oss-sec mailing list archives
Re: Asserts considered harmful (or GMP spills its sensitive information)
From: halfdog <me () halfdog net>
Date: Tue, 01 Jan 2019 13:12:04 +0000
Jeffrey Walton writes:
> The GMP library uses asserts to crash a program at runtime when presented with data it did not expect. ...
For me, that seems to be the best way. In the end the discussion is mostly about whether you value confidentiality and integrity over availability (and a little confidentiality, as shown by you). Usually for highly secure systems (those where availability is top priority are quite often safety-critical, not security-critical), you can mitigate the effects of such a DoS permanently (by fixing the program), but you cannot reverse the effects of leaked data, which happens more easily by corrupting/manipulating a target program's state and getting the data exfiltrated by the target itself than by gaining access to the machine another way and reading (unnoticed) core dumps created, even via another mechanism. Also, cleaning up corrupted data is often much more expensive than having some outage and then starting again. This is what your 24/7 devops team is for (with highly secure systems).

So in my opinion your example, even when it demonstrates a small information leak on aborting, is an even better example of why aborting was the right thing to do: on the first highly secure system where your software aborted, the malfunction was detected immediately and easily. Thus it was possible to fix it in a timely manner, and you avoided having broken software running for years without it getting noticed (by developers, operators or, worse, attackers).

Note 1: The only exception for functions NOT aborting on corrupted data are secure "validate-data functions" or "parse functions" (if they provide secure data validation as well).

Note 2: A little off-topic, but along the same line, more APIs should abort on insane requests. So for example I do not understand why read(2) should EFAULT on bad addresses instead of SEGV. The only thing I use this feature for is to probe memory maps inside chroots (or where /proc/self/maps is inaccessible for other reasons). But maybe EFAULT is a very useful POSIX feature in use cases I did not think about yet.

hd
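As an added illustration (not code from halfdog's post or from GMP), this C snippet separates the two cases the reply draws: a validate function in the sense of Note 1 that returns an error on malformed input, and an internal routine that asserts its preconditions and aborts on a bug, with the core-dump leak path closed so that the abort cannot spill process memory. The record format and all function names are constructed for the example; the core-dump mitigation uses setrlimit(RLIMIT_CORE) and, on Linux, prctl(PR_SET_DUMPABLE).

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Constructed record format for this example: one length byte followed by
 * that many payload bytes, length 1..32. This is the "validate-data function"
 * of Note 1: on malformed input it returns an error instead of aborting. */
int validate_record(const uint8_t *buf, size_t len, size_t *payload_len)
{
    if (buf == NULL || len < 1)
        return -1;
    size_t n = buf[0];
    if (n < 1 || n > 32 || n + 1 != len)
        return -1;
    *payload_len = n;
    return 0;
}

/* Internal routine: callers may only pass validated data, so a violated
 * precondition here is a program bug and aborting is the right response. */
uint32_t checksum_payload(const uint8_t *payload, size_t n)
{
    assert(payload != NULL && n >= 1 && n <= 32);
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum = sum * 31 + payload[i];
    return sum;
}

/* Keeps the abort but closes the leak path discussed above: with core dumps
 * disabled, an assert failure cannot write process memory to a core file. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
#ifdef __linux__
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}
```

Call disable_core_dumps() early in process start-up, before any key material is loaded, so that every later assert failure aborts without leaving a readable core file behind.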