How To Prevent the Next Heartbleed - Slashdot

Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

×

How To Prevent the Next Heartbleed 231

Posted by timothy on Saturday May 03, 2014 @10:05PM from the leave-your-comment-in-the-form-of-an-exploit dept.

dwheeler (321049) writes "Heartbleed was bad vulnerability in OpenSSL. My article How to Prevent the next Heartbleed explains why so many tools missed it... and what could be done to prevent the next one. Are there other ways to detect these vulnerabilities ahead-of-time? What did I miss?"

This discussion has been archived. No new comments can be posted.

How To Prevent the Next Heartbleed

Search 231 Comments Log In/Create an Account

Comments Filter:

In the US: force the NSA to disclose them (Score:1, Interesting)

by Anonymous Coward writes: on Saturday May 03, 2014 @10:45PM (#46911055)

If you want to find the next one and are in the US, force your broken government to disclose the ones they're already using on civilian targets (both in the US and abroad).

Share
twitter facebook
Re:Static analysis (Score:4, Interesting)

by arth1 ( 260657 ) writes: on Sunday May 04, 2014 @12:31AM (#46911391) Homepage Journal

OpenSSL was static analyzed with Coverity. However, Coverity did not discover this, as is a parametric bug, which depends on variable content.
The reaction from Coverity was to issue a patch to find this kind of problem, but in my opinion, the "fix" throws the baby out with the bath water. The fix causes all byte swaps to mark the content as tainted. Which surely would have detected this bug, but it also leads to an enormous amount of false positives for development where swabs are common, like cross- or multi-platform development.
And while it finds "defects" this way, it's not the real problem it finds.
So in my opinion, 0 out of 10 points to Coverity for this knee-jerk reaction.
In my opinion, what's wrong here is someone with a high level language background submitting patches in a lower level language than what he's used to. The problems that can cause are never going to be 100% (or even 50%) caught by static analysis. Lower level languages does give you enough rope to hang yourself with. It's the nature of the beast. In return, you have more control over the details of what you do. That you're allowed to do something stupid also means you are allowed to do something brilliant.
But it requires far more discipline - you cannot make assumptions, but have to actually understand what is done to variables at a low level.
Unit tests and fuzzing helps. But even that is no substitute for thinking low level when using a low level language.

Parent Share
twitter facebook
Re:How about (Score:4, Interesting)

by Artifakt ( 700173 ) writes: on Sunday May 04, 2014 @12:34AM (#46911401)

The US Army will swear that I was once, many moons ago, officially certified in Ada, whether that means anything or not. I never liked it much, even though I did turn in successful code a few times, and I really have a problem with Ada for open source applications - Yes, in theory, Ada has some very strong security functions by design, but it's definitely not going to result in the 'many eyes make all bugs shallow' effect. I actually read your post as deliberately tongue in cheek at first, what with phrases such as 'extremely unsafe'.
But as I think more about it, one of the problems revealed by Heartbleed is open sourcing the target code didn't result in a lot of properly trained eyes passing over that code. I never thought I'd encourage anyone to learn Ada after I got out of the service (just as I never thought I'd encourage anyone to start a cult worshipping many-tentacled, eldritch, blasphemous horrors from beyond space-time as we delusionally try to limit our conceptions of it to preserve our fundamental human sanity, and for much the same reasons), but I have to admit, you may have a damned good argument for Ada there.I don't know if the extensive compile time checking of Ada 2012 could have automatically caught the bug that made Heartbleed possible - the last version of Ada I've really used is 95, but I'd be really interested to hear from someone who's current if they think Ada is just about totally bulletproof against this sort of bug, because even the older versions I recall had some features that would have made it hard to make this sort of mistake.

Parent Share
twitter facebook
Re:How about (Score:5, Interesting)

by Pricetx ( 1986510 ) writes: on Sunday May 04, 2014 @08:20AM (#46912259)

A quote from the "Insane Coding" blog, which in turn quotes from the book "cryptography engineering":
The issues with higher level languages being used in cryptography are:
- Ensuring data is wiped clean, without the compiler optimizations or virtual machine ignoring what they deem to be pointless operations.
- The inability to use some high-level languages because they lack a way to tie in forceful cleanup of primitive data types, and their error handling mechanisms may end up leaving no way to wipe data, or data is duplicated without permission.
- Almost every single thing which may be the right way of doing things elsewhere is completely wrong where cryptography is concerned.

Parent Share
twitter facebook

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

390 comments32-Hour Workweek for America Proposed by Senator Bernie Sanders
358 commentsWhat Should Happen to Empty Downtown Office Spaces?
340 commentsHacktivism Erupts In Response To Hamas-Israel War
324 comments'Feedback' Is Now Too Harsh. The New Word is 'Feedforward'
248 commentsWorkers are Resisting Calls to Return to Offices

Real Programmers don't eat quiche. They eat Twinkies and Szechwan food.