is what to do about it. What you're saying here is that we shouldn't check array bounds because we *might* do something stupid in response when we *know* we'll do stuff that results in information leaks and code execution bugs if we don't. Talk about sticking your head in the sand!

> 3. Checking hinders debuggability (as I mentioned already)
If you simply abort the program, you improve debuggability because every out-of-bounds access is caught immediately. Without bounds checking, the error might manifest itself long after it happened and all the information about how it came to be may well be long gone – this kind of thing is a nightmare to debug. Valgrind is, as I mentioned already, hideously slow (unlike the performance implications of array bounds checking this is a problem in the real world, because you want your test suite to run fast) and there are trivial mistakes it doesn't catch, e. g. int i[10], j[10]; j[15] = 42;.

Now if you throw exceptions instead of aborting, you might catch an out-of-bounds exception and do something stupid with it. But fixing that is a matter of tooling. In Java, it's trivial to run your program in a debugger and trap every time an ArrayIndexOutOfBoundsException is thrown, no matter if it's caught or not.

Saying that bounds checking hinders debuggability is thus plain nonsense. Whether exceptions do is open for debate, but that's not the issue here.

> Then you will get DOS instead of information leak. The error is still here.
What part of this did you not understand: “everybody sane knows that an out-of-bounds access is a bug that must be fixed. Bounds checking is a mitigation technique.”

> No, you don't get the point.
I do, *you* don't get it. When you access an array out of bounds, you've *already* violated a fundamental invariant, and if you keep running, you'll only make matters worse. Yet that's what you're arguing for.

> So thinking that if you throws a exception your program will continue to work as expected is just completely wrong.
Stop those straw man arguments, I never said anything like that and you know it.

yet another proof...

Posted Apr 9, 2014 12:11 UTC (Wed) by sorokin (guest, #88478) [Link] (40 responses)

> Historically, the performance hit for protected memory was overcome through hardware
> support, thus it's completely backward to argue against bounds checking for performance
> reasons.

If bound checking is free I agree that having it enabled is a good thing. But the way it is currently implemented it is not. And I still want to stress that bound checking doesn't make incorrect program correct and this can only be used as a mitigation technique.

> Even if that weren't the case, most code isn't performance sensitive...
> The sane way to do it is to default to safety and remove checks where it's unavoidable to get sufficient performance (for example by using
> an “unsafe” block in languages that support it, such as C#, or by rewriting a small part of the program in an unsafe language).

This is the case when your program has bottlenecks. But often program has no an obvious bottleneck. One example is program I'm currently working on. Lots of efforts was put into performance optimization. On almost every workload the profile of this program is completely flat. No meaningful functions takes more than 3%. Even is we completely optimize away one specific part we gain only 3% of performance. We know that computational complexity of our algorithms is optimal. But the code is still working slower than we want. And truth to be told I was happy to disable some checks to speedup program for 3%, because manual optimization became very hard.

There is no small part to rewrite in unsafe language. Or should we rewrite all 5 Mb of code according to your suggestion?

If you going to say that our program is an exception, take a clang as another example. Which part of the compiler would you write on "safe" code and which on "unsafe"? Preprocessor? Parser? AST? Code generation?

> ...and many checks can be optimised away.

I saw an example where replacing array of char to std::string (from MSVC) results in 4x performance degradation. The problem was that std::string::operator[] (which doesn't do bound checking) choose which buffer to use based on size of the string using a single "if". This "if" enlarge size of a operator[] function and inliner (MSVC) decided not to inline it. On the other hand access to array of char was nicely merged into enclosing code. The program was an implementation of one of string-based algorithm so the effect was disastrous. The fix was to get the iterator from string before doing a computation, so this "if" is performed only once and operator* on iterator can be nicely inlined.

> In Java, it's trivial to run your program in a debugger and trap every time an ArrayIndexOutOfBoundsException is thrown, no matter if it's caught or not.

Only in case when none of libraries you use throw and catch this exception as a part of its standard workflow. Do you know how many components in large programs (like Visual Studio) throws random exceptions? I can cleanup exception in code that belong to me (and an exception in our part of code always indicates error in code), but I can not do this to the whole program. If I trap on every exception I will be unable to debug at all.

> The moment you're violating the bounds of an array you've already broken an invariant, the question is what to do about it. What you're saying here is that we shouldn't
> check array bounds because we *might* do something stupid in response when we *know* we'll do stuff that results in information leaks and code execution bugs if we don't.

So you want to get a chance (sic!) that sometimes your program continue to work in case of out-of-bound. In exchange you want to give up the performance of your program. I hope you know that writing fast code is much harder than writing a correct code.

yet another proof...

Posted Apr 9, 2014 13:21 UTC (Wed) by HelloWorld (guest, #56129) [Link] (26 responses)

It's been 40 years since “premature optimization is the root of all evil”. Saying that we can't afford bounds checking on today's machines is ridiculous, period.

As for your other argument (Exceptions might be caught and something stupid be done with it), that too is ridiculous. Firstly that's not an argument against bounds checking but against exceptions, and secondly, those are corner cases that don't apply in the vast majority of cases and when in doubt can be fixed through tooling. And then you say that valgrind is better, even though it's so slow that most programs are unusable when running under it (and you want your test suite to run fast, because otherwise people *will* stop running it) and it cannot detect an obvious mistake in a 3-line program.

Sorry, dude, this discussion is over.

yet another proof...

Posted Apr 9, 2014 15:25 UTC (Wed) by sorokin (guest, #88478) [Link]

> It's been 40 years since “premature optimization is the root of all evil”. Saying that we can't afford bounds checking on today's machines is ridiculous, period.

Cost of bound checking is relative, it is not absolute. If all your program does is accessing an array. The performance impact is huge.

> As for your other argument (Exceptions might be caught and something stupid be done with it), that too is ridiculous.

Google "exception safety" and understand how many pitfalls there are when you are trying to write something as simple as std::vector<> in exception safe way. Now imagine what happens with a large program.

> And then you say that valgrind is better, even though it's so slow that most programs are unusable when running under it (and you want your test suite to run
> fast, because otherwise people *will* stop running it)

Have you ever heard about difference between "debug" and "release" build? If you do you know that performance is slightly less important for debug build than for release build.

> and it cannot detect an obvious mistake in a 3-line program.

You know, we have -fxxx-sanitizers too.

I don't know want kind of program you are working on. If you write a programs that make a query to DB and show a result, surely a disabled bound checking is not a huge win for you. But not all programs are written this way.

yet another proof...

Posted Apr 9, 2014 16:52 UTC (Wed) by khim (subscriber, #9252) [Link] (24 responses)

It's been 40 years since “premature optimization is the root of all evil”.

Indeed. And for most of that time pundits used that piece ripped out of context to discuss their crazy ideas.

Let me remind about the context. Two quotes from the same guy will suffice:

We should forget about small efficiencies, say about 97% of the time: premature optimization is the root of all evil.

In established engineering disciplines a 12% improvement, easily obtained, is never considered marginal and I believe the same viewpoint should prevail in software engineering

Now, armed with these two quotes we can go back.

Saying that we can't afford bounds checking on today's machines is ridiculous, period.

