DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
Posted May 2, 2022 8:19 UTC (Mon) by mjg59 (subscriber, #23239)In reply to: DeVault: Announcing the Hare programming language by ddevault
Parent article: DeVault: Announcing the Hare programming language
https://git.sr.ht/~sircmpwn/hare/tree/master/item/crypto/... - as an app developer targeting the standard library, how do I know whether or not my keys are going to be stored securely or not?
Posted May 2, 2022 8:22 UTC (Mon)
by ddevault (subscriber, #99589)
[Link] (45 responses)
Posted May 2, 2022 9:28 UTC (Mon)
by mjg59 (subscriber, #23239)
[Link] (44 responses)
Posted May 2, 2022 9:35 UTC (Mon)
by ddevault (subscriber, #99589)
[Link] (43 responses)
Posted May 2, 2022 9:42 UTC (Mon)
by mjg59 (subscriber, #23239)
[Link] (42 responses)
Posted May 2, 2022 9:49 UTC (Mon)
by ddevault (subscriber, #99589)
[Link] (41 responses)
Posted May 2, 2022 9:52 UTC (Mon)
by mjg59 (subscriber, #23239)
[Link] (19 responses)
Look if you can't understand that this is a thing that will happen in the real world and that people will potentially suffer as a result you shouldn't be writing a crypto library. The absolute best thing you could do right now is move the entire crypto directory out of your stdlib until it's fully reviewed by people who understand not only cryptography but also threat modelling.
Posted May 2, 2022 9:54 UTC (Mon)
by ddevault (subscriber, #99589)
[Link] (16 responses)
Posted May 2, 2022 9:59 UTC (Mon)
by mjg59 (subscriber, #23239)
[Link] (3 responses)
Posted May 2, 2022 18:12 UTC (Mon)
by bluss (guest, #47454)
[Link] (2 responses)
Posted May 2, 2022 19:00 UTC (Mon)
by Natanael_L (guest, #158286)
[Link]
If you're doing it as a hobby, it should be your obligation to advertise it as NOT being secure enough for deployment for anything handling sensitive information.
Posted May 4, 2022 15:46 UTC (Wed)
by Ashton (guest, #158330)
[Link]
Posted May 2, 2022 13:14 UTC (Mon)
by ncm (guest, #165)
[Link] (11 responses)
Posted May 2, 2022 13:18 UTC (Mon)
by ddevault (subscriber, #99589)
[Link] (10 responses)
Posted May 2, 2022 17:02 UTC (Mon)
by Lionel_Debroux (subscriber, #30014)
[Link] (4 responses)
Posted May 2, 2022 17:04 UTC (Mon)
by ddevault (subscriber, #99589)
[Link] (3 responses)
Posted May 3, 2022 10:31 UTC (Tue)
by nix (subscriber, #2304)
[Link] (1 responses)
You think "silently fails insecure if conditions not advertised outside the source tree happen to be true and no way to pick an alternative, but advertised as being extra-secure" is a good thing, really?
Meanwhile, supporting key storage in YubiKeys would fix this problem by being portable to arbitrary operating systems, plus it has relatively low cost for keys capable of such things, is *literally trivial* to implement because Yubico provide not only libraries in multiple languages but an actual written spec, and should be pretty easy to make work on any device capable of USB communication -- but you arbitrarily declare it as out of scope Or if not YubiKeys, how about one of the countless other devices, most free hardware, with the same capabilities? Or how about at least not claiming the library is secure when it's not? There are *so many* ways to get out of this hole ever so easily, but instead you're literally simply refusing to engage or fix this obvious problem in any of the dozen-plus ways available to you or even acknowledge that it is a problem... because you don't like Matthew's tone. This really does not fill me with enthusiasm for your new language at all.
Posted May 3, 2022 10:34 UTC (Tue)
by ddevault (subscriber, #99589)
[Link]
Again, the YubiKey suggestion lacks an understanding of the scope of this module and of the standard library in general.
Posted May 4, 2022 15:46 UTC (Wed)
by Ashton (guest, #158330)
[Link]
Posted May 2, 2022 18:40 UTC (Mon)
by Wol (subscriber, #4433)
[Link] (1 responses)
Telling a well known expert he's clueless is going to get pretty much everyone here writing you off as not worth paying any attention to. (I'd pretty much done that already, but this really does hammer the point home!).
Cheers,
Posted May 2, 2022 19:42 UTC (Mon)
by corbet (editor, #1)
[Link]
Posted May 3, 2022 4:43 UTC (Tue)
by rsidd (subscriber, #2582)
[Link] (2 responses)
Posted May 3, 2022 5:04 UTC (Tue)
by mjg59 (subscriber, #23239)
[Link] (1 responses)
Posted May 3, 2022 7:00 UTC (Tue)
by rsidd (subscriber, #2582)
[Link]
Posted May 6, 2022 15:17 UTC (Fri)
by daniel.glasser (guest, #97146)
[Link] (1 responses)
Secure key management can be difficult and not at all portable in my experience. Hare, and its libraries, are fairly new. No doubt, given enough exposure, there will be improvements as those libraries evolve.
