[Cryptography] The GOTO Squirrel! [was GOTO Considered Harmful]
andrew.righter at gmail.com
Fri Feb 28 21:19:04 EST 2014
I asked this on Twitter but perhaps this is now relevant here:
Are there unit testing framworks for crypto libs? I suppose they would do as Peter suggested below in depth running along side assertions and check equalities.
> On Feb 28, 2014, at 8:33 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> "Dennis E. Hamilton" <dennis.hamilton at acm.org> writes:
>> It is not about the code. It is not about the code. It is not about goto.
>> It is not about coming up with ways to avoid introducing this particular
>> defect by writing the code differently.
>> I say this is all about the engineering and delivery process that allowed
>> this gaff to be introduced into production code for a security-important
>> procedure and allowed to remain there until someone noticed externally. The
>> coding style could have been perfect, with the code still not establishing
>> security correctly and it would have been put into the live release, all else
>> being equal.
> I was just about to say the same thing. Even if you rewrote the entire think
> in Haskell (the newspeak of programming languages in which it's impossible to
> write incorrect code), you can still produce something where some crypto
> check is missed. This isn't an issue of coding style, it's one of software
> engineering practice (or lack thereof).
>> There are innumerable ways the particular defect could have been detected and
>> remedied well before the code was committed to the code base. A walkthrough
>> would likely catch it, assuming a skilled human other than the original
>> programmer simply read through it. I bet explaining it on a walkthrough
>> would have led the originator to notice it.
> This could be, and should have been, caught with automated testing. The
> problem is that most (all?) testing of this type of code is along the lines of
> "do the things that should happen, happen?", with very little testing of "do
> the things that shouldn't happen, not happen?". What happens if a bit in the
> SSL handshake is flipped? What if a bit in the payload data is flipped? What
> if the server presents cert A and signs with cert B? What if a bit in the
> signed DH parameters is flipped? What if the hash has a valid signature but
> it's the wrong hash for the data? (Those are all self-checks that my code
> performs, if there's anything else obvious that I've missed I'd love to hear
> about it so I can add checks for that too). These are trivial, automated
> checks that you can run before you ship, and several of them would have caught
> Apple's bug (the signature wasn't checked at all, so wrong-key, DH-parameter-
> manipulation, and valid-sig-on-wrong hash would all have caught the problem).
>  Some advocates of Haskell actually seem to believe this, which always
> provides for much entertainment during discussions.
> The cryptography mailing list
> cryptography at metzdowd.com
More information about the cryptography