Theo de Raadt <deraadt <at> cvs.openbsd.org> writes: > > So then a bug shows up which leaks the content of memory mishandled by > that layer. If the memoory had been properly returned via free, it > would likely have been handed to munmap, and triggered a daemon crash > instead of leaking your keys. >
So maybe you're right. Maybe we should all have these protections. I know glibc has some, but I don't think it just crashes out if you malloc(16) and read 65000 bytes. It will if you're at top of heap (should I say top of brk() to sound like I know what I'm talking about?) and hit an unmapped page; but the heap is one continuous mapped region, and you'll wind up all over it. So most of OpenSSL isn't run on OpenBSD. We have appliances that are vulnerable--FortiNet stuff, SonicWall stuff. Lots of RedHat, Fedora, CentOS, SuSE, Ubuntu, Debian, whatever machines. Basically everyone's vulnerable. This vulnerability would have been found if, before release of 1.0.1, someone would have taken a packet analyzer to OpenSSL and tried this. Regardless of your OpenBSD special memory allocation leak condom, a bunch of data coming back when you should see 4 bytes says "something is very wrong here". So we assume it wouldn't have been found. If we did anything to trigger the bug, it would crash on OpenBSD, in Theo's ideal world; as apparently nobody triggered the bug, it still would have not crashed on OpenBSD, in Theo's ideal world. (We'll pretend Theo's ideal world is limited to coding concerns in OpenSSL, and doesn't involve everyone running OpenBSD or an OpenBSD-like malloc() implementation.) The moment this went out, some blackhat may have secretly analyzed the diff between 1.0 and 1.0.1 and gone, "Oh lol!" Or maybe saw the new support for TLS Heartbeat and gone, "Hey man, a new feature. I bet I can break it!" Security researchers took until 1.0.1f to do this. Even ignoring the full disclosure, a responsible disclosure would have shifted distribution packages around immediately when the new code went up. Every distribution has a network of friends in every other distribution who are all hooking up with upstream developers so that they all know about security vulnerabilities before they're out. Every distribution packages a patched binary before upstream drops code. Every distribution is ready to throw that thing right up on the mirrors immediately, one second after the code release hits the upstream repositories. And several hours later, sysadmins start noticing there's a security update. Some of us patch immediately, in production. Some of us have to run through evaluation, risk analysis (this takes me, personally, between ten seconds and ten minutes), testing, then final roll-out. Some of us need an hour; some of us need weeks. We're already hours behind. Between blackhats maybe finding the bug and not saying anything, blackhats analyzing the bug between announcement and the sysadmin noticing, and blackhats analyzing the bug between sysadmins noticing and patching, you have this big window of "maybe we were hacked, and we have no real way to tell." Congratulations: your Chief Information Security Engineer is Schrödinger's Cat. Your keys may have been stolen. Or not. You can patch quickly, but then you assume nobody has stolen your keys in the first hour or twelve that the exploit became known. So, no. Even if OpenSSL were developed "responsibly" by the standards of Theo, 99.999% of everything would still be vulnerable. Hell, even with "Responsible Disclosure", our only reasonable response to this bug is to revoke and reissue 99.999% of all SSL certificates ever issued. And that's even considering just how much of a huge advantage responsible disclosure would have given us in terms of response time, as I've illustrated. This is not a situation where the programmers would have saved us all the headache by not tweaking away an OpenBSD protection. That was never a thing. Good PR for that protection--and maybe we should look at implementing it everywhere; I don't know, I don't understand it and thus can't analyze the risks or costs--but it's not something that, as a protection only available currently on OpenBSD, would have actually changed the situation. GMANE captcha: profiled
