oss-sec mailing list archives

Re: Asserts considered harmful (or GMP spills its sensitive information)


From: halfdog <me () halfdog net>
Date: Tue, 01 Jan 2019 13:12:04 +0000

Jeffrey Walton writes:
The GMP library uses asserts to crash a program at runtime
when presented with data it did not expect.  ...

For me, that seems to be the best way. In the end the discussion
is mostly about whether you value confidentiality and integrity over
availability (and a little confidentiality as shown by you).

Usually for highly secure systems (those where availability
is top priority are quite often safety-critical, not security-critical),
you can mitigate the effects of such a DoS permanently (by fixing
the program) but you cannot reverse the effects of leaked data,
which happens more easily by corrupting/manipulating a target
program's state and getting the data exfiltrated by the target itself
than by gaining access to the machine another way and reading (unnoticed)
core dumps created even via another mechanism.

Also cleaning up corrupted data is often much more expensive
than having some outage and then starting again. This is what your
24/7 devops team is for (with highly secure systems).


So in my opinion your example, even though it demonstrates a small
information leak on aborting, is an even better example of why
aborting was the right thing to do: on the first highly secure
system where your software aborted, the malfunction was detected
immediately and easily. Thus it was possible to fix it in a timely manner
and you avoided having broken software running for years without
it getting noticed (by developers, operators or worse: attackers).

Note 1: The only exceptions for functions NOT aborting on corrupted
data are secure "validate-data-functions" or "parse-functions"
(if they provide secure data validation also).

Note 2: A little off-topic, but along the same lines, more APIs should
abort on insane requests. So for example I do not understand why
read(2) should EFAULT on bad addresses instead of SEGV. The only
thing I use this feature for is to probe memory maps inside chroots
(or where /proc/self/maps is inaccessible for other reasons).
But maybe EFAULT is a very useful POSIX feature in use cases
I have not thought about yet.

hd
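The memory-map probing trick mentioned in Note 2, worked out as an added example (this is not code from the mail above or from GMP). The kernel refuses to copy to or from an unmapped or inaccessible user address and returns -1/EFAULT from the syscall instead of delivering SIGSEGV, so a process can map out its own readable pages without /proc/self/maps. The mail talks about read(2); this example uses write(2) into a pipe instead, so that the kernel copies *from* the probed address and a readable page is left unmodified (read(2) into the address would overwrite the byte on writable pages). The function names probe_readable, count_readable_pages and demo are this example's own, and the demo region (three anonymous pages with the middle one set to PROT_NONE) is constructed test data.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Probe whether the byte at addr is readable by this process, without
 * consulting /proc/self/maps.  Returns 1 if readable, 0 if the kernel
 * rejected the address with EFAULT, -1 on any other error.
 *
 * write(2) into a pipe makes the kernel copy one byte from user memory;
 * on an unmapped or unreadable page that copy fails and the syscall
 * returns -1 with errno == EFAULT instead of the process taking SIGSEGV.
 * (Hypothetical helper written for this example.) */
static int probe_readable(int pfd[2], const void *addr)
{
    ssize_t n = write(pfd[1], addr, 1);
    if (n == 1) {
        char scratch;
        /* Drain the byte again so the pipe buffer never fills up. */
        if (read(pfd[0], &scratch, 1) != 1)
            return -1;
        return 1;
    }
    if (n == -1 && errno == EFAULT)
        return 0;
    return -1;
}

/* Walk [start, start+len) page by page and count the readable pages. */
static size_t count_readable_pages(int pfd[2], const void *start, size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t readable = 0;
    for (size_t off = 0; off < len; off += page)
        if (probe_readable(pfd, (const char *)start + off) == 1)
            readable++;
    return readable;
}

/* Constructed demonstration: map three anonymous pages, punch a hole in
 * the middle one with PROT_NONE, and check that the probe sees exactly
 * two readable pages and that their contents are untouched.
 * Returns the number of readable pages found (2) on success, -1 on any
 * failure. */
int demo(void)
{
    int pfd[2];
    if (pipe(pfd) == -1)
        return -1;
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    char *region = mmap(NULL, 3 * page, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return -1;
    memset(region, 'A', 3 * page);
    if (mprotect(region + page, page, PROT_NONE) == -1)
        return -1;

    int first = probe_readable(pfd, region);          /* mapped: 1 */
    int hole  = probe_readable(pfd, region + page);   /* PROT_NONE: 0 */
    size_t n  = count_readable_pages(pfd, region, 3 * page);
    /* The probe reads through the pipe, so memory content is unchanged. */
    int intact = region[0] == 'A' && region[2 * page] == 'A';

    munmap(region, 3 * page);
    close(pfd[0]);
    close(pfd[1]);
    if (first != 1 || hole != 0 || n != 2 || !intact)
        return -1;
    return (int)n;
}

int main(void)
{
    printf("readable pages in demo region: %d\n", demo());
    return 0;
}
```

The same idea scales to scanning a whole address range in page-sized steps to reconstruct an approximate map from inside a chroot; the probe only reports readability, so a page that is mapped but PROT_NONE looks identical to an unmapped one, and a page that is readable but not writable is reported as readable.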