Indeed. Where bounds-checking is hardware-assisted (think kernel/userspace bounds) it's very cheap. Where it's done on the individual array level it's usually slowdown of 15% or more and thus is not some one must do.

And then you say that valgrind is better, even though it's so slow that most programs are unusable when running under it (and you want your test suite to run fast, because otherwise people *will* stop running it) and it cannot detect an obvious mistake in a 3-line program.

Indeed. That's why there are ASAN, MSAN, etc.

Sorry, dude, this discussion is over.

So very true. C is back to #1 both on langpop and TIOBE. Apparently people have tried “silver bullets” (like C# and/or Java) for long enough to understand that they don't work and now are going back to do a honest work.

yet another proof...

Posted Apr 9, 2014 19:21 UTC (Wed) by HelloWorld (guest, #56129) [Link] (23 responses)

> In established engineering disciplines a 12% improvement, easily obtained, is never considered marginal and I believe the same viewpoint should prevail in software engineering
That's like saying that we should remove oxygen masks, the black box, safety belts and the redundant engine from our airplanes because then we might cram in 12 % more passengers.

> Indeed. That's why there are ASAN, MSAN, etc.
Guess what those do: they add bounds checking to your C compiler, because that makes it easier to debug! Thanks for proving my point. Yeah well, except that they don't really work right yet and aren't as efficient as they could be, had the language been designed with that in mind.

> So very true. C is back to #1 both on langpop and TIOBE.
Yeah, like those mean anything.

> Apparently people have tried “silver bullets”
You guys really like straw men, don't you?

yet another proof...

Posted Apr 9, 2014 20:53 UTC (Wed) by khim (subscriber, #9252) [Link] (22 responses)

That's like saying that we should remove oxygen masks, the black box, safety belts and the redundant engine from our airplanes because then we might cram in 12 % more passengers.

You want' by able to cram 12 % more passengers by removing the black box or safety belts. Now, if you'll remove the parachutes… now we are talking. Guess which percentage of passenger aircraft carry parachutes?

Guess what those do: they add bounds checking to your C compiler, because that makes it easier to debug!

Sure. And when airplane is tested pilots carry parachutes, too.

Yeah well, except that they don't really work right yet and aren't as efficient as they could be, had the language been designed with that in mind.

May be. But then if language will include parachutes^H^H^H^H^Hboundary checking then people will start relying on it (witness Java) and that's not a good thing to do.

Thanks for proving my point.

No. That YOU for really proving my point—even if unwittingly.

yet another proof...

Posted Apr 9, 2014 21:10 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (20 responses)

Can you remember the last buffer overflow bug in Java that was exploitable remotely? I'm not aware of anything like this recently.

Vulnerabilities in Java (and Python) tend to be of the "we forgot to sanitize input data and that allowed users to inject malicious JavaScript on other users' pages". Might be nasty, but nowhere near the Heartbleed or Debian SSL fiasco nastiness.

yet another proof...

Posted Apr 9, 2014 21:59 UTC (Wed) by PaXTeam (guest, #24616) [Link] (18 responses)

how recently? ;)

yet another proof...

Posted Apr 9, 2014 22:08 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (17 responses)

Can it be triggered remotely, or is it yet another "break-out-of-sandbox" vulnerability?

yet another proof...

Posted Apr 9, 2014 22:15 UTC (Wed) by PaXTeam (guest, #24616) [Link] (16 responses)

that's a false dichotomy.

yet another proof...

Posted Apr 10, 2014 8:46 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (15 responses)

No, it's not. Sandbox vulnerabilities are interesting only for the cases where an attacker is already running malicious code in a (probably browser) sandbox. And we can all agree that Java sandbox is way too leaky.

However, these two issues (as I understand it) can't allow attackers to hack a system through a Tomcat server running a typical website.

yet another proof...

Posted Apr 10, 2014 10:28 UTC (Thu) by PaXTeam (guest, #24616) [Link] (14 responses)

ok, let's elaborate then. it seems that you're living in the world of the 90's where the local/remote distinction (despite not being a full coverage of bug/exploit scenarios) was adequate to describe the problems known at the time.

remotely exploitable bugs meant that the attacker's machine (where the exploit was running) was a different machine from the one where the attacked/exploited software was running, typically granting the successful attack(er) some kind of access (the name 'shellcode' reflects until today the original goal) to the other ('remote') machine.

in a somewhat dubious contrast, locally exploitable bugs had been used for scenarios where an attacker had already access to a machine and wanted to elevate privileges by exploiting such a bug (typically a suid root application).

as you can guess, exploitable bugs in say browsers (and in general, 'client' side software) don't fit either category, since the attacker clearly has no a priori access to the attacked machine (so it can't be 'local') nor does he typically have direct remote access to it (so it's not really 'remote' in that old sense). this is why it's a false dichotomy to assume that a bug can either be triggered remotely *xor* just a 'local' privilege elevation. in the security world nobody calls all these java/DOM UAF/etc bugs 'local' in the old sense for this very reason, if anything, they're much closer to the old 'remote' concept.

as for these particular Java bugs, i honestly just hit on the first hits in the CVE search, i have no idea if these ones can specifically be triggered 'remotely' and be used for 'local' privilege elevation, but i'm also certain that some of the 'recently' disclosed bugs have been used for that very purpose.

in conclusion, no, Java has never been immunute to 'remote' attacks, be they memory corruption based or something higher level (suggested reading: http://blog.cr0.org/2010/04/javacalypse.html).

yet another proof...

Posted Apr 10, 2014 10:49 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (13 responses)

Again, you're not even thinking about my argument.

I said that these two exploits are not relevant for the most common Java use-case. So let me explain it.

Suppose that we have a server written in Java that also does all the SSL stuff. This server does NOT load Java code from untrusted locations. All the Java code on the server is unconfined and has the same level of access as a C program running under the same Unix user.

So your exploits are simply irrelevant here. There's no sandbox to break out from. Yet this server would be invulnerable to bugs like Heartbleed or garden-variety buffer overflows.

Do you know any JVM exploits relevant in this scenario?

Cries about Java insecurity because its sandbox is leaky are getting really old...

yet another proof...

Posted Apr 10, 2014 11:57 UTC (Thu) by PaXTeam (guest, #24616) [Link] (12 responses)

your original 'argument' (it keeps changing, maybe stick to one eventually?) was that Java didn't have any 'remotely' exploitable memory corruption bugs 'recently'. that's an obviously false statement, whether you're able to concede it or not.

next, whether any of these Java bugs were exploitable in a traditional 'server' context depends on whether said bugs were present and used/reachable on the 'server'. and that's something you cannot determine unless you prove that you know all the Java server code out there. just a simple example: there're services out there that allow users to upload files, say pictures, in various formats. bugs in processing them would allow remote exploitation of the server in the old sense that you're talking about.

note also that the linked bugs (and not exploits as you referred to them, by mistake) list many server side Java implementations as vulnerable. if you have evidence that they're listed in error please contact the securityfocus guys, i'm sure they'll appreciate your expert opinion. and while you're at it, tell the CoreImpact devs that their exploits don't actually work.

yet another proof...

Posted Apr 10, 2014 12:13 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (11 responses)

No, my argument is not changing. Java has not had any remotely exploitable bugs recently (I'm just being conservative here).

