Undefined Behaviour as usual
Posted Feb 24, 2024 2:03 UTC (Sat)
by tialaramex (subscriber, #21167)
In reply to: Undefined Behaviour as usual by pizza
Parent article: Stenberg: DISPUTED, not REJECTED
For the file deletion situation the usual way this comes up is that bad guys hijack a program (whatever its purpose may have been) to execute arbitrary code (not something it was intended to do, but ultimately not hard to achieve in some UB scenarios as numerous incidents have demonstrated). Then they do whatever they like, which in some cases may include deleting your files (perhaps after having preserved an encrypted "backup" they can sell to you).
Posted Feb 24, 2024 3:12 UTC (Sat)
by pizza (subscriber, #46)
[Link] (17 responses)
Seriously? Calling that the consequence of "undefined behaviour" is beyond farcical, as the _computer operator_ is *deliberately choosing* to delete files.
Just because the operator is unauthorized doesn't make them not the operator.
And "undefined behaviour" is not a requirement for, nor does it necessarily lead to, arbitrary command execution.
Posted Feb 25, 2024 18:28 UTC (Sun)
by tialaramex (subscriber, #21167)
[Link] (16 responses)
Emotionally it's satisfying to insist that you're right and Mother Nature is wrong. But pragmatically the problem is that Mother Nature doesn't care how you feel about it
And it's going to keep happening until you stop doing the thing that doesn't work, even though you find that emotionally unsatisfying as an outcome.
Posted Feb 25, 2024 23:39 UTC (Sun)
by pizza (subscriber, #46)
[Link] (15 responses)
No, Alisdair and I both claim it can't happen *unless someone intentionally writes code to make it happen*
...It won't happen by pure happenstance. (Which even your contrived script kiddie example demonstrates)
> But pragmatically the problem is that Mother Nature doesn't care how you feel about it
Uh.. there is nothing "natural" about computer software or even computer hardware; they cannot operate in ways that exceed what they were designed to do. But that's neither here nor there; "Mother Nature" doesn't respond to unexpected stimulus in arbitrary ways either; nature has rules that govern how it functions. (Granted, we don't understand many/most of them, but that doesn't mean they don't exist.)
For example, reading an uninitialized memory cell yields "undefined" results. However, in reality (sorry, "Nature") the value will either be 1 or 0. It literally cannot be anything else, because the computer can only register a 1 or a 0 in response to that input -- you won't ever get a value of "0.661233123413" or "blue". So yes, it is "undefined" but it is *bounded*. What happens in response to that? That depends on what that value is used for in the larger system.
Going back to the curl not-a-CVE, when the worst possible outcome is that the user gets access to one byte of data they already had access to, there is no path from that read to "nuke your filesystem" unless curl is being used within a system already designed to nuke your filesystem (or the OS or runtime or whatever was intentionally designed to nuke your filesystem) if you read-out-of-bounds.
Another way of looking at this is that sure, the contents of that extra byte is technically undefined, but so is every other byte in the HTTP response from the server -- including whether or not you get one at all. Similarly, what the server does as a result of you making that request is also undefined and largely outside your control. It could trigger thermonuclear war for all you know. But it won't trigger global thermonuclear war unless someone deliberately gave it those capabilities. In other words, undefined, but *bounded*.
Posted Feb 26, 2024 6:40 UTC (Mon)
by mb (subscriber, #50428)
[Link] (11 responses)
That is not true.
The rest of your post is also largely not true. But that has been explained often enough to you, so I won't repeat.
Posted Feb 26, 2024 9:10 UTC (Mon)
by geert (subscriber, #98403)
[Link] (1 responses)
Posted Feb 26, 2024 9:16 UTC (Mon)
by mb (subscriber, #50428)
[Link]
Posted Feb 27, 2024 20:24 UTC (Tue)
by pizza (subscriber, #46)
[Link] (8 responses)
A TRNG does not respond "arbitrarily"; it still can only operate within its design constraints, which of course includes the characteristics of the materials it was constructed from. And, while any given read of a TRNG is "undefined" the value is bounded, with each discrete value being equally probabilistic as long as it is used within its designed operating conditions. [1]
It will always return a value between 0.0 and 1.0. [2] It cannot return "Fred" or kill your cat unless you put it into a box with a vial of poison.
...And the physical phenomenon that the RNG is measuring also has to have bounds, or you'd not be able to detect it -- Certain stimuli can make these events more likely (yay, Fission!) but that's just a change in probabilities [3] The point being, they don't respond "arbitrarily". Your Pb isn't going to turn into Au because a butterfly flapped its wings halfway across the world. Either an atom decays or it doesn't. Either an electron crosses the P-N junction or it doesn't.
[1] Several $dayjobs ago, I helped design a TRNG, so I have a decent idea how they work... and when they fail.
Posted Feb 27, 2024 20:46 UTC (Tue)
by mb (subscriber, #50428)
[Link] (7 responses)
Posted Feb 27, 2024 22:12 UTC (Tue)
by pizza (subscriber, #46)
[Link] (6 responses)
How exactly does a high school physics experiment support your claim that "Mother Nature doesn't respond to unexpected stimulus in arbitrary ways either; nature has rules that govern how it functions" is "not true"? [1]
...This experiment shows that we are still trying to figure out what those rules are, not that they don't exist!
It certainly doesn't change the fact that while any given observation is unpredictable, the probabilities are. (eg you can't predict the decay of an individual atom, but you can accurately predict the overall _rate_ of decay of a mole of them)
[1] https://lwn.net/Articles/963598/
Posted Feb 28, 2024 10:20 UTC (Wed)
by Wol (subscriber, #4433)
[Link] (5 responses)
That's all, folks.
Cheers,
Posted Feb 28, 2024 12:19 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
Cheers,
Posted Feb 29, 2024 14:24 UTC (Thu)
by pizza (subscriber, #46)
[Link] (2 responses)
Yeah, so? That doesn't demonstrate that Nature behaves arbitrarily and doesn't follow rules; it demonstrates that Nature's rules are a lot more complicated than we previously understood.
Posted Feb 29, 2024 18:29 UTC (Thu)
by mb (subscriber, #50428)
[Link]
https://en.wikipedia.org/wiki/Laplace%27s_demon
Nature has inherent randomness and undefined behavior.
Posted Feb 29, 2024 21:08 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
We have classical physics, where everything follows rules and is deterministic.
We have relativity, which iirc is the same.
And then we have quantum, where things happen at the micro level, but the rules only work at the macro level - we have no idea what (if any at all) the deterministic rules are. Especially as the main thing behind quantum seems to be the making of something out of nothing - if we have nothing there to start with, how can there be anything there to apply deterministic rules TO!?
So if quantum is basically nothing, surely it's reasonable to assume the quantum rules are nothing, too :-)
Cheers,
Posted Feb 29, 2024 21:02 UTC (Thu)
by rschroev (subscriber, #4164)
[Link]
Posted Feb 26, 2024 7:40 UTC (Mon)
by jem (subscriber, #24231)
[Link] (2 responses)
I can easily imagine a memory technology where reading an uninitialized memory cell produces the value 1, and could on the next read (still uninitialized) produce the value 0. If you repeat the process a sufficient number of times you could end up with a mean value of 0.661233123413.
Posted Feb 26, 2024 11:20 UTC (Mon)
by mpr22 (subscriber, #60784)
[Link]
Mmm, delicious sparkling bits. (The client was doing something ill-advised – can't remember whether it was power down or just hard reset – to the system while MLC NOR Flash was being programmed, which is admittedly something a bit worse than just "uninitialized memory".)
Posted Feb 26, 2024 15:04 UTC (Mon)
by farnz (subscriber, #17727)
[Link]
Ordinary DRAM can work that way; the capacitor in the DRAM cell is in one of three states; 0, intermediate, and 1. Intermediate is read out as either 0 or 1, but whether intermediate can stay at intermediate, or ends up forced to 0 or 1 on read depends on details of the DRAM design. Some DRAM designs will force the cell to 0 or 1 state on the first read or refresh, others have a more stochastic process where the cell can stay at intermediate until it's written (which sets the state to either 0 or 1, unconditionally), but may stabilise randomly.
And because this is outside the DRAM specifications (normally - you can get slightly more expensive DRAM ICs which guarantee read stability even without writes), different batches of the same IC may have different behaviours. In practice, you need special cases to observe this, since every refresh cycle counts as a read for the purposes of stabilizing the value, and any cell that's been written to is also stable.
As a result, you need to be depending on reads being stable even if the cell hasn't been written yet, and be reading from the DRAM shortly after it's been powered up, before there's been enough refresh cycles to stabilize its value, and using DRAM that can take several read or refresh cycles to stabilize the cell values. The first is almost certainly a lurking bug in your code (it was in the case I hit, it just took a long time to find and fix it, and the "quick" fix was to buy more expensive DRAM that guaranteed stability while we hunted down the software bug), the second pretty much requires you to be running code directly from flash or ROM, not booting the way a PC does (since the boot sequence takes long enough that you've had many 64ms or shorter refresh cycles during boot), and the third requires you to be unlucky with the specific DRAM ICs you buy.
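As an added illustration of the failure mode farnz describes (this is not code from the thread or from any project mentioned in it), here is the kind of power-on read-stability self-test firmware can run before trusting never-written DRAM. The "DRAM" is a constructed software model in which a never-written cell sits in an intermediate state and resolves randomly on each read until it is written; every name below is hypothetical.

```c
/* Constructed model of the DRAM behaviour described above: cells that were
 * never written are "intermediate" and may read back differently on every
 * access; cells that have been written are always stable. Not real hardware. */
#include <stdint.h>
#include <string.h>

#define CELLS 64
enum { CELL_ZERO = 0, CELL_ONE = 1, CELL_INTERMEDIATE = 2 };

static uint8_t model[CELLS];
static uint32_t rng_state = 0x2545F491u;   /* deterministic "noise" source */

/* xorshift32: stands in for the physical randomness of an unstable cell. */
static uint32_t noise(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    rng_state = x;
    return x;
}

/* Power-up: the first `intermediate_cells` cells are left unstable. */
void model_power_on(unsigned intermediate_cells) {
    memset(model, CELL_ZERO, sizeof model);
    for (unsigned i = 0; i < intermediate_cells && i < CELLS; i++)
        model[i] = CELL_INTERMEDIATE;
}

/* A read of an intermediate cell yields 0 or 1 at random, as farnz says:
 * always a bit, never anything else, but not a *stable* bit. */
uint8_t model_read(unsigned addr) {
    return model[addr] == CELL_INTERMEDIATE ? (uint8_t)((noise() >> 16) & 1)
                                            : model[addr];
}

/* A write forces the cell to a definite state unconditionally. */
void model_write(unsigned addr, uint8_t bit) {
    model[addr] = bit ? CELL_ONE : CELL_ZERO;
}

/* Self-test: count cells whose value changes across `passes` consecutive
 * reads. Any non-zero result means the region must be initialised before
 * code depends on what it reads. */
unsigned count_unstable_cells(unsigned passes) {
    unsigned unstable = 0;
    for (unsigned a = 0; a < CELLS; a++) {
        uint8_t first = model_read(a);
        for (unsigned p = 1; p < passes; p++)
            if (model_read(a) != first) { unstable++; break; }
    }
    return unstable;
}

/* Mitigation: write the whole region, which makes every cell stable. */
void scrub_region(void) {
    for (unsigned a = 0; a < CELLS; a++) model_write(a, 0);
}
```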
https://en.wikipedia.org/wiki/Hardware_random_number_gene...
Unless the hardware access is correctly marked as unsafe volatile memory access. Which of course is necessary for every access to the real world (a.k.a. hardware) outside of the language's virtual machine model.
[2] Strictly speaking it should also be able to return "Failure"
[3] Which is itself a predictable physical property of the materials, and is taken into account in the TRNG design.
Laplace's demon is wrong.
The thinking that we just don't know all the rules is wrong.