On 2018-12-31 13:03:27 -0500, Jeffrey Walton wrote:
> The GMP library uses asserts to crash a program at runtime when
> presented with data it did not expect. The library also ignores user
> requests to remove asserts using Posix's -DNDEBUG. Posix asserts are a
> debugging aid intended for development, and using them in production
> software ranges from questionable to insecure.

That's much better than letting the program run erratically, with
possible memory corruption and/or sensitive information leakage to
unauthorized users. You'd better fix bugs in your program.

> Many programs can safely use assert to crash a program at runtime.
> However, the prerequisite is, the program cannot handle sensitive
> information like user passwords, user keys or sensitive documents.
>
> High integrity software, like GMP and Nettle, cannot safely use an
> assert to crash a program. To understand why, the data flow must be
> examined. First, when an assert fires, a SIGABRT is eventually sent to
> the program on Unix and Linux
> (http://pubs.opengroup.org/onlinepubs/009695399/functions/assert.html).
>
> Second, the SIGABRT terminates the process and can write a core file.

That's the default behavior, but you can trap SIGABRT if you want.
Of course, there is no guarantee because the memory may already be
in an inconsistent state.

> This is the first point of unwanted data egress. Sensitive information
> like user passwords and keys can be written to the filesystem
> unprotected.

This can occur with any program, even not using asserts, e.g. due to
a segmentation fault (which may happen as a consequence of not using
asserts, with possibly worse consequences).

If you don't want a core file, then you can instruct the kernel not
to write a core file. See getrlimit.

> Third, the dump is sometimes sent to an error reporting service like
> Apple Crash Report, Android Crash Report, Ubuntu Apport, and Windows
> Error Reporting. This is the second point of unwanted data egress.
> Sensitive information can be sent to the error reporting service. The
> platform provider like Apple, Google, Microsoft and Ubuntu gain access
> to the sensitive information, in addition to the developer.

If you don't like them, do not use these services. Not using asserts
can also yield a crash, which will have the same consequences.
--
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
_______________________________________________
gmp-bugs mailing list
gmp-bugs@gmplib.org
https://gmplib.org/mailman/listinfo/gmp-bugs