|
|
Subscribe / Log in / New account

Toward a more approachable Rust

Toward a more approachable Rust

Posted Feb 23, 2017 14:49 UTC (Thu) by tshow (subscriber, #6411)
In reply to: Toward a more approachable Rust by peter-b
Parent article: Toward a more approachable Rust

By a similar argument, because there are orders of magnitude more drownings in water than ammonia or acetic acid, it would be irresponsible to fill a new swimming pool with water in 2017.

C definitely wasn't built with security in mind, and there are definitely problems with it, but "C codebases" are also the majority of the attack surface out there.

to post comments

Toward a more approachable Rust

Posted Feb 23, 2017 15:34 UTC (Thu) by pizza (subscriber, #46) [Link] (7 responses)

> C definitely wasn't built with security in mind, and there are definitely problems with it, but "C codebases" are also the majority of the attack surface out there.

Are you sure about that? I mean, we're in a bit of a C echo chamber here, but large-scale data breaches are almost never due to anything C-related (ie a buffer overflow) -- instead things like not changing default/hardcoded passwords, network sniffing of insecure connections, SQL insertion, cookie hijacking (and other XSS-type stuffs), and so forth -- and of course let's not forget the "disgruntled employee" who just copies everyhing onto a USB stick and walks out the door...

Toward a more approachable Rust

Posted Feb 23, 2017 17:54 UTC (Thu) by tshow (subscriber, #6411) [Link]

Right, but you aren't fixing any of those by switching to Rust either. We're presumably talking about the subset of security bugs that can be fixed with a "better" programming language.

Toward a more approachable Rust

Posted Feb 24, 2017 8:26 UTC (Fri) by peter-b (subscriber, #66996) [Link] (2 responses)

> Are you sure about that? I mean, we're in a bit of a C echo chamber here, but large-scale data breaches are almost never due to anything C-related (ie a buffer overflow)

"Almost never"

https://blog.cloudflare.com/incident-report-on-memory-lea...

Toward a more approachable Rust

Posted Feb 24, 2017 12:35 UTC (Fri) by pizza (subscriber, #46) [Link] (1 responses)

Okay, what part of "large scale data breach" applies here? Couldfare's bug _could_ have led to some data being leaked, but I'm finding it hard to imagine that happening on any sort (organized) scale.

C buffer overflows weren't responsible for 1 billion Yahoo accounts having their credentials compromised. They weren't responsible for the multiple point-of-sale compromises that were responsible for my credit cards being revoked three times in a single calendar year (including one actual fraud attempt) Buffer overflows weren't responsible for the Federal OMB's compromise of literally millions of highly sensitive personnel files. They aren't responsible for the Classified info leaked by Snowden or Manning. More down to earth, Buffer overflows weren't responsible for the Murai botnet with upwards of half a million webcams compromised by a fixed backdoor that yielded total access. Buffer overflows have nothing to dow with folks [re]using weak passwords on every online acount. Buffer overflows don't matter at all to [spear] phishing that deliberately targets folks with keys to the kingdom, or systems with "special managment exceptions" because executives can't be bothered to abide by the same security procedures as their underlings.

...And so on.

Sure, at an individual level those overflows can (and do) suck, and we should absolutely fix them. But let's not delude ourselves into thinking that getting rid of C sill have _any_ effect on piss-poor system design and the utter fallibility of the person sitting between the keyboard and the chair.

Toward a more approachable Rust

Posted Feb 24, 2017 12:43 UTC (Fri) by pizza (subscriber, #46) [Link]

Upon reflection I suppose we don't know what led to the Yahoo breach -- not even they know, apparently -- but the silver lining there is that there's finally a tangible cost to poor security practices -- about $0.35/user, which in aggregate is large enough for the suits to start caring.

Toward a more approachable Rust

Posted Feb 25, 2017 5:17 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

Your timing was simply impeccable: https://lwn.net/Articles/715535/

Toward a more approachable Rust

Posted Feb 25, 2017 12:40 UTC (Sat) by pizza (subscriber, #46) [Link] (1 responses)

Yeah, it was just about perfect timing :)

But on a more serious note -- Due to the nature of how the Cloudfare CDN caching/proxying/rewriting works, this bug seems to be more of an information leak of random data rather than something that can be realistically harnessed/targeted to extract specific, targeted information, as it is heavily dependent on:

1) The exact page contents of what you're requesting (Granted, if you can control the contents of the page being cached, you could conceivably construct pages to maximixe this)
2) The other page requests that were served before yours and their contents, size, timing, and whatnot. Given the scale of the Cloudfare CDN, this is the sticking point..

It's not like heartbleed where you could just hammer a single, specific, targeted server again and again and adjust the parameters until you saw something interesting.

...Am I wrong in my interpretation?

Granted, with sufficient time, data capture, and a considerable amount of analysis, one could probably map the random extra stuff one was seeing to at least specific domains, which might enable some targets of opportunity -- eg a specific user session (cookie hijacking), perhaps a random user's credentials if you're really lucky, and possibly even a MITMing of an entire domain if you're able to extract its private TLS key in drips and drabs.

It's lousy, but it's not "our entire user database has been downloaded without anyone knowing" lousy.

Toward a more approachable Rust

Posted Feb 25, 2017 16:43 UTC (Sat) by excors (subscriber, #95769) [Link]

> if you can control the contents of the page being cached

That part seems trivial: sign up as a Cloudflare customer and publish a page that triggers the parser bug.

> The other page requests that were served before yours and their contents, size, timing, and whatnot. Given the scale of the Cloudfare CDN, this is the sticking point..

If you want to target users of a specific site, I guess you could perhaps write a page like:

<script>
var xhr1 = new XMLHttpRequest();
xhr1.open("GET", "https://very-secure-site-using-cloudflare.example/");
xhr1.withCredentials = true;
xhr1.send();

var xhr2 = new XMLHttpRequest();
xhr2.open("GET", "page-that-triggers-the-parser-bug.html");
xhr2.onload = function() { /* send the content back to the attacker */ }
xhr2.send();
</script>

and host it via Cloudflare, and make users run that script (e.g. distribute it through an ad network).

If the user is already logged into the target site, the first request will send their credentials (cookies etc) over HTTPS, which will hopefully end up unencrypted in the Cloudflare cache server's memory. (The XHR security model assumes GETs don't trigger side effects, and it won't allow the attacker to read the cross-origin response, so that request would normally be safe). The second request will trigger the parser bug, Cloudflare will append random memory content to the response, and (since it's a same-origin request) the attacker can read that response.

Since the two requests are being made by the same user there's a reasonable chance they'll end up going through the same cache server, and since the requests are nearly simultaneous there's a reasonable chance the leaked data will come from the corresponding first request instead of being mixed up with other users' requests. Repeat a few million times until success.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds