How To Prevent the Next Heartbleed

dwheeler (321049) writes "Heartbleed was bad vulnerability in OpenSSL. My article How to Prevent the next Heartbleed explains why so many tools missed it... and what could be done to prevent the next one. Are there other ways to detect these vulnerabilities ahead-of-time? What did I miss?"

Static analysis

It could have been discovered with static analysis if anyone had the foresight to implement a specific check ahead of time (although it's unknown whether anyone could have thought of checking this specific case before Heartbleed was discovered):

http://blog.trailofbits.com/2014/04/27/using-static-analysis-and-clang-to-find-heartbleed/

Re:Static analysis

[Krishnoid]

Coverity has a blog post describing the problem and why their static analysis methods currently can't detect it.

Re:Static analysis

[arth1]

OpenSSL was static analyzed with Coverity. However, Coverity did not discover this, as is a parametric bug, which depends on variable content.

The reaction from Coverity was to issue a patch to find this kind of problem, but in my opinion, the "fix" throws the baby out with the bath water. The fix causes all byte swaps to mark the content as tainted. Which surely would have detected this bug, but it also leads to an enormous amount of false positives for development where swabs are common, like cross- or multi-platform development.
And while it finds "defects" this way, it's not the real problem it finds.
So in my opinion, 0 out of 10 points to Coverity for this knee-jerk reaction.

In my opinion, what's wrong here is someone with a high level language background submitting patches in a lower level language than what he's used to. The problems that can cause are never going to be 100% (or even 50%) caught by static analysis. Lower level languages does give you enough rope to hang yourself with. It's the nature of the beast. In return, you have more control over the details of what you do. That you're allowed to do something stupid also means you are allowed to do something brilliant.
But it requires far more discipline - you cannot make assumptions, but have to actually understand what is done to variables at a low level.
Unit tests and fuzzing helps. But even that is no substitute for thinking low level when using a low level language.

Re:Static analysis

[Z00L00K]

There are also other statical analysis tools like splint. The catch is that it produces a large volume of data which is tedious to sift through, but once done you will have found the majority of the bugs in your code.

However the root cause is that the language itself permits illegal and bad constructs. It's of course a performance trade-off, but by coding part of the code in a high level language and leave the performance critical parts to a low level may lower the exposure and force focus on the problems to a certain limited area.

A secondary cause is that if you write code - write it as clean as possible and broken down into pieces. If coding C there's always the option of declaring a function as "static inline" to tell the compiler that what you do is going to get right into the execution flow because you know that it will improve performance.

Dynamic analysis is also good - like Valgrind, but they have shortcomings. Just be aware that fuzzing can confuse dynamic analysis tools as well producing inconsistent results, which means that for the initial tests you need to be able to turn off fuzzing to get rid of the consistent problems.

Re:Static analysis

However the root cause is that the language itself permits illegal and bad constructs. It's of course a performance trade-off, but by coding part of the code in a high level language and leave the performance critical parts to a low level may lower the exposure and force focus on the problems to a certain limited area.

I have two points. Modern processors tend to be unsafe, though some features have been grudgingly, like adding non execute flags for stacks. So at some point, you're going to transition from your nice safe higher level language to unsafe binary code. Also you can write a security hole in any language. Can you think of any way to prevent cache timing attacks in JavaScript? Didn't think so. You can in C.

Second point, in safety critical industries there is a rule, you need to have at least two, sometimes three things 'go wrong' before someone dies. In the case of heart bleed the maintainers intentionally disabled the bounds checking in fucking malloc(3) that is designed specifically to prevent this shit. That is the root cause of heart bleed. It's like the maintenance guy 'fixing' a breaker that 'always blows' but installing a bigger one, then blaming the tard that plugged a heater, coffee pot and a hair drier into the same circuit for the building catching fire. And unlike the buffer 'over read' the maintainers knew their bastard version of malloc was unsafe.

Re: Static analysis

Covertly has no blame here considering the OpenSSL guys used exploit counter-counter-measures in their library. Even full retards don't implement their own memory allocator.

Re:Static analysis

[gbjbaanb]

Like I fixed my fusebox that always blew by putting a nail in across the contacts. It never blows a fuse anymore.

(disclaimer: I didn't really. don't do this)

When it comes to highbrow bugs like this, everyone jump sup and down and demands to know what you're doing to stop the next one - ie stopping this bug from ever occurring again. What they really need to worry about is the next unknown bug that we will find. they are out there, we will find it in production one day, it will bite us, and no I don;t think there is anything we can practically do about it. When someone finds that bug, its too late.

A good analogy is that idiot who put explosives in his shoe. So now, rather than try to find explosive underpants or explosive baggage, we all have to take our shoes off at the airport, in case someone is stupid enough to try it again. The overflow bug here will be fixed, what we will see is a different bug. And we can all go crazy about the details all over again.

Re:Static analysis

Some people refactored portions of OpenSSL to make it less spaghetti codeish and static analysis found HeartBleed. The issue was because of bad coding practice hiding the bug from static analysis.

Re: Static analysis

[arth1]

Even full retards don't implement their own memory allocator.

You just called kernel and base library developers full retards. Which goes to show that a little knowledge is dangerous.

When you write low-level code, yes, you often do. You may have to both be frugal with both memory and cycles. Or you may require guarantees that an allocation request will succeed no matter what. Or you may need to take alignment and endianness into account. On NUMA systems, you may try to ensure that memory is assigned from a bank reachable by another CPU without copying/invalidating because it's too expensive. You may need fast memory for one thing, but can use slow memory for another.
There are lots of scenarios where you want to handle memory yourself, all of them low level. If you're a high level programmer, stay away from code that does this, because chances are you're going to mess it up. But don't say it shouldn't be done, or else you would not even have an OS to not do it on.

In the case of OpenSSL, it is mostly low-level programming, originally designed for CPUs and memory orders of magnitude slower than what you have in your PC or mobile phone. Cycle shaving was a must.
And many of these systems still exist today. There are embedded devices that run quite old and slow CPUs with very little memory that require both SSL and a lifespan measured in decades, not months.

Re:Static analysis

[dgatwood]

The reaction from Coverity was to issue a patch to find this kind of problem, but in my opinion, the "fix" throws the baby out with the bath water. The fix causes all byte swaps to mark the content as tainted. Which surely would have detected this bug, but it also leads to an enormous amount of false positives for development where swabs are common, like cross- or multi-platform development.

Yes, that solution is complete and utter crap. Claiming that marking all byte swaps as tainted will help you find this problem is like saying that arresting everyone in the entire greater Los Angeles area will reduce California's murder rate. While technically true, the vast majority of things it will consider tainted won't actually be.

POSIX networking code does byte-swapping all over the place, and almost none of those values come from user-provided data except possibly the port number (which, if tainted, would never realistically be a concern, because the legal range of the value is equal to the legal range of the integer that contains it). Half the time, you're calling htonl on a constant like INADDR_ANY. Presumably a static analyzer would ignore those, but is it any less wrong to treat as tainted the numerical IP address result of a hostname lookup?

Also, OpenSSL is rather unusual as software goes, in that it works with binary file formats. If you ignore crypto code, I'd guess that probably 95% of all user data is in a text format like XML. I can think of only one piece of software I've ever written that required byte-swapping binary, and that involved writing a tool that converted an unsupported file format into a better supported (but still archaic) file format that could then be translated into an XML format by existing tools. And even in the rare instances where I've done byte swapping on user data, I almost alwaysdo so right after reading it from disk anyway, which means that tainting the byte swapping operation misses the mark by only a few lines of code from an instruction like fopen or mmap that rightfully should cause tainting. If you don't do so, odds are, the tainted data will get used long before it reaches a byte swap operation, if it ever does. It is just as dangerous to trust an integer parsed using atoi from text that at one point was read from a file, or unserialized from a property list, or... what matters is that the data came from a file, and that it was passed to a function that returns a value derived from the data. For built-in library functions, those should be well known. For code you write, you can use static analysis to determine whether that is the case.

IMO, the only correct sane, non-silly approach to tainting is to recognize all the function calls that read data from disk, from a network socket, from the keyboard, from a UI binding, and so on, and then follow the data out from there, marking variables as tainted when you do. If there are by-reference parameters (explicitly or through pointers whose underlying objects can be modified), work your way back up to every possible caller until you the tainted data can no longer exist higher up the tree. Then work your way down the tree beginning right after each of those function calls, and working your way into every other function that those functions call, marking as tainted every variable that the data could end up in. Anything short of that just doesn't make sense. If that means the static analysis takes ten minutes instead of ten seconds, so be it. After the first run, it should be possible to incrementally update the static analysis results to remove warnings about things that have been fixed, so any performance hit ought to be a one-time penalty.

Re: Static analysis

> You just called kernel and base library developers full retards.
No "their own" implies that you're choosing to implement even though there are alternatives and teams specialising in that.
But if you're going to implement a custom allocator for every fucking individual library you're a retard.

Re:How about

[zr]

about as effective as sunshine and puppies.

Re:How about

If someone is a moron, they can't help but be stupid.

Aw, come on.

[cephalien]

Did anyone edit this? 'was bad vulnerability'?

Jeebus. Have some integrity.

Re:Aw, come on.

Are yew knew hear? Slashdot does knot halve any sew called (editors)

Re:Aw, come on.

I'm pretty sure they intended "waz bad 'nerbility". But Lolcat is a dying language, so you must applaud even poor attempts.

Re:Aw, come on.

[cephalien]

My ID is hardly 'new', but this place has surely gone downhill. :(

Re:Aw, come on.

[jones_supa]

I think that sometimes too, but when I actually go back and browse the old articles, it's mostly the same stuff.

How about psychics?

Or remote viewing? Or, more scientific, maybe put a bounty on big bugs that we'll pay time travelers from the future to tell us about?

In the US: force the NSA to disclose them

If you want to find the next one and are in the US, force your broken government to disclose the ones they're already using on civilian targets (both in the US and abroad).

Re:In the US: force the NSA to disclose them

Good luck with that. You sound like a liberal heart-bleeder.

Re:In the US: force the NSA to disclose them

Exactly. The Republicans that create these bugs will never allow them to be disclosed by the government. There's a reason Republicans still push so hard for C and only C to be used for projects.

Re:In the US: force the NSA to disclose them

[ComputersKai]

First of all, what do Republicans have to do with C, the language UNIX was originally written in, and next, the problem was that the NSA would have thrown up some half-baked excuse in doublespeak about how they wouldn't be able to gather "intelligence" properly. That being said, the NSA has made several good contributions to computer security, but it still probably isn't that much of a good idea to trust the agency doing crypto-breaking with overseeing security standards.

need to get over the "cult of macho programming"

Every industry goes through this. At one point it was aviation, and the "hot shot pilot" was the Real Deal. But then they figured out that even the Hottest Shot pilots are human and sometimes forget something critical and people die, so now, pilots use checklists all the time for safety. No matter how awesome they might be, they can have a bad day, etc. And this is also why we have two pilots in commercial aviation, to cross check each other.

In programming something as critical as SSL it's long past time for "macho programming culture" to die. First off, it needs many eyes checking. Second, there needs to be an emphasis on using languages that are not susceptible to buffer overrunning. This isn't 1975 any more. No matter how macho the programmer thinks s/he is, s/he is only human and WILL make mistakes like this. We need better tools and technologies to move the industry forward.

Last, in other engineering professions there is licensing and engineers are held accountable for mistakes they make. Maybe we don't need that for some $2 phone app, but for critical infrastructure it is also past time, and programmers need to start being held accountable for the quality of their work.

It's things the "brogrammer" culture will complain BITTERLY about, their precious playground being held to professional standards. But it's the only way forward. It isn't the wild west any more. The world depends on technology and we need to improve the quality and the processes behind it.