>next, whether any of these Java bugs were exploitable in a traditional 'server' context depends on whether said bugs were present and used/reachable on the 'server'.
I'm sure, that if we search hard enough then we can find a server that allows users to upload arbitrary files and then runs them under the 'root' user.

>just a simple example: there're services out there that allow users to upload files, say pictures, in various formats. bugs in processing them would allow remote exploitation of the server in the old sense that you're talking about.
No, they won't and that's the whole purpose of a safe language. Of course, assuming that image processing is written in Java.

>note also that the linked bugs (and not exploits as you referred to them, by mistake) list many server side Java implementations as vulnerable.
'Server-side Java implementations' use the same JVM as in browsers, so they also contain vulnerable code. Of course, for typical server-side apps this vulnerability is entirely irrelevant.

yet another proof...

Posted Apr 10, 2014 13:03 UTC (Thu) by PaXTeam (guest, #24616) [Link] (10 responses)

> No, my argument is not changing.

heh, if you say so ;). IOW, you're just unable to concede that you were wrong, let's move on then.

> I'm sure, that if we search hard enough then we can find a server that
> allows users to upload arbitrary files and then runs them under the 'root' user.

what's the root user have to do with anything? gaining access on a remote machine under *any* user counts as privilege elevation and hence a security issue. and where does 'runs uploaded files' come from? did you mistake my use of 'processing' for 'running'?

> No, they won't and that's the whole purpose of a safe language.

what do safe languages have to do with bugs? nothing? do you even know what a safe language is? in particular, do you know that it doesn't mean that buggy code cannot be written in it?

> Of course, assuming that image processing is written in Java.

irrelevant, there's no (turing complete) language that you cannot write buggy code in.

> Of course, for typical server-side apps this vulnerability is entirely irrelevant.

which vuln? i showed you only two of many dozens that were reported over the past few years, so if the security people telling you these two are remotely exploitable (you have yet to present your expert evidence to the contrary btw) doesn't convince you then you're welcome to read upon the rest and determine which one suits your foggy definition of whatever fits 'remotely exploitable'.

yet another proof...

Posted Apr 10, 2014 18:43 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (9 responses)

> what do safe languages have to do with bugs? nothing? do you even know what a safe language is? in particular, do you know that it doesn't mean that buggy code cannot be written in it?
'Safe language' by definition does NOT have buffer overflow or use-after-free bugs. So even if you bungle your image parser at most you'll get a well-defined error action (raised exception, abnormal termination, etc.)

>irrelevant, there's no (turing complete) language that you cannot write buggy code in.
Nope, you can't write buffer-overflowing code in a safe language. Feel free to try.

And this property (memory safety) is actually provable, it can't be reduced to the halting problem.

>which vuln?
Pretty much all of them.

yet another proof...

Posted Apr 10, 2014 20:44 UTC (Thu) by PaXTeam (guest, #24616) [Link] (8 responses)

> 'Safe language' by definition [...]

yeah, that's called the no true scotsman fallacy.

> And this property (memory safety) is actually provable, it can't be reduced to the halting problem.

what is provable depends on how you define the property, but i guess we're back to the above fallacy again.

> Pretty much all of them.

wow, that's some bold statement, so why don't you explain why all those Java bugs reported in the recent past are not exploitable on the server side?

yet another proof...

Posted Apr 10, 2014 20:59 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (6 responses)

> yeah, that's called the no true scotsman fallacy.
Incorrect. "No true Scotsman" would apply if I said that Java is not really a safe language, because....

> what is provable depends on how you define the property, but i guess we're back to the above fallacy again.
I defined it quite specifically: "No out-of-bound access or use-after-free is possible".

> wow, that's some bold statement, so why don't you explain why all those Java bugs reported in the recent past are not exploitable on the server side?
Because to exploit them on the server side you first need to be able to run your code within a sandbox _on_ _the_ _server_ _side_.

yet another proof...

Posted Apr 10, 2014 21:59 UTC (Thu) by PaXTeam (guest, #24616) [Link] (5 responses)

the fallacy is that you mixed up definition and implication, just so it suit your argument. that's an endless game i'm not exactly interested in playing ;).

as for "No out-of-bound access or use-after-free is possible", these don't guarantee memory safety therefore no such property is provable.

> ... you first need to be able to run your code ...

i think you've got the entirely wrong idea about this whole server-runs-java-with-exploitables-bugs-in-it thing. really, go read on all those bugs, i can't do it for you.

yet another proof...

Posted Apr 10, 2014 23:25 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (4 responses)

> as for "No out-of-bound access or use-after-free is possible", these don't guarantee memory safety therefore no such property is provable.
What exactly they don't guarantee?

In fact, these restrictions are more than enough for process separation without protected memory, just see SingularityOS as a proof-of-concept.

> i think you've got the entirely wrong idea about this whole server-runs-java-with-exploitables-bugs-in-it thing. really, go read on all those bugs, i can't do it for you.
I checked a couple of them. They are inevitably "code in browser can break out of sandbox".

Do you have anything else to say? Can you articulate a simple scenario where one of the listed vulnerabilities will be of a threat to a server running some Java server application?

yet another proof...

Posted Apr 10, 2014 23:57 UTC (Thu) by PaXTeam (guest, #24616) [Link] (3 responses)

1. initialized memory for one. lack of double frees for another, then lack of data races, etc. the CWE is your friend ;).

2. which ones did you check exactly? and why do you think they're not exploitable on a server? oh never mind, i asked for your expert opinion only a few times so far in vain. as for why the bugreporters thought those bugs were remotely explotable you'd better ask them, it seems you have a lot to discuss with them anyway given how Core claims to have exploits that you say are not possible ;).

yet another proof...

Posted Apr 11, 2014 0:00 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

Initialization and lack of double-frees is covered by the 'no-use-after-free' requirement.

>which ones did you check exactly? and why do you think they're not exploitable on a server?

I checked several issues with public information from the CVEs related to Sun JVM.

Again, I'm asking a simple question - can you outline a scenario where the 'escape-from-sandbox' bugs would be relevant for server-side software?

yet another proof...

Posted Apr 11, 2014 0:21 UTC (Fri) by PaXTeam (guest, #24616) [Link] (1 responses)

> Initialization and lack of double-frees is covered by the 'no-use-after-free' requirement.

heh, no true scotsman strikes again. sorry, this isn't going anywhere, have a nice day ;).

yet another proof...

Posted Apr 11, 2014 0:24 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

So let me recap:
1) You simply got a couple of first hits from Google for "Java vulnerability".
2) You failed to understand the difference between attacking a sandbox and attacking a Java-based server.
3) On top of that, you don't understand what safe languages are about.

Well, that's par for the course....

yet another proof...

Posted Apr 10, 2014 21:02 UTC (Thu) by nybble41 (subscriber, #55106) [Link]

> yeah, that's called the no true scotsman fallacy.

It's not the No True Scotsman fallacy if you're talking about something critical to the definition. For example, the definition of "scotsman" according to Google is "a male native or inhabitant of Scotland or a man of Scottish descent." Taking that definition as authoritative, one would not be committing the No True Scotsman fallacy by saying, "no true scotsman could possibly be female", or "no true scotsman is neither a native or inhabitant of Scotland nor of Scottish descent".