Posted May 6, 2022 16:55 UTC (Fri)
by farnz (subscriber, #17727)
[Link]
If there's no underlying secure key storage mechanism, why provide a "secure key storage" library on that platform? If you're going to provide one that's best effort, why not provide a mechanism for the programmer to confirm that it's not using the heap, but instead using a secure storage location?
And note that the core problem is not so much that the library as it exists now is problematic (after all, Hare has not yet been ported to a non-Linux platform), as the attitude underlying it that the programmer can't be trusted to do the right thing if the library tells the programmer what the true state is. That's not a good look for a language whose claimed USP is that it "trusts the programmer" - if the programmer can be trusted, a simple "bool is_secure_storage()" would be enough.
Posted May 2, 2022 13:14 UTC (Mon)
by HelloWorld (guest, #56129)
[Link] (10 responses)
Posted May 2, 2022 13:19 UTC (Mon)
by ddevault (subscriber, #99589)
[Link] (9 responses)
Posted May 2, 2022 14:54 UTC (Mon)
by farnz (subscriber, #17727)
[Link]
So how do I conditionally compile Hare such that if a secure keystore isn't available, my code refuses to compile? This module isn't that, because it works cross-platform, even if there is no secure keystore available.
In effect, it's opportunistically downgrading my code if I move from a platform like Linux with a secure keystore to one without, and long experience shows that opportunistic downgrades are a really bad thing for security. An opportunistic upgrade would be if you (e.g.) detected use of the bytes::zero secure zeroing operation, and upgraded from "normal" storage to a secure keystore.
What I, as a developer doing my best to not add too many more security bugs to the world, is for my code to actively alert the next developer (which might even be me a few years later) if they are making decisions that contradict things my code assumes is true. This particular module does exactly the opposite - if I make decisions that are true assuming the keystore is secure (which is testably true on Linux), and then someone uses my code on FreeBSD (where it's not true in this version of the code), then the user who switches to FreeBSD has introduced flaws I wasn't expecting to have to handle.
Posted May 3, 2022 10:36 UTC (Tue)
by nix (subscriber, #2304)
[Link] (7 responses)
Now maybe you're saying most people will never be attacked so there's no point worrying about this -- but in that case why encrypt anything at all? The whole point of encrypting things is to stop attackers from reading them! Maybe you think that most attackers won't be sufficiently dedicated... but it only takes one attacker to write a tool to do whatever thing you think is difficult and suddenly it's easy and every script kiddie is doing it.
Posted May 3, 2022 10:38 UTC (Tue)
by ddevault (subscriber, #99589)
[Link] (6 responses)
Posted May 3, 2022 12:59 UTC (Tue)
by farnz (subscriber, #17727)
[Link] (4 responses)
The specific concern I have is related to a user trusting the programmer. The problem here is that the language sets me up for a fall if I do trust the programmer.
Assume I'm administrating a FreeBSD fleet; I discover a need, and find a program written in Hare that fills that need. The documentation written by the programmer asserts several security claims that are true on the assumption that a secure keystore is used, and false otherwise. Being a conscientious sysadmin, before relying on the documentation, I first compile the program and run its test suite.
Here's where the pain lies - because there's no way for a Hare programmer to fail the tests if the keystore is not actually secure (but instead heap memory), I see a full set of passes. And then I get burnt because I trusted the programmer, but the language provided no way for the programmer to tell me that, because of my system choices, my trust is misplaced.
And this applies even if the programmer is conscientious - in autotools C, for example, I'd note that keyctl is not available, and not compile in the "in memory secure" keystore, because it's not present on this platform. It'd then be obvious to the conscientious sysadmin that in memory key storage is not available on FreeBSD, and that you need another implementation (be that PKCS#11, TPMv2, Yubikey, or whatever else the programmer designed in), or that I can't trust the security claims that depend on keyctl.
If Hare wanted me to be able to trust the programmer, there would at a minimum be a way for the programmer to prevent the code relying on the key store if it's not secure. That mechanism is not present here.
Posted May 3, 2022 13:16 UTC (Tue)
by ddevault (subscriber, #99589)
[Link] (3 responses)
This is an error in the downstream software, not in Hare. We cannot prevent programmers from making untruthful claims about their software. And, *again*, storing secrets in the heap in the face of the lack of a kernel-managed keystore *does not directly make your program insecure*.
Posted May 3, 2022 13:40 UTC (Tue)
by farnz (subscriber, #17727)
[Link] (2 responses)
It's also a bug in Hare, because it claims to be a secure keystore, but it's not on some systems. And while storing secrets in the heap does not directly make your program insecure, I'm not talking about that - I'm referring to the case where the program does things to ensure that it's secure as long as the keys are not on the heap or stack outside of the times they're used.
And again, it's trivial to fix in Hare - just an is_secure_store function that returns true on Linux, false on other platforms for now.