Yes, I'm prepared to be modded down by those cowboy programmers who don't want to be accountable for the results of their poor techniques... But that is exactly the way of thinking that our industry needs to shed.

Re:How about

[gnupun]

Don't use C and its variants like C++. C is an extremely unsafe, low-level language that is just one step above assembly language. This makes it great for low-level, performance sensitive programs like OSes, compilers, etc. but the low-levelness also increases bug count for general purpose applications.

Instead use safer languages like Pascal, Eiffel (design by contract), Ada, etc. These languages guard against buffer overflows and don't have the slowness and bloat associated with garbage collected languages like Java and .NET, but are much safer than C. The problem usually is, few people know these languages and they are not portable from one platform to another.

Not really

[NapalmV]

Let's remember the good old bug that plagued (and probably still does) many libraries that read graphic files such as TIFF. The classic scenario was that the programmer was reading the expected image size from the TIFF file header, allocated memory for this size, then read the reminder of the file into said buffer, until end of file. Instead of reading as many bytes as he has allocated. Now for a correct file this would work, however if the file is maliciously crafted to indicate one size in the header while having a much larger real size, you would do a classic buffer overrun. This is pretty much similar to what the SSL programmer did. And no tools were ever able to predict this type of errors, whether TIFF or SSL.

BTW the last famous one with TIFF files was pretty recent:
http://threatpost.com/microsoft-to-patch-tiff-zero-day-wait-til-next-year-for-xp-zero-day-fix/103117

Re:Not really

[MoonlessNights]

This is EXACTLY the way to look at this!

Relying on static analysis to solve parameter validation bugs is asking technology to solve a human problem, akin to asking the computer "do what I want, not what I said".

Static analysis and defensive programming techniques are good ideas but there is always a chance for something to go wrong.

Re:Not really

[perpenso]

Fuzzing may catch an erroneously stated buffer size type bug.

An automated tool that was probing the binary on a live system is was what discovered heartbleed.

Re:Not really

Actually in this particular case I imagine a static analyzer could find
size_t file_size = readInt(someFile);
char * buffer = malloc(file_size);
readEntireFile(someFile, buffer);

quite easily.

Re:Not really

[Kjella]

Considering how many times you need to do this (read the length of a block of data, then the data) it's strange that we haven't implemented a standard variable length encoding like with UTF-8. Example:

00000000 - 01111111: (7/8 effective bits)
10000000 00000000- 10111111 11111111: (14/16 effective bits)
11000000 2x00000000 - 110111111 2x11111111: (21/24 effective bits)
11100000 3x00000000 - 11101111 3x11111111 (28/32 effective bits)
11110000 4x00000000 - 11110111 4x11111111 (35/40 effective bits)
11111000 5x00000000 - 11111011 5x11111111 (42/48 effective bits)
11111100 6x00000000 - 11111101 6x11111111 (49/56 effective bits)
11111110 7x00000000 - 11111110 7x11111111 (56/64 effective bits)
11111111 00000000 + data - 11111111 01111111 + data indicates array 0-127 characters long
11111111 10000000 00000000 + data - 11111111 10111111 11111111 + data indicates array 0-16383 characters long
11111111 11000000 00000000 00000000 + data - 11111111 11011111 11111111 11111111 + data indicates array 0-(2^21-1) characters long
11111111 11100000 00000000 00000000 00000000 + data - 11111111 11101111 11111111 11111111 11111111 + data indicates array 0-(2^28-1) characters long
... and so on until
11111111 11111111 8x00000000 + data - 11111111 11111111 8x11111111 + data indicates array 0-(2^64-1) characters long.

It should be rather easy to implement the encoding/decoding function like "readByteArrayFromFile" just ONCE so that the array and size of array you get is identical or the function will fail. You peek at it, allocate X bytes, copy X bytes and if there's not X bytes to read return NULL.

Re:Not really

[xeio87]

And no tools were ever able to predict this type of errors, whether TIFF or SSL.

Well, there are, they're called Java, or C#, or Python. But as long as developers insist on using the C family of memory unsafe languages...

Re:Not really

Memory is only one resource. You won't solve a problem by replacing it with a larger set of slow languages that have indeterminstic properties in general, suffer from sloppy coding practices, lock like a bastard and have massive attack surfaces of their own due to the kitchen sink approach.

Re:Not really

[david_thornley]

Man, if they'd only written it in modern C++. The C++ standard library is perfectly capable of reading in an entire file and making sure the memory is allocated for it, with no extra work on the part of the programmer.

Re:How about

Instead use safer languages like Pascal, Eiffel (design by contract), Ada, etc.

Yes, I agree. And as mentioned in the article, Rust is a good choice here too, or will be once it gets to version 1.0. I think the plan is for Rust to get version 1.0 this year.

engineering professions have power over PHB's

[Joe_Dragon]

issues

like lack of QA / testing

deadline that lead to cut corners.

having sales people over promise and more.

can be put on the PHB and without some kind professions there is licensing system they can say you can do it or we can find an H1b who can (at least on paper)

Re:engineering professions have power over PHB's

[gnasher719]

like lack of QA / testing

This was not a bug that would have been found in testing. It doesn't _attack_ the software. The software was totally unaffected. You could have a very specific test.for this problem, but if you thought of that test, you might as well have looked at the code and immediately spotted the problem.

Re:engineering professions have power over PHB's

Wrong. It is often enough to separate developers from testere organizationally and do proper protocol check and this fault would hve been found. Whether it would be fixed is another matter. I have found many vulnerabilities in software I test only for the ticket to be ignored by design. I do not discuss anymore beyond basic check if they read ticket at all now. It is waste of time. Stil the possibility that it were found is there and none zero probabilit that fault is fixed is there too.

Re:need to get over the "cult of macho programming

[MoonlessNights]

The problem has more to do with the "hey, this is free so lets just take it" attitude of the downstream consumers not willing to pay for anyone to look at the code or pay anyone to write it.

Why would you want the OpenSSL people to be held accountable for something they basically just wrote on their own time since nobody else bothered?

Striking out to solve a problem should NOT be punished (that culture of legal punishment for being useful is part of why knowledge industries are leaving North America).

This problem was caused by a simple missed parameter check, nothing more. Stop acting like the cultural problem is with the developers when it is with the leaches who consumer their work.

Re:How about

Yeah, we'll just rewrite the Internet in Pascal.

Libraries like OpenSSL are built in C in no small part because C can easily be linked into just about any other language out there. Nothing is going to change that.

And idiots can write bad code in any language. It might not be a buffer overflow, but they could still have screwed up in many other ways.

Re:How about

Or you just learn how to code properly. This particular vulnerability wasn't because there was a mistake, it was because they opted to bypass a function that was meant to keep people safe. It's a bit like bolting the fire escapes closed then wondering why everybody died after the fire.

It's astonishing to me that somebody would put code into a production environment that asked for a certain length of response without bothering to do any validation.

Re:need to get over the "cult of macho programming

The only problem with doing this is you'd have to convince congress to actually punish companies that don't hold up to professional standards when applications get broken into for simple stuff. As is with our government, the Brooklyn bridge could cave into the bay killing 10,000+ people, and everyone would point to each other and it'd be the "system" that would be broken warranting new wonderful scummy laws that funnel billions out of your and my pockets into some ass hat politicians back pocket.

Re:need to get over the "cult of macho programming

"Yes, I'm prepared to be modded down"

as you wish! wtf is with these insecure posts?

i'll burn karma (lots of karma given) posting this. hey, aww you guys!

i'll be modded down for this

posts don't need this useless ego driven filler.

Easy

[kamapuaa]

What did I miss?

An article before the word "bad."

Re:How about

[Jeremi]

Instead use safer languages like Pascal, Eiffel (design by contract), Ada, etc. [...] The problem usually is, few people know these languages and they are not portable from one platform to another.

Agreed regarding both the solution and the problem with the solution.

It's probably reasonable to use [insert-super-secure-machine-verifiable-language-here] to develop libraries that are as security-critical as OpenSSL. However, it's unlikely that such libraries will be widely used if they aren't easily callable from the more popular languages (C/C++/ObjectiveC/etc).

Given that, I wonder how difficult it would be to write a library in (e.g.) Ada, but have the Ada compiler compile the code in such a way that the outputs is a C library file and C header files for the library's public API? That could give us a way to have our cake and eat it, too.

Re:How about

[gnupun]

Or you just learn how to code properly.

If that really worked, there would be no QA dept. for software. Unless you can formally prove your software is correct, you should assume there are bugs. And no one has the time, money or ability to formally prove hundreds of millions of lines of code.

It's astonishing to me that somebody would put code into a production environment that asked for a certain length of response without bothering to do any validation.

And even more astonishing the head maintainer and merger did not review this change and ask the developer to fix it.

Re:need to get over the "cult of macho programming

This was not a "hangman" game, this was a critical security package. If you can't be bothered to check parameters you shouldn't be working on security projects.

Re: How about

Eiffel compiles to C. Pascal can compile to C (I think k that Linux Pascal 'compiler' is just a translator to C and gcc)

Re:need to get over the "cult of macho programming

No. I will agree, however, that any software that is to be used in critical operations by an organization should be verified by that organisation. If the organisation are responsible for maintaining and operating a system that integrates with others outside their control the method and criteria for validation should be public.

There is no need to certify programmers for this. It is the USE of an implementation that should be validated not the CREATION of that which is implemented.

Pilots verify that their tools and equipment function as advertised and show values within tolerance levels. They do not verify that the engineers who built the plane where certified.

Re:How about

[gnupun]

I'm not sure you can auto-generate a C header file but you can create a library (.dll or .o) file from Ada source and call it from C. You have to hand generate the C header file.

Create DLL library in Ada

I'm so tired of this...

[arfonrg]

I want to punch everyone in the head who is using Heartbleed as an example of why NOT to use open source. It actually proves that open source development works well. Once the bug was found, the fix was released very quickly. I can guarantee you that if this was a closed source commercial product, the bug would exist a long time and the bug's existence would have been denied for a long time.

If anyone thinks this is an example of open source failure, they are idiots.

Re:I'm so tired of this...

[jones_supa]

The Heartbleed vulnerability existed for a long time, then it was fixed quickly when finally discovered.

The recent Internet Explorer vulnerability existed for a long time, then it was fixed quickly when finally discovered.

Re:I'm so tired of this...

Yeah, you don't want to go there. There is case after case where M$ knew bugs existed and they hid/ignored them, then took a long time to fix them.

Re:How about

Yeah, we'll just rewrite the Internet in Pascal.

It can be done, regardless of naysayers like you. GNU rewrote Unix, the Internet can be rewritten too. Better get started.

Re:How about

It is a process problem, and your solution is to ban the use of screws, replacing:
1 "make a critical library written defensively and correctly, removing any cruft, and adhering to good processes"
with
2 "build an entire cross-platform compiler/runtime with no flaws that does that for you"

Re:need to get over the "cult of macho programming

[blue+trane]

It was reverse psychology.

Re:need to get over the "cult of macho programming

[jhol13]

You forgot NIH. OpenSSL used its own allocator, the most positive thing I can say about that is "totally idiotic". AFAIK nobody is removing it ...

Furthermore, C is insufficient language for a security software (C++ when properly used barely acceptable, managed languages much better).

Re:How about

[Kazoo+the+Clown]

Yes, I think it's clear the next gen of CPUs really needs to have the machine language removed entirely. What a security hole!

Re:need to get over the "cult of macho programming

You don't know what you're talking about. Do you have any idea how much money was invested in OpenSSL last year? $2k. That's not a typo, they received two hundred dollars. If the volunteers responsible for openSSL, a world-class product, were held accountable for bugs they would have no choice but to ditch the project. You want accountability, you pay for it. No, $2k won't cut it.

