[Cryptography] Other obvious issues being ignored?

Ray Dillinger bear at sonic.net
Fri Oct 23 20:06:15 EDT 2015



On 10/23/2015 02:55 PM, John-Mark Gurney wrote:

>> * Random number generators have a reasonable usecase for reading
>> uninitialized memory
> 
> You may be referring to the Debian rng bug here.  I'm not an expert on
> the Debian bug, but I don't believe that was the case.
> 
> Anyways, modern Unix systems do a very good job to ensure that there
> is NO entropy in uninitialized memory, so there should never be a need
> to read uninitialized memory for a CSPRNG...

The Debian RNG bug was a particularly screwed-up case that's been
oversimplified by virtually everybody I've seen write about it.

People go on about how stupid it was, and by implication how they'd
never ever have been so incredibly stupid, and... okay, it wasn't a
bright moment, but it was really not something that required truly
incomprehensible levels of stupidity.  It was understandable, and
in a careless moment a whole lot of the people who make fun of it
could have done it.

There was a routine that took a pointer at a buffer and mixed
the buffer's contents into the RNG state.

There were two calls to it in the same file:  One in a routine that
was the primary means of adding randomness read from physical sensors
and other "good" sources to the RNG state, and one in a routine that
was supposed to fill a buffer with RNG output.

The latter was just a way of opportunistically harvesting whatever
happened to be in the buffer prior to filling it with RNG output.
It was #ifndef Valgrind and marked with "// valgrind complains".
The former was a vital part of how the RNG got implemented and updated.
It had no #ifndef and no comment about valgrind.

Valgrind REALLY didn't like the one that harvested whatever was in
the buffer prior to filling it with RNG output.  It made no sense to
programmers that a call to fill a buffer with RNG output would cause
valgrind to complain that the buffer hadn't been initialized first,
so they didn't do that, and whenever it got called with a
newly-allocated buffer (a very common usage pattern) it looked exactly
like the sort of thing Valgrind was supposed to warn about.

Completely harmless, and occasionally beneficial when programs
reused buffers - but it generated a storm of warnings and for
some logistical reason or other having to do with efforts
toward reproducible builds, they didn't reap the benefits of
the primary maintainers' "#ifndef valgrind".

Eventually the Debian crew became afraid that somewhere in the
storm of bogus warnings they might be missing a real bug.  They
talked about it, about the benefits or problems of opportunistically
harvesting entropy from uninitialized or reused buffers, on the OpenSSL
development list.  At this time, the OpenSSL development team had
silently abandoned that list, going elsewhere to have their
discussions in a lower-traffic, less stressful environment, so
they never heard about the discussion.

Eventually, without their feedback, input, or review, a Debian
maintainer went in there to delete the line that was generating
all the warnings.  But it turned out both lines were generating
warnings.

So he deleted them both.

They were both generating warnings because the Debian crew were
actually right that there was in fact a real bug buried somewhere
in the storm of warnings.  The routine containing the *IMPORTANT*
call was also being called from at least one place with an
uninitialized buffer, which hadn't been intended.  This was
a VERY minor bug given that all the other calls were correct,
but it was a real bug.

But instead of going, "ah-hah, there really was a bug there and now I
can find it", the maintainer went "ho-hum, I'm here to delete the call
that causes all the warnings, and there are still warnings, and
therefore I'm not finished until I delete this other call too."

And nobody noticed for two years.  Hello, code review?  The guy
I'm talking about did *NOT* make the only serious mistake here!

It was boneheaded, yes.  But it's not the kind of utter blunt stupidity
that people ridicule when they talk about it.  It's not something
that they themselves could never ever have done because they're not
complete idiots.  It was a moment of human weakness, of losing sight
of the forest because you're momentarily distracted by one tree. And
it's understandable why it happened.

And this is the sort of thing you find out when you research bugs
and how they came about.  The dumber something seems, the more
likely that there is an understandable reason why it happened.

And I think people need to understand how these things happen
if we're ever going to do any better, and that's why I'm doing
the 'Cybernetic Entomology' book.

				Bear
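The two call sites Bear describes, modelled as a constructed C example (added here; this is not OpenSSL's code and not anything from the post). The names toy_rng, toy_rand_add, toy_rand_seed and toy_rand_bytes, the mixing and output functions, and the "entropy" bytes are all assumptions chosen for illustration. The flags let you remove either call independently and see which deletion actually matters: dropping the opportunistic harvest changes nothing, dropping the primary mix-in makes two generators fed different entropy emit identical bytes.

```c
/*
 * Constructed model of the two call sites described in the post above.
 * Not OpenSSL's code: the names (toy_rng, toy_rand_add, toy_rand_seed,
 * toy_rand_bytes) and the mixing functions are assumptions chosen for
 * illustration, and the "entropy" bytes are made up.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct { uint64_t state; } toy_rng;

/* The routine that "took a pointer at a buffer and mixed the buffer's
 * contents into the RNG state".  FNV-1a-style fold; each step is a
 * bijection on the 64-bit state, so distinct inputs leave distinct states. */
static void toy_rand_add(toy_rng *r, const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        r->state ^= buf[i];
        r->state *= 0x100000001b3ULL;
    }
}

/* Primary seeding path: the *important* call, fed from sensors and other
 * "good" sources.  keep_call == 0 models that call having been deleted. */
static void toy_rand_seed(toy_rng *r, const unsigned char *entropy,
                          size_t len, int keep_call)
{
    if (keep_call)
        toy_rand_add(r, entropy, len);
}

/* Output path.  The optional harvest call is the "valgrind complains" one:
 * it mixes in whatever the caller's buffer already held before overwriting
 * it.  keep_harvest == 0 models that call having been removed. */
static void toy_rand_bytes(toy_rng *r, unsigned char *buf, size_t len,
                           int keep_harvest)
{
    if (keep_harvest)
        toy_rand_add(r, buf, len);   /* reads buf before it is written */
    for (size_t i = 0; i < len; i++) {
        if (i % 8 == 0) {            /* xorshift64 step, then emit the state */
            r->state ^= r->state << 13;
            r->state ^= r->state >> 7;
            r->state ^= r->state << 17;
        }
        buf[i] = (unsigned char)(r->state >> (8 * (i % 8)));
    }
}

/* Two generators seeded with different entropy.  Returns 1 if their
 * 16-byte outputs differ, 0 if they collide.  The output buffers are
 * initialised here (not left uninitialised as in the real usage pattern)
 * so the harvest path is deterministic; reused_buffer_differs puts one
 * stale byte in b's buffer to model a buffer reused by the caller. */
int outputs_differ(int keep_primary, int keep_harvest, int reused_buffer_differs)
{
    toy_rng a = { 0x9E3779B97F4A7C15ULL };
    toy_rng b = { 0x9E3779B97F4A7C15ULL };
    /* constructed "good" entropy: differs only in the last byte, so the
     * seeded states provably differ */
    const unsigned char ent_a[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    const unsigned char ent_b[8] = { 1, 2, 3, 4, 5, 6, 7, 9 };
    unsigned char out_a[16] = { 0 }, out_b[16] = { 0 };
    if (reused_buffer_differs)
        out_b[15] = 0xAA;

    toy_rand_seed(&a, ent_a, sizeof ent_a, keep_primary);
    toy_rand_seed(&b, ent_b, sizeof ent_b, keep_primary);
    toy_rand_bytes(&a, out_a, sizeof out_a, keep_harvest);
    toy_rand_bytes(&b, out_b, sizeof out_b, keep_harvest);
    return memcmp(out_a, out_b, sizeof out_a) != 0;
}

int main(void)
{
    printf("primary kept, harvest kept      : differ=%d\n", outputs_differ(1, 1, 0));
    printf("primary kept, harvest deleted   : differ=%d\n", outputs_differ(1, 0, 0));
    printf("primary deleted, harvest kept   : differ=%d\n", outputs_differ(0, 1, 0));
    printf("both calls deleted              : differ=%d\n", outputs_differ(0, 0, 0));
    printf("primary deleted, reused buffer  : differ=%d\n", outputs_differ(0, 1, 1));
    return 0;
}
```

The last case is the "occasionally beneficial when programs reused buffers" situation: with the primary call gone, the only thing still distinguishing the two generators is a stale byte the harvest call happened to pick up, which is exactly the kind of accidental, unreliable entropy a CSPRNG should never depend on.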