The only fallacy here, if there is one, is the failure to clearly define the term "safe language" before using it in an argument. A reasonable definition would at least include memory safety, however, since in the absence of memory safety one can circumvent any other restrictions.

yet another proof...

Posted Apr 12, 2014 0:19 UTC (Sat) by nix (subscriber, #2304) [Link]

Vulnerabilities in Java tend to be of the 'oops, we can break out of the SecurityManager and now the VM provides no protections at all and we can execute arbitrary code' variety. That is rather bad (at least, it is if you're expecting the VM to provide any more security than the underlying OS does, which a lot of fools did regardless of their enormous attack surface).

yet another proof...

Posted Apr 9, 2014 21:42 UTC (Wed) by HelloWorld (guest, #56129) [Link]

> Now, if you'll remove the parachutes… now we are talking. Guess which percentage of passenger aircraft carry parachutes?
The vast majority of incidents happen at takeoff or landing where a parachute is useless, in the remaining cases there's no time or room to put them on, passengers aren't trained to use them, and given the speed of modern passenger aircraft, they'd be slammed against the door by the wind and killed before you have a chance to jump, if they even make it to the door before freezing or suffocating. So they don't do that *because it doesn't work*, and not because it's “inefficient”.

> Sure. And when airplane is tested pilots carry parachutes, too.
So you agree with me that bounds checking does not hinder debugging as the OP asserted?

> But then if language will include parachutes^H^H^H^H^Hboundary checking then people will start relying on it (witness Java) and that's not a good thing to do.
How many more times do you want to attack this particular straw man? You're not arguing against checking bounds, you're arguing against throwing an exception in case of a failed check.

yet another proof...

Posted Apr 9, 2014 13:25 UTC (Wed) by HelloWorld (guest, #56129) [Link] (12 responses)

Oh, actually I have one more question: can you name *a single case* of a vulnerability caused by mistakenly catching an exception caused by bounds checking and breaking program invariants that resulted in an information leak or a code execution flaw?

yet another proof...

Posted Apr 9, 2014 16:58 UTC (Wed) by khim (subscriber, #9252) [Link] (2 responses)

Why would you need any code execution flaw if you can just log in without password and take what you want?

That is the typical result of messed up control flow (including bad exception handling) and frankly I prefer buffer overflows: typically these can not not be exploited by five years old.

yet another proof...

Posted Apr 9, 2014 19:21 UTC (Wed) by HelloWorld (guest, #56129) [Link]

We don't know *anything* about how that bug came to be. Using it as an argument for, well, anything, is just stupid beyond words.

yet another proof...

Posted Apr 12, 2014 14:22 UTC (Sat) by intgr (subscriber, #39733) [Link]

Are you suggesting that bounds-unchecked languages are invulnerable to "messed up control flow" bugs?

There's no tradeoff here. You can have a language with both sorts of bugs, or a language with only one kind of bugs.

yet another proof...

Posted Apr 12, 2014 0:21 UTC (Sat) by nix (subscriber, #2304) [Link] (8 responses)

I've had at least one in my own code that went live and got caught before anyone did any harm with it. (Thankfully, the users of the system in question were internal banking users that one would *hope* would have neither the knowledge nor inclination to attack their own systems. Ha ha ha yeah right.)

yet another proof...

Posted Apr 12, 2014 12:46 UTC (Sat) by HelloWorld (guest, #56129) [Link] (7 responses)

Really? You accessed an array out of bounds and mistakenly caught the exception, ultimately resulting in an information leak or code execution?

yet another proof...

Posted Apr 12, 2014 13:05 UTC (Sat) by mpr22 (subscriber, #60784) [Link] (6 responses)

After seeing a device driver written in C that contained the exact line case 11-255: in the body of a switch, I generally try to transcend my incredulity when hearing about mistakes people have made in the development of software. The error nix claims to have made is entirely plausible to me (and I'm having trouble imagining a plausible ulterior motive for him to falsely claim to have commited such an error); why are you having so much trouble believing it?

yet another proof...

Posted Apr 12, 2014 14:42 UTC (Sat) by HelloWorld (guest, #56129) [Link] (5 responses)

I'm having so much trouble believing it because it seems extremely unlikely to me. Messing up an array access? Sure. Catching the wrong exception? Of course! Messing up control flow through broken error handling? Why not! Breaking program invariants that lead to an information leak? Does happen. But all of those together? I find it more likely that nix missed one of the conditions that I set. I'm not assuming malice here. Maybe he messed up his exception control flow due to some other kind of Exception, that kind of detail is easy to miss in this kind of debate.

yet another proof...

Posted Apr 16, 2014 16:52 UTC (Wed) by nix (subscriber, #2304) [Link] (4 responses)

It was, indeed, all of those at once (though I didn't bother to prove that it could result in code execution, it was very definitely an 'attacker can now control the state of the program' bug, and if you can't elevate one of those into arbitrary code execution you need to try harder). Sorry you don't believe it, but your beliefs do not define reality.

yet another proof...

Posted Apr 16, 2014 20:54 UTC (Wed) by HelloWorld (guest, #56129) [Link] (3 responses)

Well, OK, so it happened once (though I don't really understand what you mean by “attacker can now control the state of the program” and how that relates to code execution in Java – but that's not the issue here).
Meanwhile in C-land... http://www.youtube.com/watch?v=2l7ixRE3OCw&t=39m25s

So I still think that the kind of bug you have experienced is much, *much* rarer than the typical C stack-smashing-and-code-execution bug.

yet another proof...

Posted Apr 20, 2014 18:54 UTC (Sun) by nix (subscriber, #2304) [Link] (2 responses)

I don't really understand what you mean by “attacker can now control the state of the program” and how that relates to code execution in Java
If the attacker can call arbitrary Java functions with arbitrary parameters, the attacker can compose arbitrary Java bytecode and execute it. It might take another security hole if running with a non-default SecurityManager or class loader, but do you really believe there are none of those left? :)

yet another proof...

Posted Apr 21, 2014 18:29 UTC (Mon) by HelloWorld (guest, #56129) [Link] (1 responses)

> the attacker can call arbitrary Java functions with arbitrary parameters
The only way that could work in Java is via introspection. That sounds like an interesting bug indeed, but I still think that this kind of thing is *nowhere near* as common as the typical stack smashing bug in C programs.

yet another proof...

Posted Apr 23, 2014 13:38 UTC (Wed) by nix (subscriber, #2304) [Link]

It's not as common -- but that was never in question. I prefer my goalposts to stay where they are and not wander around :)

yet another proof...

Posted Apr 11, 2014 6:33 UTC (Fri) by mathstuf (subscriber, #69389) [Link]

> What if function in line (1) throws a exception?

You write an RAII wrapper for subscribe/unsubscribe? The code is obviously not exception safe, so the fact that it breaks on an exception is not surprise.

yet another proof...

Posted Apr 8, 2014 23:08 UTC (Tue) by artem (subscriber, #51262) [Link] (10 responses)

> The default behaviour for exceptions is to abort the program.