Posted May 3, 2022 13:43 UTC (Tue)
by ddevault (subscriber, #99589)
[Link] (1 responses)
> On platforms without a suitable feature, a fallback implementation stores the secrets in the process heap, providing no security. This is an opportunistic API which allows your program to take advantage of these features if available.
In my opinion, this is very clear.
Posted May 3, 2022 13:45 UTC (Tue)
by farnz (subscriber, #17727)
[Link]
And in my opinion, it's not clear at all - which platforms have secure storage? How do I tell my users that they've chosen a platform that doesn't work the way I want it to? How do I prevent use of the keystore when it's not actually secure?
Posted May 3, 2022 13:45 UTC (Tue)
by nix (subscriber, #2304)
[Link]
They wouldn't. They would search the set of people using whatever-it-is and filter out those running Linux, knowing that *all the rest* were storing the keys on the heap and they could use heap spraying or whatever. (For which they'd probably need another vulnerability. They're very good at chaining these things together...)
Posted May 2, 2022 16:23 UTC (Mon)
by wtarreau (subscriber, #51152)
[Link] (9 responses)
Posted May 2, 2022 16:25 UTC (Mon)
by ddevault (subscriber, #99589)
[Link] (8 responses)
> On platforms without a suitable feature, a fallback implementation stores the secrets in the process heap, providing no security. This is an opportunistic API which allows your program to take advantage of these features if available.
If that's not suitable for your needs, then you need to use something else.
Posted May 2, 2022 16:56 UTC (Mon)
by dkg (subscriber, #55359)
[Link] (7 responses)
I agree that opportunistic security can useful. But there are circumstances where the developer needs a guarantee, not opportunism. If Hare had an explicit method for requiring secure storage of keys during compilation, which would fail if the underlying OS doesn't offer support, then a developer who wants a strong security guarantee can have it, and a developer who is happy with the opportunistic approach could have it too.
And, some future static analyzer could look for instances of opportunistic use in systems that really need to offer stronger guarantees by seeing which interface was selected.
You're introducing a programming language to an interested potential user base here. Why sabotage the introduction by defensively rejecting useful feedback?
Posted May 2, 2022 16:59 UTC (Mon)
by ddevault (subscriber, #99589)
[Link] (6 responses)
Posted May 2, 2022 18:22 UTC (Mon)
by wtarreau (subscriber, #51152)
[Link] (5 responses)
Posted May 2, 2022 18:28 UTC (Mon)
by ddevault (subscriber, #99589)
[Link] (3 responses)
Even so, we do not rely entirely on the docs. Again, crypto::keystore is just a small part of a larger secure system, and with defense in depth its failure is unlikely to be an issue. Using crypto::keystore on a system without secure kernel key management does not actually introduce a security bug - it just gives an opportunity for exploitation if you find *another* bug which allows you to read arbitrary memory from the process (the likelihood of which is prevented, again, defense in depth, by things like bounds-checked slices). Our other cryptographic APIs are also designed to make errors as unlikely as possible, such as via mandatory error handling and automatic zeroing of caller-provided private data.
Posted May 3, 2022 10:26 UTC (Tue)
by peter-b (guest, #66996)
[Link] (2 responses)
Aww, shucks. As a programmer who sometimes writes less than perfect code, it sounds like Hare is not for me.
Posted May 3, 2022 10:27 UTC (Tue)
by ddevault (subscriber, #99589)
[Link]
Posted May 4, 2022 4:01 UTC (Wed)
by timrichardson (subscriber, #72836)
[Link]
Posted May 2, 2022 19:48 UTC (Mon)
by mathstuf (subscriber, #69389)
[Link]
Interesting take. Any evidence for "vast majority of code"?
> because these languages are so painful and stubborn that when you don't know how to express something that sounds simple and the compiler refuses, you have to attack it another side and at some point you run out of ideas.
Ah, yes, because I enjoy having to figure out what data is tracked by which mutex manually (and somehow communicating this to everyone else that works in the vicinity) instead of the compiler saying "uh, hey, did you forget to consider threads here?". Yes, much better when I have to pick up someone else's debugging state to figure out what went wrong. Repeat for uninitialized data, memory management miscommunications, single-threaded code being improperly used from multiple threads[1], etc. </s>
If you're working in tricky areas, expect tricky code. I'd rather someone convince the compiler that they got it right instead of expecting anyone else coming along and fixing warnings or whatever tripping over those 3 lines that took an hour to get right because threads are hard and the comment was ignored by `clang-tidy -fix` and a rubber stamp review.
[1] I agree with you: docs are not enough, you need something more. Rust's `Sync` trait seems to do well enough.
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
Your library: puts it on the heap if I'm on any kernel other than Linux
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
Wol
...and this kind of comment really doesn't help the situation either. Please can we try to calm things down a bit?
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
In a security context, being opportunistic is broken.
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
Drew, the feedback you're getting here is good feedback. You'd do the hare project a favor by listening instead of explaining why you're right and they're wrong.
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language
DeVault: Announcing the Hare programming language