Get down your high horse, they're not your slaves. People work for free and you think you can tell them how they're supposed to do it. Either do better or shut up and let others work in peace. The OpenBSD guys have the right attitude. They saw OpenSSL sucked and got their hands dirty to fix it. What have you done to address the problem?

Re:need to get over the "cult of macho programming

[Alomex]

Second, there needs to be an emphasis on using languages that are not susceptible to buffer overrunning. This isn't 1975 any more.

This. It is high time that by default C compilers did buffer overrun check. Maybe deep inside some kernel routine we cannot afford the 0.5nanosecond it takes to check the buffer size, and we can always have a pragma that disables the checking for that piece of code. All other usages should be subject to buffer overrun check.

Re: Republicans

[Fwipp]

I have no idea why you're maintaining that "Republicans" create these bugs, and I'm, like, a socialist.

Re:need to get over the "cult of macho programming

Do you think any brogrammers work on SSL? Do you think they're actively warding off peer review? In short: do you have evidence that the engineering culture behind openSSL caused the failure, rather than the obvious complete lack of revenue, funding and active contributors?

And if so, does this same culture simultanesously affect gnuTLS, LibreSSL, and Apple?

Multiple implementations.

As with any population, _variation_ is the best defence against attack and disease. The best defence against the next heartbleed? Have more than one implementation.

Re:Multiple implementations.

[gnupun]

This is a great idea. It also makes testing using Fuzzing methods easy.

1. Generate random test parameters
2. Feed parameters to variant program A and get results.
3. Feed parameters to variant program B and get results.
4. Both results should match.

Re:Multiple implementations.

You MeAn liKe mIXInG CaSE iN FuNctiOn NamEs PreVEntS Java FaiLurEs?

Dude, sometimes variation just causes bugs and makes them harder to trace. (Was that function FirstLastInMyBuffer, or FirstLastinMyBuffer? And what if both exist?)

No, the *specific* bug in OpenSSL wsa triggered by a bad function modification to allow *portability* to a frankly ridiculous operating system that should have been allowed to die like the passenger pigeon, namely OpenVMS, exactly the kind of "variation" you are so busy promoting. Excess variations of environment make testing and code review far *more* difficult.

Core system functions, such as string handling and critical functions, need to be kept lightweight, simple, and with well defined API's. The HeartBleed function was not. It got mishandled because it didn't *have* a well-defined API. It was permitted to make arbitrary size string requests, rather than a well defined, pre-set value that could be safely implemented. What crack monkey said "allow arbitrary requests" for HearBleed when writing that feature into OpenSSL? *Every time* you make responses of arbitrary size, you are making the underlying architecture unnecessarily more complex, and you get what you deserve for designing it on a napkin at lunch rather than *thinking* about what the heck you are doing. That's a flaw in the spec, itself.

Note that the reason this is so likely to lead to mishandling is not that "C doesn't do malloc's well". It's that people allocate memory without *thinking* about the cost of doing so. Java and other top down programming languages *do not teach this kind of thinking*, and the result is profound feature and resource bloat. So SSL libraries will never be written in a top-down, objected oriented language except as a proof of concept. It's not even possible to optimize enough there to run the critical, high speed, low level, bare metal bandwidth limited functions that are needed for hardware or software live encryption.

Re:Multiple implementations.

That helps, but if all implementors use the same testing strategies then that doesn't help against the total defect population; they'll still pop up regularly. Different defects in different implementations (you hope), but plenty for all that. The idea is well-known, but defends against "monoculture". It doesn't defend against sloppy programming.

The more important point is something hammered home in every crypto 101 course: Don't just test for function, test for dysfunction too. Moreso, in fact. And it's not even that difficult. You don't have to try all possible inputs. But you have to test all code paths. And you do control those, don't you? So you make sure the error paths are short ones* and have at least one test case to deliberately trigger each. Since you supposedly know what sort of input you expect and what sort of input you don't expect, you know all the corner cases. Don't just test for the positive ones, test for all of them.

Input parsing is hard if you don't understand this. It's merely tricky if you do, but by then you've learned to cook up input test suites, reference protocol talkers, and fuzzers, to hammer the parsing parts until they accept all incoming data and produce exactly either valid parsed protocol messages or error signalling for the program to process.

This is still a weak guard. You should have a similar construct for your production protocol generator, one that knows about the framing if not the message meaning, and that can only generate valid (if perhaps nonsensical, but harmless) protocol messages. This is your egress filtering to above ingress filtering.

And on top of that you must make sure that, say, an input value asking for $this_many input bytes to be returned is bounded by the number actually present, which is exactly what didn't happen in heartbleed. A simple min(bytes_there,bytes_wanted) would have done it. Such incoming values are untrusted and therefore need checking first, and you do know what the bounds are.

A trick that helps here is to clearly separate the responsibilities. The handler only gets input from the input parser in a fixed, parsed format, it can only manipulate the message through the given interfaces, and it can only output through given output interfaces. This means all the pointer manipulating gets hidden in (if nicely short, inline) functions with presumably descriptive names, and it presumably becomes a lot clearer what is going on, while (if you've done your homework) essentially the same and just as efficient code. Given that the openssl API is not especially well-written nor especially well-documented, to the point of being notoriously tricky to use correctly even if you know about the pitfalls... it's no surprise there's huge gaping holes in it like heartbleed.

"Assumption is the mother of all fuckups", so safe data handling is all about making assumptions explicit and making sure they hold**. Multiple implementations that all fail to safely handle data will all have interesting defects, if different ones. Even hiding complexity by sandboxing or fancy straightjacket languages doesn't help much (qv java vm breakouts, and it was supposed to be such a safe language). What you really need here is safe data handling, and for that you need to know what you're doing.

* This requires special handling for crypto applications to avoid giving away the secret, but isn't all that difficult to work with. Think about it.
** This is the power of encapsulation, a cornerstone of OO and possibly the most valuable of them all: The interface is code, not structures, and because the data inside the structure only gets manipulated by exactly that code, you know what happens with the data, you know what it looks like, you know which assumptions are valid inside that structure. You don't need to keep on checking, you definitely have done it once, at every possible entrance.

Re:Multiple implementations.

[EuclideanSilence]

This only works in a very limited number of situations. For example, two compilers can both produce "correct" code, but it's highly unlikely that they will produce the same code. There are no half assed techniques that can produce reliable code, and anything less than mathematical logic is half assed.

Re: How about

How can you write general purpose libraries in c#? It will only run on windows. Java runs on more things. But what about their interpreters what are they written in?

Re:How about

[socode]

> If that really worked, there would be no QA dept. for software.
No, that's just poor reasoning.

Quality must be built-in, not added-on. QA expectations and improvement scope are largely imposed on any QA department, therefore the level of 'quality' reached can never be an absolute bar.

Developers in general need to minimise the vector product of bug count/severity that could be exposed before it gets to QA. This allows the bar to be raised, and focus to be spent on where it should be rather than catching obvious mistakes, or dealing with unnecessary performance/cognitive/configuration complexity.

Re:How about

[ComputersKai]

Keep in mind that this is an Open Source project, and the developers don't have access to all of the resources that corporations tout around.

Re:need to get over the "cult of macho programming

[socode]

> programmers need to start being held accountable for the quality of their work.
They are.

But I guess you mean that people who aren't paying for your work, and companies which aren't paying for the processes and professional services necessary for some level of quality, should hold programmers who don't have any kind of engineering or financial relationship with them accountable.

Re:need to get over the "cult of macho programming

$2k. That's not a typo, they received two hundred dollars.

DOES NOT COMPUTE

Too much reliance upon testing tools

The blog posting spent 80+% of it's time focusing on automated testing tools. They are fine and all, but cannot make up for a lack of basic good design practices. Ones which were present in the Heartbleed episode.

What would really have helped prevent Heartbleed?

1). Initialize all allocated memory. Routinely and automatically. And stop complaining that it "takes too much time." That's an excuse;

2). For Heartbleed particularly, I fail to understand why the echo word didn't self-define it's own length. Why did the programmer require this as a separate parameter? I'm a programmer and this is a glaringly obvious location for logic holes. The strongest defence against the possibility of conflicting parameters is not better parameter checking code. The strongest defence is to redesign the parameters to eliminate the possibility of the conflicts in the first place. Parameter error check code is good; error avoidance is better. This is programming 101 here!

I realize that I'm asssuming certain things here. However that's the best information I have for the moment and that's my take away.

Re:Too much reliance upon testing tools

#1. Wouldn't have helped. As i understand it, the allocated memory was filled with the 'ping' data, the problem was reading past the allocated memory and sending happened to be in memory after it... combined with storing important data like encryption keys in any old random piece of allocated memory.

#2. I believe the spec requires length and content as separate fields. A retarded spec often leads to retarded code.

Re:Too much reliance upon testing tools

The retarded code and the retarded spec were written by the same person... part of why people wonder if it was an accident.

Re:Too much reliance upon testing tools

[dwheeler]

I'm really glad you're trying to think of alternatives. However, when you say: 1). Initialize all allocated memory. Routinely and automatically.... They did. But the Heartbleed bug let you see currently-active memory. In particular, you have to have the private key available somewhere so you can use it.

Some of the weirdness was due to the spec itself (RFC 6520). I agree that error avoidance is better than parameter-checking, but it's not clear that parameter-checking could have been avoided in this case. But that's certainly worth checking out.

Re:need to get over the "cult of macho programming

Clearly there weren't any programmers of that quality bothering to work on OpenSSL for free.

That's why many people use alternatives to OpenSSL.

Re:How about

[Dahamma]

I have personally ported OpenSSL to at least 6 embedded systems, one of which was so proprietary they wrote their own C/C++ compiler. Good luck finding an Ada compiler for that.

his makes it great for low-level, performance sensitive programs like OSes, compilers,

Aaand... performance sensitive like, say... crypto? There isn't much code more performance sensitive than crypto libraries, which is one of OpenSSL's main uses. In fact, there are a whole bunch of native assembler implementations for x86, MIPS, ARM, PPC, etc to achieve that low level performance. Clearly you have never actually looked at the OpenSSL code base...

Re:need to get over the "cult of macho programming

[phantomfive]

In programming something as critical as SSL it's long past time for "macho programming culture" to die.

Yeah, but it's kind of going the other way, with more and more companies going to continuous deployment. Facebook is just pit of bugs.

programmers need to start being held accountable for the quality of their work.

OK, I'm with you that quality needs to improve, but if I have a choice between working where I get punished for my bugs and where I don't; I'm working for a place where I don't get punished for my bugs. I test my code carefully but sometimes they slip through anyway.

Re: need to get over the "cult of macho programmin

Don't you mean if it not a hangman app don't get free code from the Internet?
That is not the answer or there would be no FOSS.
It is the issue of who works on the boring stuff.

Re:How about

[Artifakt]

The US Army will swear that I was once, many moons ago, officially certified in Ada, whether that means anything or not. I never liked it much, even though I did turn in successful code a few times, and I really have a problem with Ada for open source applications - Yes, in theory, Ada has some very strong security functions by design, but it's definitely not going to result in the 'many eyes make all bugs shallow' effect. I actually read your post as deliberately tongue in cheek at first, what with phrases such as 'extremely unsafe'.
        But as I think more about it, one of the problems revealed by Heartbleed is open sourcing the target code didn't result in a lot of properly trained eyes passing over that code. I never thought I'd encourage anyone to learn Ada after I got out of the service (just as I never thought I'd encourage anyone to start a cult worshipping many-tentacled, eldritch, blasphemous horrors from beyond space-time as we delusionally try to limit our conceptions of it to preserve our fundamental human sanity, and for much the same reasons), but I have to admit, you may have a damned good argument for Ada there.I don't know if the extensive compile time checking of Ada 2012 could have automatically caught the bug that made Heartbleed possible - the last version of Ada I've really used is 95, but I'd be really interested to hear from someone who's current if they think Ada is just about totally bulletproof against this sort of bug, because even the older versions I recall had some features that would have made it hard to make this sort of mistake.