That's in theory. I've been programming in java for some time, and my impression is that in practice, when unexpected exception comes out from some library, the default behavior for typical application programmer is to slap try/catch around and see if it 'fixes' it. Because when it comes to a choice like this:

1. figure out how the library works and fix it
2. wait until fixed library will be released
3. ship the application

it's not hard to guess which one most people will choose.

yet another proof...

Posted Apr 8, 2014 23:28 UTC (Tue) by HelloWorld (guest, #56129) [Link] (1 responses)

Do you know what “default behaviour” means? Hint: it doesn't mean “behaviour when you ‘slap try/catch around’ it”.

yet another proof...

Posted Apr 9, 2014 1:52 UTC (Wed) by bojan (subscriber, #14302) [Link]

I think the point of the post was that because the default behaviour of the language is to terminate the program and finding out why and/or fixing it is harder than attempting to catch the exception, the latter is usually (and unfortunately) done in real world code. In other words, it is the default behaviour of many programmers, which, for all intents and purposes, overrides language defaults.

The net effect is that, again, good programs only exist as a result of good programming.

yet another proof...

Posted Apr 12, 2014 0:23 UTC (Sat) by nix (subscriber, #2304) [Link] (7 responses)

This is, of course, the combination of the useful paranoia mechanism which is checked exceptions and lazy/bad programmers.

Checked exceptions are *meant* to be a reminder that dammit you need to figure out a way to handle this error here. What it actually becomes in practice with sufficiently lazy or just plain bad programmers is a ritual of slapping

try { ... } catch (FooBarException e) {}

around code whenever a checked-exception error is given -- and that's if you're lucky! If you're unlucky, they catch Exception e or just Error e (IIRC, it's been a while: the superclass of Exception that contains runtime errors too).

yet another proof...

Posted Apr 12, 2014 1:24 UTC (Sat) by ABCD (subscriber, #53650) [Link]

The absolute worst case in Java is when someone catches Throwable, which is the base class that anything that can be thrown extends, including both Exception and Error. The only things that do not have to be caught are RuntimeExceptions (a subclass of Exception) and Errors; RuntimeExceptions should be caught quickly, Errors can happen at any time, and often imply the program might be better off crashing (especially OutOfMemoryError and InternalError).

yet another proof...

Posted Apr 12, 2014 13:18 UTC (Sat) by HelloWorld (guest, #56129) [Link] (5 responses)

> try { ... } catch (FooBarException e) {}
The answer to that is “don't do that then!”. The difference here is that it's very easy to write an out-of-bounds access by accident, while you explicitly have to type the above boilerplate, and you *know* that that's bad style (if you don't, you have other problems).

yet another proof...

Posted Apr 16, 2014 16:56 UTC (Wed) by nix (subscriber, #2304) [Link] (4 responses)

You really haven't seen many of the 'normal programmers' at which Java was aimed, have you? I've seen large codebases used to throw hundreds of millions of dollars around the world every single day which contain *thousands* of instances of exactly that pattern -- and that's after I spent months trying to clean them up: I gave up, the lazy programmers were introducing instances much faster than I could fix it. I pointed out that this was bad style, of course, but their answer was, at best, 'that error could never happen and it's too much work to figure out what to do about it, look! deadline!'. (If I was lucky. Some of them thought that exceptions were just the compiler whining at you for no good reason and that that pattern was what you were *meant* to do to 'fix' it. I managed to re-educate most of the members of this class working on that codebase into the former class, not that it did much good.)

yet another proof...

Posted Apr 17, 2014 0:50 UTC (Thu) by HelloWorld (guest, #56129) [Link] (3 responses)

What exactly are you arguing here? Is it that idiots will write buggy programs? I know that and I never claimed otherwise. Is it that checking bounds and throwing an exception when the check fails will result in just as many problems as not checking them? That's false, as a fucked-up control flow is both less likely and easier to prevent using source analysis tools.

Oh, and there's another way to solve the problem: fire those people. They probably have net negative productivity anyway. Once you get rid of idiots, many things become easier.

yet another proof...

Posted Apr 20, 2014 18:55 UTC (Sun) by nix (subscriber, #2304) [Link] (2 responses)

The problem is that in most companies that are not dedicated software houses, and even in many that are, and *certainly* in the sort of place at which Java was explicitly aimed, *most of the programmers are average*, i.e. what you call 'idiots'. You can suggest simply firing all of them, but believe me you won't find enough people much better than them to replace them, certainly not without an enormous outlay.

yet another proof...

Posted Apr 21, 2014 18:45 UTC (Mon) by HelloWorld (guest, #56129) [Link] (1 responses)

Your answer has nothing to do with the question I asked or the topic at hand. Again, what are you arguing here? That exceptions are too hard for “average” programmers?

yet another proof...

Posted Apr 23, 2014 13:41 UTC (Wed) by nix (subscriber, #2304) [Link]

It was a response in agreement and support of artem. No argument was intended, merely anecdata, that checked exceptions are, not 'too hard' for average programmers, merely *routinely worked around* by them, and certainly don't improve the state of error handling in programs such people work on over other languages. (Of course, in C, they'd never check errno, or check it in the wrong places...)

yet another proof...

Posted Apr 8, 2014 13:53 UTC (Tue) by Otus (subscriber, #67685) [Link]

> ... that secure software cannot be written in C, period.

All languages have their pitfalls. Memory allocation is one of C's, but for
something like OpenSSL there are also problems that are more difficult in
higher level managed languages. For example, avoiding timing attacks. It's
relatively straightforward to write an algorithm in C with a constant
runtime for all inputs, but with higher level languages you have to take
into account things like preallocated integers or what the JIT may decide to
do at runtime.

yet another proof...

Posted Apr 8, 2014 19:16 UTC (Tue) by welinder (guest, #4699) [Link] (3 responses)

Java is an example of a language in which you cannot make array bounds
mistakes. I'm not sure a close inspection of its security record would
come out positive, though.

yet another proof...

Posted Apr 9, 2014 5:51 UTC (Wed) by ibukanov (subscriber, #3942) [Link] (2 responses)

As a language Java is very secure. The problem comes from a really bad sandboxing model they use to run trust untrusted code. But if one does not to concern themselves with that like Java usage in a typical server environment, then the track record is very good.

But as it was noted above the GC in Java in general leaks too much timing information. This is what makes Java not suitable for implementing many kinds of cryptographic software.

yet another proof...

Posted Apr 9, 2014 5:57 UTC (Wed) by dlang (guest, #313) [Link] (1 responses)

there's also the minor problem that Java can't be written in Java, and the implementation of Java can still be vulnerable to all the problems of the language that it's written in.

yet another proof...

Posted Apr 9, 2014 7:50 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link]

Java can be written in Java. Look at RVM for an example.

yet another proof...

Posted Apr 9, 2014 18:57 UTC (Wed) by alvieboy (guest, #51617) [Link]

... that secure software cannot be written in C, period. It's time that people grok that and stop using it.

Oh god, you better forget about flying then... and perhaps forget about using any other means of transportation. Ah, and don't use Satellites, nor anything else similar. They're mostly in ADA, but there's probably some "C" there also.

Alvie

yet another proof...

Posted Apr 10, 2014 12:51 UTC (Thu) by cmccabe (guest, #60281) [Link] (15 responses)

This is a slashdot-level discussion that I'm sad to see on LWN.

