[Cryptography] I don't get it.
Peter Fairbrother
zenadsl6186 at zen.co.uk
Tue Apr 15 16:46:55 EDT 2014
I don't get it.
Apple has an unreachable code goto, and it hurts security. OpenSSL has a
bounds check failure, and it hurts security (and even OpenBSD gets
another hole).
(no, I am not a fan of Theo's security stance - but it has been better
that most)
But as far as I can see, almost all of the big holes in the last ten
years could have been caught by good code checkers.
I wonder who committed the OpenSSL heartbeat change.
I wonder whether anyone at all at OpenSSL thought about whether it would
be more secure *not* to implement the heartbeat option in the first
place. Or even if someone at any time thought about that.
Perhaps most of all, I wonder whether it would be a good idea to shoot
all the gcc developers.
I am no expert in bugs, but it seems to me that about 99% of the
reported security bugs and holes and so-on could be solved by having a
secure checking compiler. Which checked for most of the known holes, or
perhaps just even the top five.
A long long time ago, about 2002, I asked Ben Laurie for some advice
about co-writers for security software. Amongst other things he said
"don't let them us C++ - it's too powerful". The specific advice may
have been meant only for me in my situation, but it contains a basic
truth - languages are, or can be, too powerful.
So, perhaps a prechecker before the code goes to the compiler? To check
security code (like OpenSSL) for the top five or ten holes?
Or best of all, I think we need better compilers. Better in the sense
that they will only compile secure code. And which can prevent coders
from doing bad things.
Coders are not gods, and it isn't illegal for a compiler to say "you
can't do that".
-- Peter Fairbrother
More information about the cryptography
mailing list