Re:How about

GNU rewrote Unix

In C. Not Pascal.

Re:need to get over the "cult of macho programming

How do you propose that the compiler performs this check when it has no idea as to the size of the buffer?

The problem is with the language, not with any given implementation.

this paper is an epic fail

[iggymanz]

actually a couple more *bad* vulnerabilities were found in openssl, but the author of this paper didn't find them. arm waving ivory tower bullshit, that's how we got into this pickle in the first place

Re:this paper is an epic fail

I second that.
These university types are way out of touch with the realities and challenges of the software security field. But man, can they preach!

Re:need to get over the "cult of macho programming

all well and good.... and i agree to some extent, but you know what it was the gung ho ones that pioneered it and the wusses looking for a reliable paycheck that regulated the living hell out of it..... at which point innovation completely dies.

It's a good essay; some other thoughts.

- Simplify the code, and the protocol. LibreSSL's simplifying OpenSSL, but also, we didn't need heartbeats built into a crypto protocol in the first place.

- Lots of code needs more review. Other open-source frameworks and servers are in OpenSSL's same nasty spot of being widely used but not corporate-supported and well-vetted.

- Non-security code can cause critical security bugs, too; remember the zlib bug. We can give widely-used non-security libraries more fuzzing/review, and/or figure out ways to better contain software faults with finer-than-process-level precision.

- C(++) is certainly a playground full of buzzsaws, but we're also addicted to it; maybe augment w/things like bounds-checked array access where we can afford it and standardized formatting and linting to catch some bugs (if not this one).

- If we only consider bugs like Heartbleed, we're stuck fighting the last war. We should think about those CAs and providers we trust, or the way we rely on passwords, or how to change servers' default configs and libraries to make it more natural to deploy secure services than it is today.

Re:need to get over the "cult of macho programming

In programming something as critical as SSL it's long past time for "macho programming culture" to die. First off, it needs many eyes checking. Second, there needs to be an emphasis on using languages that are not susceptible to buffer overrunning. This isn't 1975 any more. No matter how macho the programmer thinks s/he is, s/he is only human and WILL make mistakes like this. We need better tools and technologies to move the industry forward.

Your post should be modded down, it is a repetitive theme...But that's not your fault, how many articles is /. going to post that are repetitive? Your comment was already posted once in a /. story and yet they keep posting echo articles from programmers/critics who somehow think their geniuses for pointing out the obvious problems with open source projects.

Wheres Linus Torvalds in all this? I was hoping to read or hear his thoughts over this, would be even better if he did video self-interviews .. The guy is brilliant and priceless!

Re:need to get over the "cult of macho programming

[MouseTheLuckyDog]

If you are worried about security don't use software written by people who can't be bothered to check parameters.

Did I hear anybody said "Gödel?"

[fluido]

One of the many eye-openers that reading Douglas Hofstadter's "Gödel, Escher, Bach" book has provided me, all those years ago, is that, no matter how much we humans may try, we may *never* be sure to have removed all errors or imperfections from anything that's even marginally worth of our interest. In a nutshell, if you can prove that something has reached perfection, at the same you prove that it is not interesting anymore.

We cannot write complex bug-free software. PERIOD. OpenSSL is not windows. Headlines about OpenSSL bugs are not such a common occurrence. One bug happened at the wrong time, wrong place. This could have happened even if the world had opted for a proprietary library for this critical role. The only difference is that there would have been somebody to sue. Big consolation.

New theories come out of IT faculties around the world at regular intervals, that promise, if strictly followed, the holy grail of bug-free software. All of them eventually prove non-effective.

The only concrete effect of all these tactics is that the job of the programmer becomes more tedious, less interesting. One thing I can tell you from direct experience is that, the lowest the level of interest of the programmer, the higher the possibility will be that bugs may slip into his or her code.

So, the question is wrong. We cannot prevent the next Heartbleed. What the world needs to (re)learn instead is how to cope with unexpected events without reaching for your phone and calling your lawyer.

Many thanks go to all free software contributors, including OpenSSL ones, for what they do!

Re:Did I hear anybody said "Gödel?"

[RR]

We cannot write complex bug-free software. PERIOD. OpenSSL is not windows. Headlines about OpenSSL bugs are not such a common occurrence. One bug happened at the wrong time, wrong place. This could have happened even if the world had opted for a proprietary library for this critical role. The only difference is that there would have been somebody to sue. Big consolation.

New theories come out of IT faculties around the world at regular intervals, that promise, if strictly followed, the holy grail of bug-free software. All of them eventually prove non-effective.

The only concrete effect of all these tactics is that the job of the programmer becomes more tedious, less interesting. One thing I can tell you from direct experience is that, the lowest the level of interest of the programmer, the higher the possibility will be that bugs may slip into his or her code.

Actually, it's possible to remove all errors and imperfections, if you would be satisfied with being boring. That's one thing I got from Douglas Crockford's Programming Style and Your Brain. Sometimes, especially for security-related software, "boring" is exactly what you want.

Unfortunately, SSL is anything but boring. It's barely standardized, and it's prone to getting new features. But just because the standard is exciting, doesn't mean the code has to be exciting. The OpenSSL developers may have received $2,000 in donations last year, but they make money by consulting on OpenSSL. They have a perverse incentive to keep OpenSSL confusing and buggy. The efforts for the LibreSSL project show just how needlessly exciting the OpenSSL code base is.

To prevent the next Heartbleed, it's more productive to donate to LibreSSL.

Re:Did I hear anybody said "Gödel?"

[fluido]

Actually, it's possible to remove all errors and imperfections, if you would be satisfied with being boring.

No. Software for which you can guarantee that no error exist is not only boring: it is useless.

To prevent the next Heartbleed, it's more productive to donate to LibreSSL.

You do not get my point. You may succeed in rendering it less probable. But you cannot prevent it.

Re:Did I hear anybody said "Gödel?"

[RR]

Actually, it's possible to remove all errors and imperfections, if you would be satisfied with being boring.

No. Software for which you can guarantee that no error exist is not only boring: it is useless.

To prevent the next Heartbleed, it's more productive to donate to LibreSSL.

You do not get my point. You may succeed in rendering it less probable. But you cannot prevent it.

I do get your point, and I disagree. Perhaps my point is not so clear, so I'll rephrase it: For a protocol as complicated as SSL, it's difficult to guarantee that a program is free of bugs, but it is possible to create a program free of exploits. With sufficient discipline in specific domains, it's also possible to create bug-free specifications. Computer programs are just math, and a lot of math can be proved. The key is to decompose programs into pieces that humans can reason about. That's what Crockford means by "error-resistant" programming.

I see that you're a Ruby programmer. It's difficult to create the Heartbleed vulnerability in Ruby. I guess you could do it if you did all your processing in a custom IO object "for performance reasons," like OpenSSL's custom malloc. That sort of silliness is all over the OpenSSL project, and that's what the LibreSSL project is eliminating. Now, the Ruby runtime itself is a complicated program and not bug-free, but every fix in the runtime eliminates a bunch of bugs in many Ruby programs.

Similarly, the OpenBSD project has a bunch of practices and programs to eliminate or mitigate the severity of exploits. At this point, I trust them more than I trust OpenSSL. So, we should support LibreSSL.

Re:Did I hear anybody said "Gödel?"

[EuclideanSilence]

One of the many eye-openers that reading Douglas Hofstadter's "Gödel, Escher, Bach" book has provided me, all those years ago, is that, no matter how much we humans may try, we may *never* be sure to have removed all errors or imperfections from anything that's even marginally worth of our interest. In a nutshell, if you can prove that something has reached perfection, at the same you prove that it is not interesting anymore.

You have severely misunderstood. That's understandable, since the English language doesn't support quantifiers well. Read carefully:

It is not possible to write a program that can verify the correctness of all other programs.

It is possible to write a program whose correctness can be verified.

It is not possible to write a program which correctly outputs yes/no to the question of correctness of every possible input program.

It is possible (and is done often) to write a program such that only outputs "yes" when the input is error-free, although "no" only indicates that the error-freeness hasn't been proven.

As far as "no interesting program will ever be bug free", you either don't consider microprocessors to be interesting or you were not aware that many microprocessors have been fully verified. Yes it is a hard problem. However, it is not an impossible problem, and the obstacle isn't mathematics, it's design choices. Those who know how to implement logic don't know how to make the implementation user-friendly, those who know how to make things usable don't know how to implement logic. Time will bridge that gap.

Re:need to get over the "cult of macho programming

[mitzampt]

Unless you are trying to switch to pascal-style strings instead of null-terminated ones you have limited ways to automatically check buffer overruns, just as you have limited ways to do garbage collecting or, for that matter, almost anything automagical with pointers. The compiler alone cannot enforce that policy, one could try to enforce it in the standard library or a framework. The difference between low and middle level languages and high level languages is the magic that happens behind the language. C has almost no magic, it just gives you the building blocks to do whatever you please.

Re:How about

Going forward, all CPUs shall be required to execute Java bytecode natively.

Thanks for this article

[godrik]

Hi dwheeler,

This is a great article. It covers many common software development and testing techniques. But also some "on live system" techniques. It was a pleasure to read, I'll recommend it to various places.

Re:Thanks for this article

[jones_supa]

Agree, that's a fine article.

Re:How about

I really have a problem with Ada for open source applications - Yes, in theory, Ada has some very strong security functions by design, but it's definitely not going to result in the 'many eyes make all bugs shallow' effect.

No one ever reads open source code. It's just some free stuff that naive neckbeards wrote for you, that you can compile and use for free, because it's free!! If no one ever reads the code, who cares what language it's written in?

Re:need to get over the "cult of macho programming

$2k. That's not a typo, they received two hundred dollars.

DOES NOT COMPUTE

Obviously shoddy work, not enough "eyes" looking at it from a QA perspective.

Re: need to get over the "cult of macho programmin

Nothing in the C language precludes checking array bounds. There are plenty of implementations that used tagged pointers, or instrument code to lookup the bounds of an automatic array or malloc pointer.

But few people use them because they're slower.

hmmm...

dollars and able bodies... simple enough, the project before this incident had neither sufficient budget nor sufficient numbers of people working on it.. considering the number of huge, profitable companies, institutions and governments that rely upon the project for day-to-day operations, simply NO EXCUSE.

Re:hmmm...

The free software movement has succeeded in reducing the market value of software to zero. You wouldn't expect huge, profitable companies, institutions and governments to pay more than market value for software, would you?

And what if

If we look how was treated the disclosure of DES vulnerability, and if we compare with the status regarding RSA, we can expect that the next hearthbleed vulnerability will not be in the implémentations but in the foundations.

Re:How about

[phantomfive]

My experience is that people who trust in their language to keep their code bug free inevitably have more bugs in their code. It's amazing how many memory leaks I've found in Java, by programmers who swore such things were impossible. Another entertaining situation is people who manage to get around deadlock detection by creating live-locks.

I think it's clear to everyone who's actually looked at the situation that the problem here wasn't the language, it was the people who were using the language. They would have written bad code in any language.

Re:How about

[phantomfive]

But as I think more about it, one of the problems revealed by Heartbleed is open sourcing the target code didn't result in a lot of properly trained eyes passing over that code.

My experience is that reading code isn't a very good way to catch bugs, mainly because reviewers tend not to read it as carefully as the person who wrote it. If you want to find bugs, it's more effective to do white/black box testing of some sort.

Re:need to get over the "cult of macho programming

[jones_supa]

Yep. It's a thing you include to guarantee your post to be modded up. ;)

Re:How about

Don't use C and its variants like C++. C is an extremely unsafe, low-level language that is just one step above assembly language.

That's like saying we shouldn't use nuts and bolts to build things and instead only use Legos, since they're "safer".

