[Cryptography] GCC bug 30475 (was Re: bounded pointers in C)

Arnold Reinhold agr at me.com
Tue Apr 29 19:56:25 EDT 2014


On Sun, 27 Apr 2014 19:17 John Gilmore wrote:

> Telling the GCC developers that "that guy over there wrote code whose
> security checks get skipped because the language standard that GCC
> implements doesn't define the behavior of the way that guy wrote those
> checks" is not "a clear security issue brought to the [gcc]
> developer's attention".

We don’t have to speculate about what the developers of GCC were told and how they reacted. It is documented in the GCC Bugzilla thread for 30475. 

> 
> Under this theory, the committee of 50+ people who contributed wording
> to the C Language Standard(s) are also liable for damage caused by
> every security bug that resulted from people depending on behavior
> that the standard did not define.  In this theory of liability, theirs
> would be an error of omission (they did not define the behavior of
> integer arithmetic in C with big numbers, therefore they are liable
> because some idiot ten years later wrote security sensitive code that
> used big numbers?).

The C standards committee, as far as I know, only said that signed integer overflow was undefined. They never required that code which could create such an overflow, and any code dependent on such an operation, be removed. Saying an operation is undefined is not a license to replace it with any evil code the compiler developers wish. Do you think it would be all right to replace such code with an RDRAND instruction and abort the program if the random value was 17 modulo 100,000? Or have all such code crash at noon on April 1 next year? Or call a routine that searches memory for private keys and sends them to some URL?

It is every bit as irresponsible to silently remove safety checks placed in software by programmers who may not have understood all the implications of “undefined” or did not fully grasp the arcane techniques needed to write “legal” safety checks. (Other postings in this thread show just how difficult that is and how even very competent programmers can fail the test.)  

In no context is it acceptable to knowingly remove or defeat someone else’s safety mechanisms without permission, much less without warning. The fact that the work was performed for free does not alter that. If you open a free food kitchen to feed the poor, your local health department will still insist on your following safe food preparation guidelines. If you give kids from the homeless shelter a free ride on your yacht, you better have enough life preservers. If you decide to provide free WiFi in a housing project, you can’t remove the smoke detectors and use their wiring to hook up your access points.

> Basically, nobody's forcing you to use this software (or this
> implementation language).  You got it for free, probably without
> having *any* direct interaction with the developers.  In effect, you
> copied it from a library, like xeroxing a public domain book, or
> building a personal copy of a gadget by getting the drawings from the
> patent office.  If you don't like it, don't use it. Oh, hypothetical
> lawsuit filer, you're claiming that *someone else* somewhere on the
> Internet used it and you were injured thereby?  And you don't even
> have a contract with that someone else (e.g. Google, Facebook), nor
> any economic relationship with them?  Your claim is even more tenuous.

Books and patent documents don't remove safety checks by themselves. Nor is it an excuse to say no one has to use C. Billions of people now rely on software written in that language. They have no say or knowledge as to which language the software was written in, what compiler was used or what optimization options were enabled. And yes, there are situations where software bugs can kill or cause great injury. Product liability lawsuits regularly target the supplier of defective tools alleged to have contributed to the injury, especially if they were previously warned of the problem and ignored it.

And what is the benefit that supposedly justifies the removal of these safety checks? A speed improvement of a couple of nanoseconds per check removed?  

Arnold Reinhold
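The check at the centre of GCC bug 30475, and the "legal" alternatives the message above alludes to, as an added example (not code from the bug report or from either correspondent). It assumes GCC or Clang, since the last variant uses the `__builtin_add_overflow` builtin; the function names and the constant 100 are illustrative.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* The pattern from GCC bug 30475. It only "works" if a + 100 wraps around
 * on overflow, but signed overflow is undefined in C, so an optimising
 * compiler may reason that a + 100 > a holds for every a and delete the
 * comparison (and any branch that depends on it). Kept here as the
 * "before" case; do not use this in real code. */
bool naive_fits(int a) {
    return a + 100 > a;          /* undefined when a > INT_MAX - 100 */
}

/* Portable rewrite: test the headroom instead of performing the addition.
 * No overflow ever occurs, so there is nothing undefined to optimise away. */
bool safe_fits(int a) {
    return a <= INT_MAX - 100;
}

/* Compiler-assisted rewrite (GCC >= 5, Clang >= 3.8): the builtin reports
 * whether the mathematically exact result fits in *sum, without itself
 * invoking undefined behaviour. */
bool add100_checked(int a, int *sum) {
    int result;
    if (__builtin_add_overflow(a, 100, &result))
        return false;            /* would overflow; *sum left untouched */
    *sum = result;
    return true;
}

/* Convenience wrapper for demonstration: returns the checked sum, or
 * INT_MIN as a sentinel. INT_MIN cannot be a genuine value of a + 100 for
 * any int a, so the sentinel is unambiguous. */
int add100_or_int_min(int a) {
    int sum;
    return add100_checked(a, &sum) ? sum : INT_MIN;
}

int main(void) {
    int probes[] = { 0, INT_MAX - 100, INT_MAX - 99, INT_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int a = probes[i];
        /* naive_fits() is evaluated with an overflowing argument on purpose
         * to show the problem; what it prints depends on the optimisation
         * level, which is exactly the complaint in bug 30475. */
        printf("a=%11d  naive=%d  safe=%d  checked=%s\n",
               a, naive_fits(a), safe_fits(a),
               add100_or_int_min(a) == INT_MIN ? "overflow" : "ok");
    }
    return 0;
}
```

Compile the block once with `-O0` and once with `-O2` to see the naive column change while the other two stay put; `-fwrapv` makes GCC give signed overflow wrapping semantics and restores the naive check, but that is a compiler option the code's author has no control over, which is the point the message makes about operators and users who never see the build flags.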