The obvious fact is, there are many tools out there that could have detected a read of uninitialized memory in C/C++/C-whatever. valgrind, thread sanitizer, electric fence, are all out there, just an apt-get away. Any one of those tools would have instantly thrown up a red flag when confronted with this kind of thing. You might have to disable the custom memory allocator first, or do some work to integrate it with the tool, but that's not really too difficult (the disabling especially.)

If anything productive comes out of this vulnerability, hopefully it will be awareness of the need to use stuff like valgrind and unit tests.

yet another proof...

Posted Apr 10, 2014 13:11 UTC (Thu) by HelloWorld (guest, #56129) [Link] (13 responses)

> This is a slashdot-level discussion that I'm sad to see on LWN.
No, it's the truth. Using C in todays world is the moral equivalent of not having airbags or safety belts in your car. The fact that people deny this only shows that even today people don't understand how bad the situation with computer security really is.

The tools you mention wouldn't have helped as they aren't used in production and they would have likely been useless during debugging because the bug is never triggered through well-behaved clients. Perhaps fuzzing would have helped for this particular bug, but it's unrealistic to expect each and every memory safety bug to be discovered that way. So we desperately need something like Rust in today's world.

yet another proof...

Posted Apr 10, 2014 18:03 UTC (Thu) by pizza (subscriber, #46) [Link] (12 responses)

> Using C in todays world is the moral equivalent of not having airbags or safety belts in your car.

No, Using C in today's world is the equivalent of looking both ways before crossing the street.

yet another proof...

Posted Apr 10, 2014 18:49 UTC (Thu) by HelloWorld (guest, #56129) [Link] (11 responses)

We've had memory protection in our operating systems for decades, precisely because every sane person realized that “just program carefully!” does *not* work in the real world. Sorry, you're part of the problem, not part of the solution.

yet another proof...

Posted Apr 10, 2014 19:39 UTC (Thu) by pizza (subscriber, #46) [Link] (1 responses)

> Sorry, you're part of the problem, not part of the solution.

Without my being "part of the problem" your computer would be be useful for little more than a doorstop. So, respectfully, take your attitude and shove it.

yet another proof...

Posted Apr 10, 2014 20:13 UTC (Thu) by HelloWorld (guest, #56129) [Link]

> Without my being "part of the problem" your computer would be be useful for little more than a doorstop.
That remains to be proven. Actually it's pretty much impossible to prove it, since you can't know what would have happened if C hadn't caught on.

yet another proof...

Posted Apr 10, 2014 19:45 UTC (Thu) by pizza (subscriber, #46) [Link] (8 responses)

> We've had memory protection in our operating systems for decades, precisely because every sane person realized that “just program carefully!” does *not* work in the real world.

Memory protection separates *independent processes*, not memory within the same process.

Meanwhile, how do you think you're able to take advantage of that? Via someone "programming carefully" with C code.

yet another proof...

Posted Apr 10, 2014 20:12 UTC (Thu) by HelloWorld (guest, #56129) [Link] (7 responses)

> Memory protection separates *independent processes*, not memory within the same process.
No shit!

The point is that telling people to "program carefully" *does not scale*. It doesn't scale when you want to prevent program A from taking program B with it when it crashes, and it doesn't scale when you want to prevent security bugs like this one.

> Meanwhile, how do you think you're able to take advantage of that? Via someone "programming carefully" with C code.
Yeah, that's the point. *Someone* has to program carefully, not *everyone* has to program carefully in order for the OS not to crash.

yet another proof...

Posted Apr 10, 2014 20:42 UTC (Thu) by mpr22 (subscriber, #60784) [Link] (4 responses)

If you want secure, reliable software, then memory safety in the language semantics is useful (since it makes certain kinds of carefulness easier to achieve), but careful design, careful implementation, and careful testing are all essential.

yet another proof...

Posted Apr 10, 2014 21:07 UTC (Thu) by HelloWorld (guest, #56129) [Link] (3 responses)

Sure, I didn't advocate memory-safe languages as a replacement for everything else. Yet that's the straw man people keep attacking around here.

yet another proof...

Posted Apr 11, 2014 10:11 UTC (Fri) by etienne (guest, #25256) [Link] (2 responses)

> Sure, I didn't advocate memory-safe languages as a replacement for everything else

But you advocate it for kernel, where most of it is drivers, where a lot of them use physical memory addresses (PCIe mapped, I/O mapped, ...) and DMA out of control of the processor (and no, there is no generic DMA, only local and tricky per-device DMA - at least on standard PC).
If you want to forbid those drivers to write to a non-allocated pointer, you need to give them the way to bypass so that they can do their work...
Part of the solution could be to have a clean interface in between the processor and the drivers, but people keep buying strange hardware with crappy interface because it is $0.01 cheaper and had a lot of advertisement.
Even an encryption library may want to access hardware assisted encryption.

Also, we had an old Intel processor which was made for security, everybody refused to buy/use it.
We have an option in GCC on ia32 doing bound checking (I do not know if it is still working), and for free (not a very expensive proprietary thing), nobody accepted to use/improve it.

So, use C by default to shift megabytes from and to the kernel, but I would like a language which knows what is physical memory, what is virtual memory, that there is different kind of memory (cached level 1, cached level 2, on motherboard, on another NUMA node, persistent, PCIe memory, non cache-able, non-writeable, only accessible on 32 bits boundary, reserved for a local processor, processor specific registers...), a language that knows what is an interrupt and what is an exception, and a language that acknowledge that there may be another task/thread running.
Please make that language simple and up-to-date (SIMD)...

yet another proof...

Posted Apr 11, 2014 11:59 UTC (Fri) by mpr22 (subscriber, #60784) [Link]

The 432 failed not because it was designed for security, but because it was designed for security by architecture astronauts.

yet another proof...

Posted Apr 11, 2014 12:46 UTC (Fri) by HelloWorld (guest, #56129) [Link]

Sure, there are places in the kernel where you can't use a memory-safe language. But the conclusion of that shouldn't be to give up on it altogether and *never* do it, which is what is currently being done. C# has “unsafe” blocks, and that's where we need to go: give up on it only where it's needed and make it explicit.

yet another proof...

Posted Apr 10, 2014 20:45 UTC (Thu) by raven667 (subscriber, #5198) [Link] (1 responses)

While I agree with the sentiment that most application programs should be written in a safer environment than C, you are conceding the argument that some low level code, the OS kernel and re-usable libraries, may be written in C by programming very carefully. Wouldn't the SSL library fall into this category? What exactly is being argued here?

yet another proof...

Posted Apr 10, 2014 21:49 UTC (Thu) by HelloWorld (guest, #56129) [Link]

> While I agree with the sentiment that most application programs should be written in a safer environment than C, you are conceding the argument that some low level code, the OS kernel and re-usable libraries, may be written in C by programming very carefully.
Where am I supposed to have conceded that? The only thing I'd like to see implemented in such languages is the parts of the stack needed to set up the safe environment where everything else is done. That includes the part of the kernel where memory management and memory protection are implemented (which is *not* the entire kernel). It also includes garbage collectors and language runtimes. But OpenSSL? Why, why on earth??