The problem wasn't the language, it was the fact that there were less than a half dozen people actually working on the software, and only one of them could even remotely be classified as a full-time worker. It's incredibly common to miss your own mistakes, especially when the code works properly when tested and widely used.
What is needed are more eyes actually reviewing the project and performing QA and testing on it, instead of just assuming that it was working properly. Part of the problem is that Crypto is Hard, and many people have a tendency to assume that the bits of code which seem wrong or out of place are actually working properly, and that it's their own understanding which is in error.

Re:need to get over the "cult of macho programming

[jones_supa]

Then we have to go one step further and store the size of the buffer.

In general, a "hardened C" programming language would be an excellent idea in my opinion.

Re: need to get over the "cult of macho programmin

[jones_supa]

We have fast computers. Why not sacrifice some of it to security? I mean, we are still probably not talking about 50-time slowdowns, like when you run a program under Valgrind.

Re:How about

[ColdGrits]

Going forward, all CPUs shall be required to execute Java bytecode natively.

Well there was the PicoJava from Sun.
Or the MAJC from Sun

Both of which did exactly that.

Alas none are around any more...

Re:need to get over the "cult of macho programming

This was not a "hangman" game, this was a critical security package. If you can't be bothered to check parameters you shouldn't be working on security projects.

No, it was a free piece of software with no guarantees which was not tested nor rated as acceptable for high-risk use. Others chose to use that software as part of various critical security applications, but completely failed to validate that the software they used was in reality up to the task.

This wasn't a company paying people to write secure code. It was a few volunteers, only one of which was even what you could consider 'full-time'. Meanwhile, thousands of high-profit companies couldn't be bothered to help them out with the project, so if you've got anyone to bitch at, go bitch at every for-profit company who used it and utterly failed to give anything back.

Re:need to get over the "cult of macho programming

[Mike+Sheen]

I saw that a week ago, so I donated $50 USD to the OpenSSL Software Foundation. I figured I would either whine about the problem, or do something. I chose the latter.

Re: need to get over the "cult of macho programmi

We're moving in that direction. Intel is adding bounds checking instructions to the Skylake ISA called MPX. The compiler will keep some shadow memory populated with the bounds of pointers and arrays, and insert MPX instructions to check loads and stores.

Clang and GCC now both have AddressSanitizer, which does the same thing in pure software.

So there's nothing inherently unsafe about C. Its just that most implementations haven't bothered to deal with the problem.

Also, the Heartbleed over-read could have happened in Java. Plenty of high-performance Java projects use buffer pools that look identical to what OpenSSL was doing. They do it to cut down on garbage churn.

Re:need to get over the "cult of macho programming

[Ckwop]

I actually agree with both of you. The Open SSL guys gave out their work for free for anybody to use. Anybody should be free to do that without repercussions. Code is a kind of literature and thus should be protected by free speech laws.

However, if you pay peanuts (or nothing at all) then likewise you shouldn't expect anything other than monkeys. The real fault here is big business using unverified (in the sense of correctness!) source for security critical components of their system.

If regulation is needed anywhere, it is there. People who develop safety and security critical stuff should be certified and businesses with a turn over $x million dollars should be required to use software developed only by the approved organisations.

There is nothing in this definition that prevents an open source implementation. In fact, there's an argument to say that any such verified implementation must be open source precisely so it can be inspected. But it is quite a lot of work and people need to be paid to do that work. You can't expect to get this level of quality assurance for free.

Re: need to get over the "cult of macho programmin

We have fast computers. Why not sacrifice some of it to security? I mean, we are still probably not talking about 50-time slowdowns, like when you run a program under Valgrind.

The irony is that you're already sacrificing it to security in C if you're doing it right; every bounds check that you have to add manually slows things down _at least as much_ as the bounds checking done in higher-level languages.

C/C++ aren't magical speed-demons, they get their speed through a trade-off and a horrible one at that. The sooner people realize this the better.

Re:How about

[DrPBacon]

it's super effective.

Re: How about

I am surprised that D language was not mentioned.

http://dlang.org/

Re:need to get over the "cult of macho programming

[BiIl_the_Engineer]

Don't use software at all, then.

Re:How about

I have personally ported OpenSSL to at least 6 embedded systems, one of which was so proprietary they wrote their own C/C++ compiler. Good luck finding an Ada compiler for that.

his makes it great for low-level, performance sensitive programs like OSes, compilers,

Aaand... performance sensitive like, say... crypto? There isn't much code more performance sensitive than crypto libraries, which is one of OpenSSL's main uses. In fact, there are a whole bunch of native assembler implementations for x86, MIPS, ARM, PPC, etc to achieve that low level performance. Clearly you have never actually looked at the OpenSSL code base...

Performance sensitive? really? most crypto is NOT performance sensitive at all and you could easily sacrifice some performance for more secure/reviewed code. I would imagine there are very few mostly fringe cases where the performance is more critical in which cases they should be uses modified versions not having hacks put into the main code stream.

Re:need to get over the "cult of macho programming

If you want a language that checks for buffer overruns you use a language that checks for buffer overruns. Or when you want to fly somewhere you strap wings on your car instead of taking a plane?

Re:How about

[kthreadd]

If your web server is pushing out lots of https traffic then yes it is performance sensitive.

Re: need to get over the "cult of macho programmin

[jones_supa]

The higher-level languages are often either interpreted or run as cross-platform bytecode. Those make up for the main performance hit, not bounds-checking.

Re: How about

As in; don't add exploit counter-counter-measures to a fucking crypto library. Reading the comments below no one even mentions that they used their own memory allocator, while tellin us how humans can fail and we should all use language X.

Buffer overruns can be prevented at compile time w

[master_p]

Buffer overruns can be statically prevented at compile time without any runtime penalty.

All that is required is that the type system of the target programming language enforces a special type for array indexes and that any integer can be statically promoted to such an array index type by a runtime check that happens outside of an array access loop.

Array indexes are essentially pointer types that happen to be applicable to a specific memory range we call an array. Memory itself is just an array, but for that specific array C gives you special types to access it, namely pointers.

Re: need to get over the "cult of macho programmin

Actually OpenSSL is FIPS-certified, so there is some reason to expect a level of quality.

Re:need to get over the "cult of macho programming

"Brogramming" is the latest feminist buzzword - and as with the rest of their claims, it's bullshit.

Nothing about the OpenSSL fault is to do with macho programming (notice the conglomeration of "male" and "irresponsible" in all this).

It's about a software fault... the type of fault that happens when a critical part of your infrastructure has been under-resourced compared to its importance.

Interestingly... one of the faults underpinning heartbleed was the attempt make OpenSSL as inclusive and cross-platform as possible. Too much junk hid the fault.

That's in stark contrast to the idea that it was some kind of exclusive man-club... but hey... social justice warrios will turn anything into a conspiracy.

Input fuzzing, if you know what's good for you.

[VortexCortex]

Profiling w/ 100% code coverage would have caught this bug. Input fuzzing in the unit tests under memtest could have located this bug even faster. When I'm looking to find a bug to crack these are what security conscious folks like myself or any cracker will use against a code-base to quickly find potential exploit vectors. Thus these tests are the bare minimum framework for any code that has anything to do with credentials or security. Even a PHP login form will have better input sanitation than this. Even just basic Input fuzzing would have randomly asked for a gigabyte or so of data back from the pings making the bug very fucking unignorable.

Here's how I prevent "heartbleed" like bugs: Part of my build process's test harness script generates basic stubs for fuzzing and range tests from the function signatures in .H files if any are missing; So, when I very rarely forget to range check a function parameter the basic unit test is already generated for me and shows up in the build system issue tracker as a failed test; Not only that, it eats my lunch every RC / testing build by chewing through billions of int values until I manually drop in a function call for a stochastic input range check approach instead and maybe added a few tests to hit both sides of any edge cases. FINE If we're having a "Monolith meets Monkeys " moment anyway, might as well throw this one in too: Get the sources for Doxygen (which lets you define custom properties @min_int 42 @max_float 3.142, etc. in your doc comments), and now you just add a bit of your own code to generate your unit tests and input fuzzing code from the function signatures in the source code (Java, C/C++, etc). You generate one file per test, and make nested folders (one per class/source file, one per function) to keep shit organized. One test per file? Isn't that very inefficient? 0. Fuck you, haven't optimizations ruined enough lives already? 1. How else will make produce your missing unit tests, and have your SCM point out each one you forgot to update as an untracked file? Basic code management may seem alien to some of you humans, but it's really not saucer science folks.

I repeat: Use a fucking code coverage tool, for fuck's sake. Folks do this for bullshit enterprise crap, and this is a security product? Regardless of the implementation cock-up, there were multiple untested branches of code for many releases; Specifically there was one branch with and without the bullshit optimization of a custom memory management strategy. Despite the fact that this optimization was not beneficial on any but a very small subset of systems, it was turned on by default. The other branch of code without the memory management hadn't been tested in forever, so code coverage was clearly not a requirement for a release. This also means the optimization wasn't even being profiled against malloc() and free() to see if it was even faster. Memory management is a KNOWN major exploit attack surface... If the code isn't being tested, you don't fucking leave it in the code base, and you NEVER take code out of the code base leaving only a kludgey optimization hack, so this forces you to test the damn code. Just any degree of secure development best practices themselves would have been enough to catch heartbleed.

Want to help steer clear of the next heartbleed? Don't use 3rd party libs that can't test cleanly with memcheck: Yes, I know they can have obcaches and etc. custom memory management which makes memcheck complain even if they're used correctly, but GC is a prime KNOWN place for state leakages and subtle bugs to breed. Even my embedded scripting language for C has a GC that cleans itself up properly. Yes the OS reclaims allocated memory at program termination whether you free() or not, but it's just such a fucking minimal thing (a basic check) to just walk your data structures and release resources or que up a function to free() things atexit() so that memcheck is

Re:Input fuzzing, if you know what's good for you.

[dwheeler]

Profiling w/ 100% code coverage would have caught this bug. - No, code coverage would not have worked in this case. Since the problem was that code was missing, you can run every line or branch without triggering the vulnerability. For more, see: http://www.dwheeler.com/essays...

Input fuzzing in the unit tests under memtest could have located this bug even faster. - No, not in this case. Fuzzers were countered because OpenSSL had its own set of memory allocators. When fuzzing you often are looking for crashes; to force buffer over-reads into a crash, the usual way to do that is to override memory allocation. Since OpenSSL managed its memory separately, the override had little useful effect. For more, see: http://www.dwheeler.com/essays...

Re:Input fuzzing, if you know what's good for you.

> Fuzzers were countered because OpenSSL had its own set of memory allocators.

This. Portability implementers need to be *kept the hell away* from rewriting basic system calls. This is part of how OpenSSH has remained pretty secure, it's written for only one platform. Bugs are often introduced when making it "portable" to other operating systems with the OpenSSH "p1" releases.

Re:Input fuzzing, if you know what's good for you.

[SuricouRaven]

I know just enough mathematics to impliment my own key exchange and assymetric encryption functions.

I also know enough cryptographic practice not to attempt to do so. I leave that to the expects who know all the non-obvious mathematical tricks too.

Re: Republicans

[tlambert]

I have no idea why you're maintaining that "Republicans" create these bugs, and I'm, like, a socialist.

I think he's claiming non-Republicans can't code...

The LLVM static analyzer finds this bug.

[tlambert]

The LLVM static analyzer finds this bug.

So would warning about dead code, since the code past the point of the second goto is, by definition, dead code. Most people prefer automatic dead code elimination, mostly because they don't want to have to fix their code, if they could be working on new code instead.

