[Cryptography] Heartbleed and fundamental crypto programming practices

Phillip Hallam-Baker hallam at gmail.com
Fri Apr 25 08:34:55 EDT 2014


On Thu, Apr 17, 2014 at 5:29 PM, Judson Lester <nyarly at gmail.com> wrote:
> On Thu, Apr 17, 2014 at 9:52 AM, John Kemp <john at jkemp.net> wrote:
>> These sorts of things have been suggested for a while:
>> http://langsec.org/insecurity-theory-28c3.pdf
>>
>> Write a parser for the input language (protocol) accepted by your program.
>> That parser should have a preferably regular or deterministic context-free
>> grammar.
>>
>> "Stay away from the halting problem".
>>
>> - johnk
>>
>
> I have to say, I'm really taken by the langsec formal approach to
> input recognition. But regarding TLS in particular, I'm unclear on
> their specifics. My understanding is that TLS mandates DER for ASN.1,
> which is unambiguous. Further it seems to me that DER is isomorphic
> with CER, which should be context-free, right? (This is leaving aside
> the issue of X.509 CNs)

I have always considered it rather odd that

1) ASN.1 BER has an inherently unsafe, difficult to implement encoding option

2) X.509v3 requires use of the unsafe option

3) ASN.1 is 1.NSA backwards


What I mean by unsafe is the following: X.509 DER requires the use of
definite length encodings, so if I have a sequence nested inside a
sequence the bytes on the wire will be something like:


<tag1> <Length1> <value1>

where <value1> = <tag2> <Length2> <value2>

result: <tag1> <Length1> <tag2> <Length2> <value2>


Which all looks very sensible until we start on the fact that the
length encodings in Assanine One are themselves variable length, so
you can't calculate the <length1> without having first finalized
<value2>. It is not possible to emit ASN.1 using a simple recursive
descent scheme unless you construct the output values in reverse, from
the last item to the first.


There is also a subtle opportunity here for an interesting type of
bug, just like the heartbleed bug:

What if Length2 is given as greater than the length of value2?

Unless the decoding logic is just right, the decoder can end up with a
buffer overrun. And getting the logic right requires a lot of
discipline. A lot of decoders will blindly accept the input as valid
and the world is lost...

-- 
Website: http://hallambaker.com/
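The nested definite-length layout above, the inner-first ordering the encoder is forced into, and the "Length2 greater than value2" decoder bug are all small enough to show in code. The following is an added example, not code from the mail or from any library it mentions: a minimal DER TLV encoder and recursive-descent decoder for SEQUENCE and INTEGER. The tag values are the standard universal DER tags; the sample byte strings (GOOD, BAD_INNER_TOO_LONG, TRAILING) are constructed for the example, and the 4-byte cap on long-form lengths is this example's own limit, not a DER rule.

```python
from typing import Optional, Tuple, Any

# Standard universal DER tags (constructed bit set on SEQUENCE).
TAG_INTEGER = 0x02
TAG_SEQUENCE = 0x30


class DERError(ValueError):
    """Raised when the input is not well-formed definite-length DER."""


def encode_length(n: int) -> bytes:
    """DER definite length: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_tlv(tag: int, value: bytes) -> bytes:
    """The length field depends on the finalised value, so nested elements
    have to be built innermost-first; the outer header is emitted last."""
    return bytes([tag]) + encode_length(len(value)) + value


def encode_integer(i: int) -> bytes:
    """Minimal big-endian encoding; non-negative values only in this example."""
    if i < 0:
        raise ValueError("negative integers not handled here")
    body = i.to_bytes(max(1, (i.bit_length() + 8) // 8), "big")
    return encode_tlv(TAG_INTEGER, body)


def decode_tlv(data: bytes, pos: int, end: int) -> Tuple[int, int, int]:
    """Parse one tag+length header at data[pos], never reading past `end`.
    Returns (tag, value_start, value_end)."""
    if pos >= end:
        raise DERError("truncated: no tag byte")
    tag = data[pos]
    pos += 1
    if pos >= end:
        raise DERError("truncated: no length byte")
    first = data[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0:
            raise DERError("indefinite length is not allowed in DER")
        if nbytes > 4 or pos + nbytes > end:   # 4-byte cap: example's own limit
            raise DERError("bad long-form length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        if length < 0x80 or data[pos] == 0:
            raise DERError("non-minimal length encoding")
        pos += nbytes
    # The check the mail is about: the claimed length must fit inside the
    # *enclosing* element, not merely inside the whole buffer. Without it,
    # value_end runs past the parent and the decoder reads foreign bytes.
    if length > end - pos:
        raise DERError(f"length {length} exceeds {end - pos} available bytes")
    return tag, pos, pos + length


def decode(data: bytes, pos: int = 0, end: Optional[int] = None) -> Tuple[Any, int]:
    """Recursive descent: SEQUENCE -> list, INTEGER -> int, other -> bytes.
    Returns (value, position after this element)."""
    if end is None:
        end = len(data)
    tag, vstart, vend = decode_tlv(data, pos, end)
    if tag == TAG_SEQUENCE:
        items = []
        p = vstart
        while p < vend:
            item, p = decode(data, p, vend)   # children are bounded by vend
            items.append(item)
        return items, vend
    if tag == TAG_INTEGER:
        return int.from_bytes(data[vstart:vend], "big", signed=True), vend
    return data[vstart:vend], vend


def parse(data: bytes) -> Any:
    """Top-level entry: exactly one element, no trailing bytes."""
    value, nxt = decode(data)
    if nxt != len(data):
        raise DERError("trailing bytes after top-level element")
    return value


def rejects(data: bytes) -> bool:
    """True if the decoder refuses the input (used to show the bounds check)."""
    try:
        parse(data)
    except DERError:
        return True
    return False


# Constructed samples: SEQUENCE { SEQUENCE { INTEGER 300 }, INTEGER 5 }
GOOD = encode_tlv(TAG_SEQUENCE, encode_tlv(TAG_SEQUENCE, encode_integer(300)) + encode_integer(5))
# Outer SEQUENCE of 5 bytes whose inner SEQUENCE claims 5 bytes but only 3 remain
# inside the parent; the extra bytes after the parent would satisfy a naive
# "fits in the buffer" check, which is exactly the Length2 > value2 case.
BAD_INNER_TOO_LONG = bytes.fromhex("30053005020105020105")
TRAILING = bytes.fromhex("3003020105ff")

if __name__ == "__main__":
    print(GOOD.hex(), parse(GOOD))
    print("rejects bad inner length:", rejects(BAD_INNER_TOO_LONG))
```

The decoder passes `vend` (the parent's end) rather than `len(data)` into each recursive call; that single argument is the discipline the mail refers to, and dropping it is enough to turn an over-long inner length into an over-read of whatever follows the parent element.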