Actually, there's another category of code where bounds checking is useless: algorithms with a formal proof of memory safety (not necessarily a complete proof of the correctness of the algorithm). This shouldn't be *that* hard for the core cryptographic algorithms in OpenSSL.

Why nobody found this with e.g. valgrind

Posted Apr 11, 2014 0:48 UTC (Fri) by tialaramex (subscriber, #21167) [Link]

As I read first on Slashdot, of all places if you disable OpenSSL's "my first malloc" custom allocator, the entire library begins to behave weirdly because, of course, they don't test anything properly or have much idea what they're doing.

http://www.tedunangst.com/flak/post/analysis-of-openssl-f...

So, for over four years OpenSSL has what amounts to a use-after-free bug that they get away with (except if they lose the race condition...) only because their custom allocator is garbage. And not only did they not fix this problem, they didn't even acknowledge the bug reports.

Blissful ignorance.

But what's actually sad is that over the past few months it has been handily illustrated that nobody in this line seems to have much of a clue what they're doing. Except perhaps Microsoft.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 13:11 UTC (Tue) by cumbos (guest, #95741) [Link] (3 responses) 

 % wget http://s3.jspenguin.org/ssltest.py 
 % python ssltest.py openssl.org
 Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 66
 ... received message: type = 22, ver = 0302, length = 3274
 ... received message: type = 22, ver = 0302, length = 331
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
 ... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
  0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  .@....SC[...r...
  0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
  0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
  0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
  0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
  0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
  0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
  0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
  0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
  0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
  00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
  00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 6C 2E 6F 72  ....#.......l.or
  00e0: 67 00 0B 00 04 03 00 01 02 00 0A 00 34 00 32 00  g...........4.2.
  00f0: 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00 0A 00  ................
  0100: 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00  ................
  0110: 05 00 12 00 13 00 01 00 02 00 03 00 0F 00 10 00  ................
  0120: 11 00 0D 00 22 00 20 06 01 06 02 06 03 05 01 05  ....". .........
  0130: 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02  ................
  0140: 01 02 02 02 03 01 01 63 65 75 79 5A 41 36 4C 49  .......ceuyZA6LI
  0150: 57 63 77 44 51 59 4A 4B 6F 5A 49 68 76 63 4E 41  WcwDQYJKoZIhvcNA
  0160: 51 45 46 42 51 41 44 67 67 45 42 41 48 35 59 2F  QEFBQADggEBAH5Y/
  0170: 2F 30 31 0A 47 58 32 63 47 45 2B 65 73 43 75 38  /01.GX2cGE+esCu8
  0180: 6A 6F 77 55 2F 79 79 67 32 6B 64 62 77 2B 2B 42  jowU/yyg2kdbw++B
  0190: 4C 61 38 46 36 6E 52 49 57 2F 4D 2B 54 67 66 48  La8F6nRIW/M+TgfH
  01a0: 62 63 57 7A 6B 38 38 69 4E 56 79 32 50 33 55 6E  bcWzk88iNVy2P3Un
  01b0: 58 77 6D 57 0A 7A 61 44 2B 76 6B 41 4D 58 42 4A  XwmW.zaD+vkAMXBJ
  01c0: 56 2B 4A 4F 43 79 69 6E 70 58 6A 39 57 56 34 73  V+JOCyinpXj9WV4s
  01d0: 34 4E 76 64 46 47 6B 77 6F 7A 5A 35 42 75 4F 31  4NvdFGkwozZ5BuO1
  01e0: 57 54 49 53 6B 51 4D 69 34 73 4B 55 72 61 58 41  WTISkQMi4sKUraXA
  01f0: 45 61 73 50 34 0A 31 42 49 79 2B 51 37 44 73 64  EasP4.1BIy+Q7Dsd
  0200: 77 79 68 45 51 73 62 38 74 47 44 2B 70 6D 51 51  wyhEQsb8tGD+pmQQ
  0210: 39 50 38 56 69 6C 70 67 30 4E 44 32 48 65 70 5A  9P8Vilpg0ND2HepZ
  0220: 35 64 66 57 57 68 50 42 66 6E 71 46 56 4F 37 36  5dfWWhPBfnqFVO76
  0230: 44 48 37 63 5A 45 0A 66 31 54 31 6F 2B 43 50 38  DH7cZE.f1T1o+CP8
  0240: 48 78 56 49 6F 38 70 74 6F 47 6A 34 57 31 4F 4C  HxVIo8ptoGj4W1OL
  0250: 42 75 41 5A 2B 79 74 49 4A 38 4D 59 6D 48 56 6C  BuAZ+ytIJ8MYmHVl
  0260: 2F 39 44 37 53 33 42 32 6C 30 70 4B 6F 55 2F 72  /9D7S3B2l0pKoU/r
  0270: 47 58 75 68 67 38 46 0A 6A 5A 42 66 33 2B 36 66  GXuhg8F.jZBf3+6f
  0280: 39 4C 2F 75 48 66 75 59 35 48 2B 51 4B 34 52 34  9L/uHfuY5H+QK4R4
  0290: 45 41 35 73 53 56 50 76 46 56 74 6C 52 6B 70 64  EA5sSVPvFVtlRkpd
  02a0: 72 37 72 37 4F 6E 49 64 7A 66 59 6C 69 42 36 58  r7r7OnIdzfYliB6X
  02b0: 7A 43 47 63 4B 51 45 4E 0A 5A 65 74 58 32 66 4E  zCGcKQEN.ZetX2fN
  02c0: 58 6C 72 74 49 7A 59 45 3D 0A 2D 2D 2D 2D 2D 45  XlrtIzYE=.-----E
  02d0: 4E 44 20 43 45 52 54 49 46 49 43 41 54 45 2D 2D  ND CERTIFICATE--
  02e0: 2D 2D 2D 0A 0A 0A 43 65 72 74 69 66 69 63 61 74  ---...Certificat
  02f0: 65 3A 0A 20 20 20 20 44 61 74 61 3A 0A 20 20 20  e:.    Data:.   
  0300: 20 20 20 20 20 56 65 72 73 69 6F 6E 3A 20 33 20       Version: 3 
  0310: 28 30 78 32 29 0A 20 20 20 20 20 20 20 20 53 65  (0x2).        Se
  0320: 72 69 61 6C 20 4E 75 6D 62 65 72 3A 20 34 35 20  rial Number: 45 
  0330: 28 30 78 32 64 29 0A 20 20 20 20 53 69 67 6E 61  (0x2d).    Signa
  0340: 74 75 72 65 20 41 6C 67 6F 72 69 74 68 6D 3A 20  ture Algorithm: 
  0350: 73 68 61 32 35 36 57 69 74 68 52 53 41 45 6E 63  sha256WithRSAEnc
  0360: 72 79 70 74 69 6F 6E 0A 20 20 20 20 20 20 20 20  ryption.        
  0370: 49 73 73 75 65 72 3A 20 43 3D 49 4C 2C 20 4F 3D  Issuer: C=IL, O=
  0380: 53 74 61 72 74 43 6F 6D 20 4C 74 64 2E 2C 20 4F  StartCom Ltd., O
  0390: 55 3D 53 65 63 75 72 65 20 44 69 67 69 74 61 6C  U=Secure Digital
  03a0: 20 43 65 72 74 69 66 69 63 61 74 65 20 53 69 67   Certificate Sig
  03b0: 6E 69 6E 67 2C 20 43 4E 3D 53 74 61 72 74 43 6F  ning, CN=StartCo
  03c0: 6D 20 43 65 72 74 69 66 69 63 61 74 69 6F 6E 20  m Certification 
  03d0: 41 75 74 68 6F 72 69 74 79 0A 20 20 20 20 20 20  Authority.      
  03e0: 20 20 56 61 6C 69 64 69 74 79 0A 20 20 20 20 20    Validity.
...