When I turned on the "Brucification" warnings in the Mac OS X compiles, everyone bitched they couldn't see the new warnings their changes introduced with the previous (small) set of warnings that they personally cared about were all the compiler would complain about. We found tons of code in the VM system and elsewhere which was dead (most of them intended as code path optimizations, which is funny because performance testing would have found they didn't have any impact) because of "comparison is always true..." or "comparison is always false..." rendering them silently dead.

Unfortunately, -Wunreachable-code was removed from gcc in 2010 (brilliant move, that, in retrospect, wasn't it?).

Re:The LLVM static analyzer finds this bug.

[cryptizard]

Wrong bug dude. Heartbleed was a buffer overread.

Re:The LLVM static analyzer finds this bug.

[dwheeler]

The LLVM static analyzer finds this bug. So would warning about dead code, since the code past the point of the second goto...

Um, no. You're talking about the Apple "goto fail; goto fail;" vulnerability. That's a different vulnerability in a different program. They're both vulnerabilities in TLS/SSL implementations, but they are different programs.

LICENSE

Excerpt...

  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  * OF THE POSSIBILITY OF SUCH DAMAGE.

Not a buffer overrun

[Frankie70]

Second, there needs to be an emphasis on using languages that are not susceptible to buffer overrunning

Heartbleed was not really a buffer overrun problem.

Re:Not a buffer overrun

[cryptizard]

It was a buffer overread, which would also be solved with the same techniques.

Re:Not a buffer overrun

Actually it was though. Sorry.

Re:Not a buffer overrun

[Frankie70]

It did not read more memory than allocated.

Re:Not a buffer overrun

[Frankie70]

No, it wasn't. Sorry.

Re:Not a buffer overrun

[cryptizard]

Umm... yes it did. Details here. It is a classic buffer overread. The client sends some heartbeat data, plus the length of the data. The server copies as many bytes from the payload as specified by the user, even if it is only one byte long.

Re:Not a buffer overrun

[Frankie70]

Yes. It's a buffer overread. But if did not go beyond the memory allocated by malloc.

Re:Not a buffer overrun

[cryptizard]

What the fuck are you talking about. The relevant lines go like this:

unsigned char *pl = &s->s3->rrec.data[0];
n2s(pl, payload);

Get a pointer to the heartbeat data inside an SSL record and copy the first two bytes to a 16 bit value payload. pl will point to data on the heap, but it might only be one byte long.

memcpy(bp, pl, payload);

Copy payload bytes from pl to a bp. This will read pl, plus a bunch of stuff that is after pl on the heap. In that sense, "it did not go beyond memory allocated by malloc," but that is stupid because everything is allocated by malloc at some point. It goes beyond what was allocated by malloc for the buffer pl, which is the point.

Re:Not a buffer overrun

[Frankie70]

You have missed the malloc call. See what is being passed as size to the malloc call. That will show you that the it does not cross the size allocated by the malloc call (the malloc for this call - not everything allocated by malloc).

Re:Not a buffer overrun

[cryptizard]

Yeah, that is a malloc for the DESTINATION bp. The source pl was already allocated earlier and is not shown in that article, it is not dependent on the size claimed by the client only the actual size of the payload that could be read from the socket.

Re:Not a buffer overrun

[Frankie70]

Read this - http://blog.existentialize.com...

Will help your understanding. There is no buffer overrun.

Re:Not a buffer overrun

[cwsumner]

Yes. It's a buffer overread. But if did not go beyond the memory allocated by malloc.

Only because the programmers "hacked" malloc! Not Good!
And if your system fails, it doesn't matter if it was faster...

Re:Picard and his cute blanket

So cute!

Re:How about

The problem usually is, few people know these languages and they are not portable from one platform to another.

And in this particular case it wouldn't have helped anyway.

Actually I have a hard time finding real security cases that can have been avoided by changing language. It is all just theory.

Priorities?

[ponos]

Rigorous coding should be held to approximately the same standard as engineering and math. Code should be both proven correct and tested for valid and invalid inputs. It has not happened yet because in many cases code is seen as less critical (patching is cheap, people usually don't die from software bugs etc). As soon as bugs start costing serious money, the culture will change.

Anyway, I'm not a pro coder but I do write code for academic purposes, so I am not subjected to the same constraints. Robust code is easier with some languages and harder with others, but should be doable in any setting. In the end, some form of static and dynamic checking should provide reasonable security for almost any environment.

Re:Priorities?

As soon as bugs start costing serious money, the culture will change.

Fire the programmers who cost us serious money!

"Things are gonna change," you say? Grow up, kiddo.

Re:Priorities?

[ThosLives]

Rigorous testing is helpful, but I think it's the wrong approach. The problem here was lack of requirements and/or rigorous design. In the physical engineering disciplines, much effort is done to think about failure modes of designs before they are implemented. In software, for some reason, the lack of pre-implementation design and analysis is endemic. This leads to things like Heartbleed - not language choice, not tools, not lack of static testing.

I would also go as far as saying if you're relying on testing to see if your code is correct (rather than verify your expectations), you're already SOL because testing itself is meaningless if you don't know the things you have to test - which means up-front design and analysis.

That said, tools and such can help mitigate issues associated with lack of design, but the problem is more fundamental than a "coding error."

Re:Priorities?

[NapalmV]

The problem lies with how the "software industry" evolved over time, and the complete lack of user/consumer protection legislation regarding software products.
If the physical products manufacturers have a design fault, they will have to fix those products, during warranty period, at their own expense. If on top of it the defect is safety related, they'll have to fix it even beyond the standard warranty period. Whether the product is a car or a coffee grinder, they'll have to recall it period.
Now contrast this with software, where there's no liability and no recalls. All they would do is to provide some patches, when they want and if they want, that you would obtain and apply at your own expense. If MS for example would had been required to pay for the labor needed to apply all their patches to all the systems in use, they would had been bankrupt for a long time now.
The software "culture" will not change a bit unless there would be some legislation introduced to force it to happen. However this probably won't happen any time soon. "Lobbying" will take care.

Re:Priorities?

Well, the guy wrote a phd-thesis ont he subject first, maybe this qualifies as "design"? AFAIK it even specifically mentioned the risk, it's just that during implementation it was forgotten.
However, once can and will always make small mistakes like this one during the implementation phase, no matter how good and sound and perfect the design or the development process. Testing, reviews, etc. do help, but something will always slip through. The only thing that can (sometimes) prevent eventual failure is redundancy, which is however expensive and (in a communications protocol) quite difficult to do in an efficient way.

The physical engineering disciplines are also no shining beacon of hope, while they do design for common failure modes, they almost never have to deal with malicious intent. Safe boxes, car locks, AT machines, etc. can all be broken into and frequently are, despite being designed for security by your lauded, mythical "physical engineer".

Re:Priorities?

[gnasher719]

Rigorous testing is helpful, but I think it's the wrong approach. The problem here was lack of requirements and/or rigorous design.

The real problem is the horrible OpenSSL code, where after reading 10 lines, or 20 lines if you're really hard core, your eyes go just blurry and it's impossible to find any bugs.

There is the "thousands of open eyes" theory, where thousands of programmers can read the code and find bugs, and then they get fixed. If thousands of programmers tried to read the OpenSSL code with the degree of understanding necessary to declare it bug free, you wouldn't end up with any bugs found, but with thousands of programmers gone screaming mad.

Re: need to get over the "cult of macho programmin

yes. exactly, exactly! a piece of software no matter how open or closed, is a concept, an idea so on and so forth. but when you program a finite automaton ( any computer) to work by the rules described by that software, then you, the guy who installs that set of rules ( the software ) bare a lot if not all the responsibillity. in my oinion we take computers and software for granted and we shouldn't.
final thought : the people who wrote the code are not responsible for proposing a piece of software, but everybody who put it into production bares responsibility.

Re:How about

So you are saying Open Source is inherently flawed because "the developers don't have access to all of the resources that corporations tout around"?

Re:need to get over the "cult of macho programming

[jhol13]

This problem was caused by a simple missed parameter check, nothing more. Stop acting like the cultural problem is with the developers when it is with the leaches who consumer their work.

I do not believe you. If this were an isolated case, then you'd be right. But no, this kind of "oops, well now it is fixed" things happens all the time, over and over again. The culture of the programming never improves due to the error - no matter how simple, no matter that it should have been noticed earlier, no matter what.

I am willing to bet that after next hole the excuses will be same "it was simple, now it is fixed, should up" and "why don't you make better, shut up" or just "you don't understand, shut up". And still the cowboy-coding continues.

This was caused partially by unchecked parameter (this should have never happened, there is no excuse for it), partially because the idiots used their own allocator which created the covert channel and prohibited the use of malloc-debug libraries. Libraries which would have found the error - again this should not have happened.

But then, maybe I just should shut up ...

Re:need to get over the "cult of macho programming

yes developers are humans so they make mistakes. Some of them are technical some organizational I.e. not having proper or at least sufficient process in place. The faults are just part of what we do, they are unavoidable and we just need take care of them. Calling users of openssl leaches proves does only one thing - shows how stupid you are.

Re:need to get over the "cult of macho programming

[ultranova]

Maybe deep inside some kernel routine we cannot afford the 0.5nanosecond it takes to check the buffer size,

Speaking of weird remnants of the past, I've seen claims about the kernel needing to be uber-efficient before, but does that really make any sense? How much time does the average machine spend executing kernel code, besides the idle loop? If kernel was 10 times as slow, would it still be a significant amount?

and we can always have a pragma that disables the checking for that piece of code.

No we can't, because every programmer is better than average, thus they clearly can disable the checks safely, and as the Heartbleed fiasco showed, they will do stupid shit to gain a (real or imagined) speed advantage.

No, if checks are to do any good, they need to be mandatory. But we already have a language that does that, and Java is bitterly hated precisely because it keeps programmers from living dangerously. Not that that stops them from inventing new and innovative ways of screwing up, as evidenced by the software that requires a particular JVM version...

Also, I'm not at all certain that a truly secure programming language wouldn't face opposition or outright sabotage from various intelligence agencies. Whether the excuse is spying on your own consumers or the foreign dogs, everyone and their dog wants access to every system they come across.

Pointers & indrection

= what arrays use for indexing. Arrays need contiguous memory whereas linked lists don't (and they operate on pointers).

Re:How about

GNU rewrote Unix

No. GNU took existing projects that existed under permissive licenses and called them a UNIX replacement after GNU relicensed them under the GNU license. Other than 3.1 MB of "Hello World" source, GNU has done fuck all. They don't even have a kernel, yet.

Re: need to get over the "cult of macho programmin

No there isn't

Re:How about

[cryptizard]

How would it not have helped? In a memory safe language the buffer overhead which caused the bug could not have happened.

Re:How about

[Pricetx]

A quote from the "Insane Coding" blog, which in turn quotes from the book "cryptography engineering":

The issues with higher level languages being used in cryptography are:
- Ensuring data is wiped clean, without the compiler optimizations or virtual machine ignoring what they deem to be pointless operations.
- The inability to use some high-level languages because they lack a way to tie in forceful cleanup of primitive data types, and their error handling mechanisms may end up leaving no way to wipe data, or data is duplicated without permission.
- Almost every single thing which may be the right way of doing things elsewhere is completely wrong where cryptography is concerned.

coders of OpenSSL and funding

Why would you want the OpenSSL people to be held accountable for something they basically just wrote on their own time since nobody else bothered?

I think this is part of the problem: much of the code was written as a hobby.

Which is fine, and doesn't necessarily mean it's bad code. But similar to how Linux started as a hobby, people are now paid full-time to work on the code.

The same thing should (and is) happening with OpenSSL: put a bunch of money (either the OpenSSL Foundation, or the Linux Foundation) and hire smart, competent folks to work forty hours a week on cleaning things up. It doesn't have to even be a lot of folks (6-12?), but it needs to be their job for forty hours a week to look at it.

We do it with BIND, ISC DHCP, Linux, etc., and many other important projects. The time has long past when proper funding should be applied to full-time developers to this.

Re:need to get over the "cult of macho programming

>But then, maybe I just should shut up ...

Yes. You should.

Re:Buffer overruns can be prevented at compile tim

Nope. You're a moron. This works fine for compile-time constants, but not dynamic/runtime initialized arrays. At least, not without overhead. But nice try. Maybe if type more words you can look smart in front of whoever.

Because we "code" instead of "design"

The fundamental problem is the current developer culture that sees software development as "coding".

It wasn't always this way. There was a time when "design" was considered crucial, and "coding" was seen as the elaboration of a design into something that could be compiled and executed. People assumed that eventually we would have a design level language that could be compiled - that "coding" would be at a design level.

Unfortunately, design level language have not caught on, even though there have been many developed in universities, so we are still stuck at a low level code level - way below the design level, and given the waning emphasis on design today, it is no wonder that we have so many vulnerabilities in software.

And this has nothing to do with agile development: agile development can work at a design level; but the culture emphasizes "code", and that is the problem.

Compounding the problem is the fact that most developers have little interest in secure design; and if bypasses design and goes straight to coding, then there is no secure designing, there is only "secure coding", which is a non sequitur.

Re: How about

I have reviewed code for dozens if apps and reported dozens of bugs for them. The problem is that not every project fixes them. Not even if you provide a patch and the issue is obvious programming error.

Sure, but not in C

[dwheeler]

Agreed, but not in C. You need to change C (and modify the code to use the functionality) or change programming language. The article does discuss switching languages.

Re:need to get over the "cult of macho programming

[prefec2]

Shit happens to the best programmers. The only thing to prevent such things is to check the code. Therefore, you need another person trying to test the code and you need a specification for the code so you can really check the code against another artifact. But obviously nobody bothered. That's why in housing the architect plans the building and at least two structural designer check the design (at least in Germany that is).

Re:need to get over the "cult of macho programming

Speaking of weird remnants of the past, I've seen claims about the kernel needing to be uber-efficient before, but does that really make any sense? How much time does the average machine spend executing kernel code, besides the idle loop? If kernel was 10 times as slow, would it still be a significant amount?

Assuming that kernel time is 1% of your total CPU time. Your 10x number, now becomes 10% of CPU time. Which could possibly translate into 5-15% less battery life.

Not every machine running code is a desktop hooked to a power line. There are a lot of battery-powered devices out there which also need to run code, where you do need to think about clock cycles. Or systems which have very limited CPU power.

That being said, in 98% of the time, a developer's focus should be on using appropriate algorithms / design patterns which are fast and efficient in 90-98% of cases, rather then playing around with ASM or low level C trying to squeeze out that last 2% of performance.

Re:need to get over the "cult of macho programming

[serviscope_minor]

OpenSSL used its own allocator, the most positive thing I can say about that is "totally idiotic".

That's deeply unfair. The most positive thing I can say about it is that it was 100% necessary a long time in the past when OpenSSL ran on weird and not so wonderful systems.

AFAIK nobody is removing it ...

Except in LibreSSL, you mean?

Furthermore, C is insufficient language for a security software (C++ when properly used barely acceptable, managed languages much better).

Depends on the amonut of auditing. C has huge problems, but OpenBSD shows it can be safe.

Re: need to get over the "cult of macho programmin

I wasn't really thinking about fully managed languages here, just a step up. This bug would never have happened if it had been written in Ada, Pascal, Fortran, etc, and the program as a whole would most likely not have been slower.

Re:How about

most crypto is NOT performance sensitive at all

Ever run a web server with HTTPS? At work, not all systems have Xeons with AES yet, so we don't enable AES-NI on images, which means AES is all done in software. This became such an issue, that the majority of the web server's CPU was being consumed by AES. We eventually had to purchase a $250,000 firewall+reverse proxy. Since you can't just have 1 of something for redundancy reasons, we had to purchase two of them, so $500k, and because we have an offsite datacenter in case the main one goes down, that's another $250k. All in all, $750k because we can't enable AES-NI. Freaking awesome!

I guess these firewalls do a lot more than just offload HTTPS, but it's the biggest feature the web admins care about.

Re:How about

Says the people defending c programmers...heartbleed...who is real idiot...

signed,
garbage collecter

Re:need to get over the "cult of macho programming

[webnut77]

$2k. That's not a typo, they received two hundred dollars.

DOES NOT COMPUTE

You must be one of those high-level language compilers to have caught that error.

Re:need to get over the "cult of macho programming

I do not donate to programs written in c...

Re:need to get over the "cult of macho programming

[SuricouRaven]

"businesses with a turn over $x million dollars should be required to use software developed only by the approved organisations."

That would just lead to regulatory capture. The approved organisations would use their connections and influence to make it very hard for any other organisations to become approved - and once this small cabal have thus become the only option, they can charge as much as the like.

Re: need to get over the "cult of macho programmin

[SuricouRaven]

But they do give the programmer control of where the checking happens.

If you have a function CalculatePasswordHash(char *pass, int len) that in turns calls functions sha1, memcpy, rotatebit and xor fifty times each passing that len parameter, then you can check it is = the space allocated for *pass just once, rather than doing it for every function and thus needing two hundred and one checks minimum.

Re:need to get over the "cult of macho programming

[SuricouRaven]

A lot of kernel stuff is very time-sensitive. Got to get the next block of sound to the audio device before the ring buffer catches up, got to get the display memory updated before the screen refresh kicks in, got to calculate the next LBA address read before the disc spins around to whereever it may lie.

Re:How about

[Zero__Kelvin]

"Don't use C and its variants like C++. C "

Yes. Also, the problem with Rap is that it is in English. If they just wrote their masogenistic statement in a different language all would be well!

Seriously, please stop with the ridiculous claim that the language is the problem. The problem is that nobody is perfect, no process is perfect, and mistakes will always happen. They will happen far more often when the system is implemented by people who understand so little about software development that they think the language is the problem.

Re:need to get over the "cult of macho programming

I agree that in general corporations are not going to contribute anything back to open source unless it somehow helps them. I also believe that something as fundamental as security libraries should undergo much more review care and planning than they likely do, be they closed or open source. I do not agree that security libraries should be written in some specific language, though if you can get the same performance in a more secure language that is also widely used, then it makes sense to make the transition. That being said, if you don't make the performance requirement you need, people will not use a particular library.

The problem ultimately comes down to money. With sufficient care a high paid team of experts could write the requirements and checks needed to make it reasonably secure, while another highly paid and experienced team could code it. Ideally you would want this kind of thing repeated in multiple countries with multiple levels of review for the really important stuff. A piece of code designed that way is likely to have the needed review. It also may end up being slow, due to the vast amount of concensus required, but then it is the standard compromise.

Faster, cheaper, better. Pick any two, except in something this important your likely to get slower, more expensive, better, if you truly want the best. Another sad fact is you can't trust an agency like the NSA to oversee such work, since they have a clear conflict of interest. The best idea that comes to mind would be to entrust such work to say three top universities in three different countries, perhaps with undergrads being given full ride scholarships if they find an important enough bug... Of course, I don't think that level of commitment is ever going to happen, but if you truly want bulletproof security, I think that is probably about the level of comittment needed. (It would also be best, if at least one of the universities was from a country that did not actively get along with the other two countries.)

Re:How about

[TVmisGuided]

Adacore has a perfectly good implementation of a high-security Ada compiler, which produces executables for multiple platforms. There's nothing difficult about finding such tools. What's difficult is finding programmers and developers who are willing to take the time to actually develop their code to take advantage of the strict typing which is one of Ada's strengths.

John Barnes, author of one of the most-used Ada texts, outlined the meanings of "safe" and "secure" software in a very straightforward manner:

If software is "safe", it cannot harm the world

If software is "secure", the world cannot harm it.

From what I've seen, C and its derivatives do not have the intrinsic mechanisms to make software developed with that language either "safe" or "secure". It's too easy to break both safety and security using C and its derivatives, because a programmer can cast between types, auto-promote from one type to another, and similar logical faux pas, and the compiler will very happily allow such to take place, which means most bugs are able to hide until run time. Not so with Ada; because of strict type checking, casting must be explicit, and an attempt to auto-promote will be met with a CONSTRAINT_ERROR at compile time.

As the poster on my wall says, "[i]f builders built buildings the way programmers write programs, the first woodpecker to come along would destroy civilization."

Re:need to get over the "cult of macho programming

I can see the cattle call now from a lot of software places: "But forcing all these bargain basement H-1Bs or our offshore, oursourced dev shop to adhere to these standards costs us money, and security has no ROI! Lets just keep coding cheaply, and pay people off if something does get discovered."

Bounds checking in C?

[NorthWay]

Is there any reason we can't get bounds checking in C?
I think I read something about an interpreted version of C some time ago that did this.

stop using C

move on ...

Zero memory

[elbonia]

Wouldn't the best course of action be to zero important memory after it's use just like on disk. After something like a password is loaded in memory it should always be followed by memset with zeros in C/C++. That way if an unchecked read is followed all that would be read is null.

Re:Zero memory

[david_thornley]

Yes. You're right. That way, neither a Heartbleed-type vulnerability nor a buffer overflow would access freed memory with anything in it. This is difficult to get right in C, and even C++, unfortunately.

Moderators on drugs?

Why was a comment about the horrific attack on science and technology by Republicans moderated as funny? It's horrible. I guess the same idiot that did that thinks Holocaust jokes are funny. You Republicans are all alike.

Re:need to get over the "cult of macho programming

[Raenex]

Depends on the amonut of auditing. C has huge problems, but OpenBSD shows it can be safe.

How so? OpenBSD says they audit their operating system (which includes code that they did not write). OpenBSD was affected by Heartbleed, which means OpenBSD's audit did not catch this bug, and they were affected just like everybody else.

Also, most of the bugs on their advisory page are for typical C memory problems, such as use after free and buffer overruns.

Re: need to get over the "cult of macho programmi

[Raenex]

So there's nothing inherently unsafe about C. Its just that most implementations haven't bothered to deal with the problem.

C is inherently unsafe because the default mode is unsafe. History has shown that expecting implementations to add security after the fact does not lead to secure programs. C's builtin strings, which are null-terminated and prone to security flaws, are a perfect example of C's insecure defaults.

Also, the Heartbleed over-read could have happened in Java. Plenty of high-performance Java projects use buffer pools that look identical to what OpenSSL was doing. They do it to cut down on garbage churn.

Could have, yes, but you have to go out of your way in Java to fall to this kind of bug. There's a huge difference.

Not preventable

[Tony+Isaac]

Of course, we should find ways to improve quality control in open source software. But the next Heartblee is going to happen. It's like asking, "How can we prevent crime from happening?" Sure, you can and should take measures to prevent it, but there will always be unexpected loopholes in software, that allow unwanted access.

Re:How about

[gnupun]

I never liked it much, even though I did turn in successful code a few times, and I really have a problem with Ada for open source applications

Can you express what you didn't like and why? Perhaps it's a bit verbose and overly strict. But the strictness means you find many bugs during compilation and basic testing. Of course, compiler and runtime errors frustrate many programmers, which is why many prefer C -- fewer warnings and errors. Let the customers deal with the errors.

But as I think more about it, one of the problems revealed by Heartbleed is open sourcing the target code didn't result in a lot of properly trained eyes passing over that code.

But this class of bugs (buffer related) is extremely common in many software apps, (specifically C apps because C uses pointers for buffer management instead of creating a dedicated type). Why should you need many eyes to perform such a tedious task when the compiler/runtime can do it more efficiently?

Preventable!

[dwheeler]

But that's the point, we can and should take measures to prevent it. Even if we never eliminate all vulnerabilities, we can prevent many more vulnerabilities than we currently do.

Re:Preventable!

[Tony+Isaac]

No doubt. So why didn't YOU take steps to prevent the Heartbleed vulnerability? The same reason everybody else didn't: time. Finding bugs takes time. Sure, you can automate, but that automation also takes time. So we are caught between two desires: 1) the desire to add or improve functionality, and 2) the desire to avoid vulnerabilities. The two desires compete for the amount of time that is available, so it becomes a trade-off.

It's also an arms race. There is real financial incentive for finding vulnerabilities that can be exploited, far more incentive than there is for software authors to prevent exploitation.

Given that it's not FUN to find vulnerabilities, unless you are the guy trying to exploit it, there are always going to be vulnerabilities.

One Source to Rule Them All

[GavrielPlotke]

The bug is foremost a flaw in the Interface call.
The spec can be described as "Here is a bit of data, send it back to me so I know you are alive".
But there are two separate sources for the length of the data:
- The write length
- The read length
Why a parameter for the read length at all?
We already know how long the string is!
.
The general rule is to have one authoritative source for any given peace of information.

Re:need to get over the "cult of macho programming

Not only did OpenSSL have its own allocate, it also had logical dependencies on a security hole in the allocater. OpenSSL actually required, based on the way that it was written, that the data be available after it was freed and reallocated!

a = alloc(n)
*a = *x
free(a)
a = alloc(n)
assert(*a == *x)

WTF kind of coding practice is that?!

Short answer: better tools

The short answer: better tools. Coverity isn't complete, nor are other tools. 15 years ago Coverity was an idea. 10 years ago it transitioned from a project in a university lab to a commercial product. 5 years ago it was used by the US-DHS to check 50 commonly used open source products, and many other proprietary products. Now holes in how it does what it does are being found and more tests and checks are being added. The tools are maturing but are not perfect yet. Its not a time to abandon these tools, its a time to improve them, make sure they 'fix' is able to find not just the current flaw but all other similar generic kinds of flaws like it, and then move on.

Re:need to get over the "cult of macho programming

[Bengie]

Because of Amdahl's law, a 1% increase in time could cause an unbounded amount of slowdown. You may go from having a cap of 32 cpus of performance to 4 cpus of performance because context switching takes longer, which causes some threads to hold locks longer. In the case of multi-threading, 1% can turn into 10,000%.

Re:How about

If translate OpenSSL -> C. Then you only need the translated code.

Re:need to get over the "cult of macho programming

[gnasher719]

This. It is high time that by default C compilers did buffer overrun check.

It has been claimed that due to OpenSSL's own memory management, this wasn't actually a buffer overrun. If you allocate 10 bytes for X, 5,000 bytes for Y, and 50,000 bytes for Z, but your proprietary allocator puts all these items into a 1MB malloc block, then copying 50,000 bytes from X isn't a buffer overrun to the compiler.

The real problem was that the code tried to respond to requests that it shouldn't have responded to. In this particular case, trying to respond could have triggered a buffer overflow, but in other cases, it might not.

Re:How about

[gnasher719]

My experience is that reading code isn't a very good way to catch bugs, mainly because reviewers tend not to read it as carefully as the person who wrote it. If you want to find bugs, it's more effective to do white/black box testing of some sort.

That depends. Your reading of code can have three possible results: 1. "There are no bugs". 2. "There are bugs A, B, C and D; go and fix them". 3. "I can't understand the code to a degree that I can say it is bug free".

In case 3, the code should be rejected unless it is code handling some really hard problem that needs a better reviewer. The area where the Heartbleed bug happened was in no way difficult, so code that is hard to understand should have been rejected. If that happens, reviews reduce the number of bugs.

In addition: Even good programmers make mistakes. However, good programmers can write code that even with mistakes either works or doesn't work but doesn't have hidden problems.

Re:need to get over the "cult of macho programming

[Alomex]

Point taken, I've heard the same thing. This is also a problem with ancient languages: they have really primiitve malloc routines that call the kernel every time there is a malloc. The consequence is people roll out their own memory management routines.

Don't get me wrong, I used C heavily and really liked it, back in the late 70s and early 80s. Thirty years later is long on the tooth and with very little progress in between. The original version was released in 1973, the first revision took place 16 years later (ANSI C) and it was rather modest. Since then things have moved slightly faster with C99 and C11, but still not fast enough to correct what are, in retrospect, clear flaws in the language.

Re:How about

[phantomfive]

Maybe. I'm basically going on my experience here, code reviewers just don't put in the effort necessary to look for bugs.

If you can say you know how to always write code that is so clear that it never has any bugs, I would like to know how you do it.

Re: How about

[Likes+Microsoft]

TFA mentioned these advantages of the C-family as well.

Djikstra commented...

testing can show the presence of bugs, but not their absence.

Re:How about

[Dahamma]

Performance sensitive? really? most crypto is NOT performance sensitive at all and you could easily sacrifice some performance for more secure/reviewed code. I would imagine there are very few mostly fringe cases where the performance is more critical in which cases they should be uses modified versions not having hacks put into the main code stream.

First: how do YOU know whether crypto is performance sensitive or not "at all", because it's entirely dependent on the use of it.

Second: yes, it's absolutely performance sensitive because the trend is becoming to use HTTPS for everything. On a server that means the whole front end can greatly benefit from faster crypto, and on client side one of the most popular current Internet applications - video streaming - often uses crypto for DRM so the entire video stream needs to be decrypted in real time. Sorry, Netflix is not a "fringe case".

Missed Test Case for RFC

[tim.c.quinn]

RFC 6520 clearly states "If the payload_length of a received HeartbeatMessage is too large, the received HeartbeatMessage MUST be discarded silently." If best practice for test case construction and execution is done, this RFC item would be linked to one or more negative tests and these tests must pass to allow the code to move forward. I'm surprised that this was missed in such an important library. I'm also a bit surprised that this article fails to mention this.

Re:How about

[Dahamma]

"Multiple platforms" means nothing if it's not MY platforms (which looking at it in general, it's not).

Re:How about

In fact, due to C's popularity, pretty much every language in existence has a way to call to/from C. These vary in how heavyweight they are, but the overhead/complexity is usually due to having a different runtime model (i.e. garbage collection, different restrictions on value layouts), but that shouldn't be an issue for a language low-level enough to be considered as a replacement for C. We most definitely should be using some other language (or, equivalently, a subset of C that is statically checkable/checked to be free of certain classes of bugs, including buffer overruns like Heartbleed).

Re:How about

You are right. You can write bugs in any language. Unless you take the tremendous effort to prove your code correct of course, but even then you can only prove it secure against attacks you can think of (mainly a problem for crypto where every few years someone thinks up a new side-channel). You can't do that for most code, but you can do code reviews / other process requirements. That said, there's no reason to not mechanize checks against known classes of bugs. Whether you use a different language or a subset of C that conforms to a static checker that proves there are no buffer overflows / other bug classes you want to avoid,

Re:How about

[LordWabbit2]

If you are pushing out a lot of traffic then you would typically offload crypto duties to an application delivery device like F5 so your farm does not have to worry about the load of decryption/encryption.

Re:How about

[TVmisGuided]

Not to belabor the obvious, but that takes the "Open" out of the equation, doesn't it?

Re:need to get over the "cult of macho programming

[Moondevil]

Fully agree with you. Even in 1975 there were better, safer languages than C for systems programming.

Re:How about

[Dahamma]

What does that have to do with it? For example. as far as I can tell there is no MIPS support at all.

If you look at the OpenSSL Makefile/config, it's been ported to literally HUNDREDS of platforms. Of course, all of those have a basic C compiler. Probably 10% would be supported by AdaCore.

And, of course, yes, if you wanted to port OpenSSL to a proprietary platform and not release the source, that's perfectly acceptable given the OpenSSL license.

Formal Language Theory

[massivedata]

I agree with ThosLives, it was a design issue. Heartbleed could have been avoided if the input language was designed to be context-free. The error was caused by the use of a length field, which makes the input to the system context-sensitive. This was not necessary. Start and end delimiters could have been used instead, which would have made the vulnerability impossible. The input language to a software component should be recognised by a machine with the lowest computational power possible. In the case of a TLS hearbeat message a regular language would do the job. Comments which were mentioning it should not have been implemented in C were close to the mark, the input parser should have used only regular expressions. I have written a review of a paper on this topic which has changed the way I think about designing software inputs: http://edenduthie.com/2014/05/...

Re:need to get over the "cult of macho programming

[DaveHowe]

The reality was both more interesting and much worse than the above implies.

The OpenSSL project had one full time programmer as gatekeeper; he passed the code and added it to the tree, when in fact it missed a bounds check the RFC it implements says should be made.

As an OSS project that accepts patches from the community, the submitter could have been anyone, of any level of ability. In practice, the submitter was a student, who had written not only this patch but the RFC that describes the change, as part of his thesis project. The idea was to increase the efficiency of SSL *in UDP* for applications such as OpenVPN, by adding a "are you still there?" heartbeat exchange.

The final patch was submitted (and accepted) on the evening of Dec 31; I am at least slightly suspicious of the timing, as it smells of trying to meet some arbitrary deadline (and a student throwing in his work "under the wire") rather than the "when its as perfect as I can get it" criteria that should govern a submission to a security product.

Re:How about

[david_thornley]

Thing is, there are some safety features in C that could have been used. If there had been a consistent use of calloc() instead of malloc(), Heartbleed would not have been exploitable. (My guess is that they used malloc() since it's a touch faster than calloc(), since it doesn't zero the heap.) Personally, I think their handling of the memory heap was just asking for major trouble.

I believe that any team that manages to take something written in C and make it less safe is going to screw up royally in any language. Moreover, since they removed what pitiful protections C has for the sake of performance, they wouldn't have written OpenSSL in a safer language in any case.

BTW, C++ is a far safer language to write this stuff in than C. It's a C variant in the sense that Java is. I don't know that it's a good language for security software (although a whole lot better than C), but when I discussed this on Bruce Schneier's blog I found that nobody there knew anything about C++ more modern than my son (finishing his second year at college now). Since it has all of C's performance ability when you want it, it is probably worth a second look.

Re:How about

[david_thornley]

My experience is that code reviews catch a lot of bugs, myself. Testing is good, but there's lots of stuff it's never going to catch.

Re:need to get over the "cult of macho programming

[david_thornley]

I don't think regulation is the answer; I think that holding businesses accountable is the answer. If it seriously hurt a company to get hit by Heartbleed, they'd have an incentive to make sure OpenSSL worked right.

Re:need to get over the "cult of macho programming

[david_thornley]

Except that this wasn't a buffer overrun. Given a request to return the 65K characters of "foo", apparently OpenSSL allocated a 65K buffer and went through it properly. The problem here was that the memory hadn't been cleared out.

Still, proper use of C++ will do wonders at stopping buffer overruns.

Re:need to get over the "cult of macho programming

[cwsumner]

If you are worried about security don't use software written by people who can't be bothered to check parameters.

"If Engineers built buildings the way Programmers write programs, the first Woodpecker that came along would Destroy Civilization!"

Re:need to get over the "cult of macho programming

[cwsumner]

When free enterprize gets bad enough, regulation is the result.
Clean up your act, or you will be roadkill for the control freaks in government!

Re:How about

[phantomfive]

If you think back, you'll be able to think of plenty of bugs that made it past your review.

Re:How about

[david_thornley]

Sure. I've written plenty of bugs that got into production despite code review and testing. That doesn't mean testing and review are useless.

Re:How about

[phantomfive]

No one said testing and review are useless

Re:need to get over the "cult of macho programming

[jhol13]

The allocator was never "100% necessary". It might have been advantageous in some systems, but in vast majority of systems it have never been more than a hassle. Then when they made the OpenSSL unworkable without their allocator - or rather without the undocumented behaviour their allocator happened to have, they should have removed it immediately. But no, they were macho, they thought "we know better".