RE: Serious OpenSSL vulnerability

> Date: Sun, 13 Apr 2014 15:48:23 +0200
> From: fatkasuvayu+linux@xxxxxxxxx
> To: users@xxxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Serious OpenSSL vulnerability
>
> On Sun, Apr 13, 2014 at 08:38:11AM -0500, Ranjan Maitra wrote:
> > On Sun, 13 Apr 2014 09:15:04 -0400 Rahul Sundaram <metherid@xxxxxxxxx>
> > wrote:
> >
> > > Hi
> > >
> > >
> > > On Sun, Apr 13, 2014 at 6:23 AM, Timothy Murphy wrote:
> > >
> > > > Roger wrote:
> > > >
> > > > > It happened. It was known for years.
> > > >
> > > > Everything I have seen says it has been known for about 1 week.
> > > >
> > > > Incidentally, I am no programmer but I would have thought
> > > > it would be relatively simple to set up a test
> > > > to see if a "malloc"-ed space could be transgressed.
> > > >
> > >
> > > Not in this case. openssl uses a custom malloc
> > >
> >
> > So, a valgrind --tool=memcheck --leak-check=yes --show-reachable=yes
> > --track-fds=yes --track-origins=yes would not have helped?
>
> AFAIU this is not a memory leak; it is a buffer overflow: lack of bounds
> checking. I do not think valgrind (or any other tool) can help with
> that. Feel free to correct me if I am wrong.
>
> Cheers,
>
> --
> Suvayu
>
> Open source is the future. It sets us free.
> --
> users mailing list
> users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org

Yes, it's possible to compile C programs (with certain tradeoffs) to do bounds-checking with some compiler environments.

I don't know if it would have protected against the Heartbleed vulnerability, but MemGuard possibly could have caught a simple bounds overrun. See AppArmor, now maintained by Novell. Nice summary of options at http://www.seas.gwu.edu/~simhaweb/security/summer2005/Stuart2.ppt

Ubuntu's chart of security features includes it but again it's unclear if OpenSSL would have been protected by it in this case: https://wiki.ubuntu.com/Security/Features

There is a performance hit for enabling bounds-checking during compile time, but that seems worthwhile for infrastructure services.

An early publication at:


QUOTE:

Array Bounds Checking for C

Richard Jones and Paul Kelly have developed a gcc patch [12] that does full array bounds checking for C programs. Programs compiled with this patch are compatible with ordinary gcc modules, because they have not changed the representation of pointers. Rather, they derive a ``base'' pointer from each pointer expression, and check the attributes of that pointer to determine whether the expression is within bounds.

The performance costs are substantial: a pointer-intensive program (ijk matrix multiply) experienced  tex2html_wrap_inline879 slowdown. Since the slowdown is proportionate to pointer usage, which is quite common in privileged programs, this performance penalty is particularly unfortunate.

However, this method is strictly more secure than StackGuard, because it will prevent all buffer overflow attacks, not just those that attempt to alter return addresses, or other data structures that are perceived to be sensitive (see Section 5.4). Thus we propose that programs compiled with the bounds-checking compiler be treated as the ``backing store'' for MemGuard-protected programs, just as MemGuard-protected programs are the back-up plan for Canary-protected programs (see Section 3.3).

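An added example, not part of the original message or of the Jones and Kelly patch: a minimal C sketch of the "base pointer" idea quoted above, applied to objects carved out of one arena the way a custom malloc does. All names (`pool_alloc`, `bc_base`, `bc_in_bounds`, `bc_copy`) and sizes are hypothetical; the point is that a copy whose length runs past its own object is refused even though it stays inside the arena, which is the case an allocation-level checker does not see.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical object table: one entry per live object, keyed by base address. */
struct bc_object { const unsigned char *base; size_t size; };
static struct bc_object bc_table[16];
static size_t bc_count;
static unsigned char arena[256];   /* single backing block, as a custom malloc uses */
static size_t arena_used;

/* Carve an object out of the arena and record its bounds in the table. */
static void *pool_alloc(size_t size) {
    if (bc_count == 16 || size > sizeof arena - arena_used) return NULL;
    unsigned char *p = arena + arena_used;
    arena_used += size;
    bc_table[bc_count].base = p;
    bc_table[bc_count++].size = size;
    return p;
}

/* Derive the "base" object of a pointer: the table entry it points into. */
static const struct bc_object *bc_base(const void *ptr) {
    const unsigned char *p = ptr;
    for (size_t i = 0; i < bc_count; i++)
        if (p >= bc_table[i].base && p < bc_table[i].base + bc_table[i].size)
            return &bc_table[i];
    return NULL;
}

/* Return 1 if [ptr, ptr+len) lies entirely inside ptr's base object. */
static int bc_in_bounds(const void *ptr, size_t len) {
    const struct bc_object *o = bc_base(ptr);
    if (!o) return 0;
    size_t off = (size_t)((const unsigned char *)ptr - o->base);
    return len <= o->size - off;
}

/* Checked copy: refuse any read or write that leaves its own object. */
static int bc_copy(void *dst, const void *src, size_t len) {
    if (!bc_in_bounds(src, len) || !bc_in_bounds(dst, len)) return -1;
    memcpy(dst, src, len);
    return 0;
}

int main(void) {
    unsigned char *req = pool_alloc(8), *secret = pool_alloc(16), *reply = pool_alloc(64);
    memset(secret, 'S', 16);       /* neighbouring object in the same arena */
    printf("length 8 (real size):    %d\n", bc_copy(reply, req, 8));
    printf("length 24 (over-claimed): %d\n", bc_copy(reply, req, 24));
    return 0;
}
```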