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 13:44 UTC (Tue) by moltonel (subscriber, #45207) [Link] (2 responses)

Sigh... I can reproduce this on openssl.org, and on my own laptop after unpatching it, but not on a random selection of domains out there.

If the original vulnerability and the various opinions of bad code quality didn't cast a horribly bad light on the openssl project, not applying their own critical patch really should. I'm sure they're very busy right now, but this is ridiculous. For all I know, I could be going through a MITM when downloading the updated code from openssl.org.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 13:48 UTC (Tue) by lkundrak (subscriber, #43452) [Link] (1 responses)

Note the exploit in wide circulation is broken (probably unintentionally though). It sends the heartbeat twice and often times out waiting for first heartbeat's response.

Remove one of "s.send(hb)" calls if you suspect your site should be vulnerable, but the tool reports otherwise.

The OpenSSL "heartbleed" vulnerability

Posted Apr 9, 2014 8:41 UTC (Wed) by viiru (subscriber, #53129) [Link]

There appear to be a long list of critical problems with the ssl setup at openssl.org: https://www.ssllabs.com/ssltest/analyze.html?d=openssl.or...

Either this hasn't been maintained for years or the person who is supposed to be maintaining it has no clue. Based on the reported Apache version number the later option seems more likely.

Whew... dodged this bullet from laziness

Posted Apr 8, 2014 15:51 UTC (Tue) by dskoll (subscriber, #1630) [Link]

Our outside-facing servers still run Squeeze. *phew*

Now I wonder what unpatched vulns there are in Squeeze that have been fixed in Wheezy? :( Bah, software sucks!

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 16:34 UTC (Tue) by branden (guest, #7029) [Link] (1 responses)

I'm starting a pool on how long it takes Ben Laurie to blame this defect on someone else.

The OpenSSL "heartbleed" vulnerability

Posted Apr 10, 2014 3:43 UTC (Thu) by flewellyn (subscriber, #5047) [Link]

Why him in particular? I must be missing some context.

The OpenSSL "heartbleed" vulnerability

Posted Apr 8, 2014 23:35 UTC (Tue) by stressinduktion (subscriber, #46452) [Link] (4 responses)

I wonder if mmap secret data (like secret keys in this case) manually far away from the heap could be of any help.

On rare accesses one could protect the memory with mprotect(PROT_NONE) and only functions needing to deal with those data could temporary use PROT_READ to get access. But that seems to be pretty expensive on servers where a tlb flush has to be done on page permission changes.

The OpenSSL "heartbleed" vulnerability

Posted Apr 9, 2014 23:19 UTC (Wed) by lkundrak (subscriber, #43452) [Link] (3 responses)

Every data is secret here.

Consider an ordinary https-decrypting proxy server here. Most of the data in the memory is the connection data -- headers with session cookies and log-in requests with passwords included or the data it was meant to protect.

Surely, you could protect the keys, but it won't be much of a win at all.

The OpenSSL "heartbleed" vulnerability

Posted Apr 11, 2014 17:30 UTC (Fri) by stressinduktion (subscriber, #46452) [Link] (2 responses)

I think it is a win, even only a small one, to not have to change all the certificates and keys.

Btw, akamai just posted a (prototype) patch adding secure storage for private keys to openssl:
http://www.mail-archive.com/openssl-users@openssl.org/msg...

The OpenSSL "heartbleed" vulnerability

Posted Apr 11, 2014 18:01 UTC (Fri) by gioele (subscriber, #61675) [Link]

The patch is a variant of another that has been used in production for years, says the author.

Sometimes I understand why AGPL is needed.

The OpenSSL "heartbleed" vulnerability

Posted Apr 16, 2014 16:48 UTC (Wed) by nix (subscriber, #2304) [Link]

Heh. Rich Salz. Haven't seen *that* name for a long time.

I wondered what he was doing these decades...

Any word on CAs and Cert regeneration

Posted Apr 9, 2014 0:32 UTC (Wed) by martin.langhoff (subscriber, #61417) [Link] (8 responses)

Anyone affected by this (say, a good part of the HTTPS hosts out there!) will need to regen their Certs.

Is there any word on any CA offering special pricing on cert regeneration?

Any word on CAs and Cert regeneration

Posted Apr 9, 2014 0:33 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (5 responses)

GoDaddy can re-key certificates for free. I think StartSSL also does this.

Any word on CAs and Cert regeneration

Posted Apr 9, 2014 8:14 UTC (Wed) by ovitters (guest, #27950) [Link] (3 responses)

StartSSL wants you to pay to revoke your key. As the ease of stealing the private key is very high, you need to revoke all your private keys. Else someone could still setup a man in the middle attack.

Any word on CAs and Cert regeneration

Posted Apr 9, 2014 13:06 UTC (Wed) by seneca6 (guest, #63916) [Link]

This shows the importance of a community CA like CAcert, as opposed to free certs given by a for-profit company. (The availability of the latter was one of the arguments given in the discussion of the recent Debian bug report that led to exclusion of the CAcert root.)

Any word on CAs and Cert regeneration

Posted Apr 9, 2014 19:14 UTC (Wed) by dlang (guest, #313) [Link] (1 responses)

revoking keys is of questionable use. How many clients check the revocation lists?

Any word on CAs and Cert regeneration

Posted Apr 10, 2014 0:32 UTC (Thu) by mirabilos (subscriber, #84359) [Link]

Not enough. Not even a few. We're lucky most clients nowaday check the Common Name, and maybe subjectAltName, of the certs…

Any word on CAs and Cert regeneration

Posted Apr 9, 2014 21:34 UTC (Wed) by mirabilos (subscriber, #84359) [Link]

https://bugzilla.mozilla.org/show_bug.cgi?id=994033

Startcom / StartSSL refuses to rekey any certificates, and even refuses the fallback option of revoking them (with or without the ability to get new certificates from them for the revoked ones, doesn't matter) at no cost.

A select few individuals have reported success citing the CVE, but I, along with others, have been denied certificate revocation.

This is utterly inacceptable for a CA.

Any word on CAs and Cert regeneration

Posted Apr 9, 2014 0:48 UTC (Wed) by bojan (subscriber, #14302) [Link]

Starfield does it for free.

Any word on CAs and Cert regeneration

Posted Apr 10, 2014 5:53 UTC (Thu) by Cato (guest, #7643) [Link]

RapidSSL certificates can be re-issued for free through the verisign.com website - at least those bought via SSLmatrix but probably the reseller doesn't matter. Not expensive anyway, and have pretty good browser compatibility.


Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds