Re: OpenSSL Hacks



Douglas A. Gwyn wrote:
Buffer overrun is
possible on many platforms when a null pointer is used as though it
pointed to allocated storage,

I do not know of any widely used platform where this is the case. Do you?

Like I said before, buffer overrun may well be possible on some obscure
platforms that are not widely used, or on hypothetical platforms that
exist only in our imagination but are not ruled out by the C standard.
I don't dispute that. One can easily come up with dozens of examples of
imaginary platforms where this is the case. The question is whether it
is a real issue for real platforms in widespread use. I do not believe
it is. On the platforms that I'm familiar with, dereferencing a null
pointer will cause the program to trap and terminate prematurely, but
will not cause a buffer overrun.

Second, if a component of a protocol suddenly quits, the effect
can be quite varied depending on the context. Unhandled violation
of a protocol could have serious security consequences, especially
when the implementation is oblivious to that possibility.

If you design a system where premature termination of any one process
can cause integrity or confidentiality failures of the whole system,
then you've got bigger problems. Like I wrote earlier, there are usually
a gazillion ways to perform a denial-of-service attack on a component,
or on the whole system. If the system has been architected in such
a way that a successful denial-of-service attack on one component can
harm the integrity or confidentiality of the system as a whole, then
you've probably got problems whether you use OpenSSL or not. If your
system has been architected in that way, the correct fix is to change
the architecture.

Of course, there are some applications where availability and resistance
to denial-of-service are a crucial security goal. In those applications,
OpenSSL may be the wrong tool for the job. But my experience is that
those cases are pretty rare, when it comes to Internet-connected apps.
Most Internet-connected apps that I have ever inspected are vulnerable
to some sort of denial-of-service attack or another, and users just don't
care all that much.

Third, the unchecked malloc issue was just one example I gave that
I thought would be noncontroversial.

Well, I guess it was more controversial than you realized. If you have
other examples of other kinds of bugs or vulnerabilities, feel free to share
them. I suspect there are people who would be interested.

The aggregate effect of all
the deficiencies found was such as to undermine any confidence in
the security properties.

That's fine. But like I keep saying, there is an important difference
between "I found a security vulnerability" and "I found bugs that
undermine my confidence in its security properties". You wrote the
former, but apparently meant the latter. But the two are not equivalent.
If you found an honest-to-goodness exploitable security vulnerability,
there is usually no doubt that the implementation is insecure. With the
latter, it is a judgement call, and one has to judge how substantial
the risk is, how serious the bugs were, how much risk one is willing to
accept, how much confidence is needed, and whether there are any better
alternatives. I don't know why you insist on defending your initial
claim that you found security vulnerabilities, if the worst you found
is an unchecked malloc and potential null pointer dereference.
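The unchecked-malloc pattern debated above, as an added example that is not part of the original post or of OpenSSL's code: the unchecked form writes through whatever the allocator returned, and the checked form turns allocation failure into a return code that the caller must act on. The function names (`dup_unchecked`, `dup_checked`), the injectable `alloc_fn` allocator type and the `failing_alloc` stand-in for out-of-memory are assumptions made for this example so that the failure path can be exercised without exhausting memory.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocator hook (assumption for this example): lets a caller force the
 * failure path instead of relying on the system actually running out of
 * memory. malloc itself has this signature and can be passed directly. */
typedef void *(*alloc_fn)(size_t);

/* Stand-in for an allocator that has run out of memory. */
void *failing_alloc(size_t n)
{
    (void)n;
    errno = ENOMEM;
    return NULL;
}

/* Unchecked pattern, as discussed in the post: the result of alloc() is
 * used as though it pointed to len + 1 bytes. If alloc() returned NULL, the
 * memcpy writes to address 0 + offset. Whether that traps or silently
 * writes depends on whether anything is mapped there on the platform. */
char *dup_unchecked(const char *src, size_t len, alloc_fn alloc)
{
    char *p = alloc(len + 1);
    memcpy(p, src, len);
    p[len] = '\0';
    return p;
}

/* Checked version: allocation failure becomes a return code, and *out is
 * never left pointing at anything on failure. Also refuses a len for which
 * len + 1 would wrap around to 0. Returns 0 on success, -1 on failure. */
int dup_checked(const char *src, size_t len, alloc_fn alloc, char **out)
{
    char *p;

    *out = NULL;
    if (len == SIZE_MAX)
        return -1;            /* len + 1 would wrap */
    p = alloc(len + 1);
    if (p == NULL)
        return -1;            /* errno left as the allocator set it */
    memcpy(p, src, len);
    p[len] = '\0';
    *out = p;
    return 0;
}

/* Forced allocation failure: returns 1 if the failure was reported and no
 * pointer was handed back to the caller. */
int checked_reports_failure(void)
{
    char *out = (char *)"stale";
    int rc = dup_checked("abc", 3, failing_alloc, &out);
    return rc == -1 && out == NULL;
}

/* Working allocator: returns 1 if the copy round-trips. */
int checked_copies_on_success(void)
{
    char *out = NULL;
    int ok = dup_checked("abc", 3, malloc, &out) == 0
          && out != NULL && strcmp(out, "abc") == 0;
    free(out);
    return ok;
}

/* Length that would wrap: returns 1 if it is rejected before allocating. */
int checked_rejects_length_wrap(void)
{
    char *out = (char *)"stale";
    return dup_checked("", SIZE_MAX, malloc, &out) == -1 && out == NULL;
}

int main(void)
{
    printf("failure reported:     %d\n", checked_reports_failure());
    printf("copy on success:      %d\n", checked_copies_on_success());
    printf("length wrap rejected: %d\n", checked_rejects_length_wrap());
    /* dup_unchecked("abc", 3, failing_alloc) is deliberately not called:
     * on a platform where address 0 is unmapped it would trap here. */
    return 0;
}
```

Passing `failing_alloc` to `dup_checked` shows the whole point of the check: the caller gets -1 and a NULL `out`, and can abort the operation (or the connection) cleanly. The same call into `dup_unchecked` is what the post describes as premature termination on the platforms its author knows; the checked form makes the outcome independent of what the platform does with a write through address 0.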


