guest

origins of libressl

While I still remember the timeline and before I get confused by outsiders trying to rewrite history, here’s the official unofficial history of libressl. If there’s any one person to blame for causing libressl to happen, I’d have to say that it’s me. That’s not to say it was my idea, just that I instigated. This is how it began; who knows how it ends?

Heartbleed is the obvious place to start, but at the time it was just another in a serious of annual catastrophic OpenSSL bugs. The ease and speed with which 20 different exploits showed up on github was a new twist, but the “drop everything, set your hair on fire, patch OpenSSL” mania was otherwise about par for the course. There was also the wrinkle that the bug was in a default activated feature used by zero people that one couldn’t disable without recompiling the whole library. That probably would have lead to a tightened review process for any further OpenSSL updates in order to avoid more poison slipping in, but not a fork.

Continue reading origins of libressl...

Posted 2014-04-22 14:10:40 by tedu Updated: 2014-04-22 14:10:40
Tagged: software thoughts

worst common denominator programming

The common way to approach software portability is to establish a baseline and then program to that least common denominator. The portability layers in OpenSSL, however, go way beyond least. This is a fully realized experiment in worst common denominator programming. Some examples.

strlcpy

Let’s start with a fair replacement. There are still some lesser operating systems that lack strlcpy, so including an implementation for them is reasonable. At least OPENSSL_strlcpy is a compatible implementation with the real strlcpy. Perfect example of least common denominator compatibility. (I have a strong preference for omitting the namespace prefix in cases like this, only including the replacement code when necessary, but it is what it is.)

Continue reading worst common denominator programming...

Posted 2014-04-22 07:34:04 by tedu Updated: 2014-04-22 07:34:04
Tagged: c programming

xenoanthropology

The last two issues of The New Yorker had a great series of articles on aspects of human culture. Stepping back and looking at ourselves as aliens, it can be hard to comprehend all the “others”.

Bus Ride takes the B46 through Brooklyn. The list of store names passed by is not to be missed.

The Barbarian Group throws a Superdesk Party, centered around the giant desk that weaves its way through their entire office. “You could have an epic game of Flip Cup, with, like, fifty people.”

This Is My Jail chronicles the conditions in Baltimore’s City Detention Center, its male inmates and their female guards, and the effective role reversals that brings about. It’s a long article, but after every paragraph I had the same thought. This must be happening on some other planet.

Continue reading xenoanthropology...

Posted 2014-04-20 19:05:50 by tedu Updated: 2014-04-20 19:05:50
Tagged: magreview

analysis of d2i_X509 reuse

A little while ago, Tavis Ormandy twitterated about an OpenSSL bug he reported. This didn’t sound good, so I took a look.

d2i_X509

Read the linked email for all the details and a test case. The short version is that X509 *d2i_X509(X509 **px, const unsigned char **in, int len); says you can reuse allocated memory, except when you can’t, but the failure mode isn’t pretty. Basically, there are three ways to call this function. With px == NULL, it will allocate and return memory. With *px == NULL it will allocate and return memory, and set px. With *px != NULL, it will use the memory provided. The bug is that if you choose door number three, it needs to be freshly allocated. You can’t reuse an existing structure, or it may lead to false cert validation.

Continue reading analysis of d2i_X509 reuse...

Posted 2014-04-18 15:06:37 by tedu Updated: 2014-04-22 05:05:58
Tagged: c programming security

snowden and putin have a chat

Snowden had a fall back question: ”Can it be conclusively proven that you’re not the greatest leader in human history?“” - steven_metz

Told Snowden Russia does NOT collect data of millions of citizens. Instead we collect the actual citizens. In camps. Long as they can work.” - ViktorInEnglish

I think the keyword there is “uncontrolled”. It’s totally controlled. They target everyone individually. It’s not “mass”” - thegrugq

Posted 2014-04-17 18:48:24 by tedu Updated: 2014-04-17 18:48:24
Tagged: politics quote

ten year reunions

The only thing better than remembering the past is reliving it.

Yellowcard released an acoustic version of Ocean Avenue last year to commemorate the ten year anniversary of the original release. Then they went on tour to promote, starting at the TLA. That was such a great idea that The Ataris launched a ten year “reunion” tour for So Long, Astoria (skipping the album part), which eventually came to TLA as well. Both shows were fun, in part for the same reason: they played the band’s breakout hit(s) in album sequence, instead of saving them for the encore. They didn’t play any new or old songs I didn’t like, or didn’t expect. Predictably enjoyable, enjoyably predictable. On a personal level, these two albums recapture the past in a way that VNV Nation albums like Futureperfect don’t. Then again, VNV Nation didn’t peak ten years ago (though Welcome the Night is great too).

Continue reading ten year reunions...

Posted 2014-04-17 04:59:49 by tedu Updated: 2014-04-20 02:46:03
Tagged: games moviereview music philly

please do not poke the bears

Instead, he seems to have seized an opportunity to poke a giant bear with a stick. The bear then ate him and his users.” - tptacek

Posted 2014-04-17 04:59:25 by tedu Updated: 2014-04-17 04:59:25
Tagged: politics quote

analysis of openssl freelist reuse

About two days ago, I was poking around with OpenSSL to find a way to mitigate Heartbleed. I soon discovered that in its default config, OpenSSL ships with exploit mitigation countermeasures, and when I disabled the countermeasures, OpenSSL stopped working entirely. That sounds pretty bad, but at the time I was too frustrated to go on. Last night I returned to the scene of the crime.

freelist

OpenSSL uses a custom freelist for connection buffers because long ago and far away, malloc was slow. Instead of telling people to find themselves a better malloc, OpenSSL incorporated a one-off LIFO freelist. You guessed it. OpenSSL misuses the LIFO freelist. In fact, the bug I’m about to describe can only exist and go unnoticed precisely because the freelist is LIFO.

Continue reading analysis of openssl freelist reuse...

Posted 2014-04-10 13:04:41 by tedu Updated: 2014-04-17 01:09:54
Tagged: c programming security

heartbleed vs malloc.conf

About two years ago, OpenSSL introduced a new feature that you’ve never used or even heard about until yesterday, after somebody discovered a bug that could be used to read process memory.

heartbleed

The main heartbleed site has a decent amount of information, but no detailed description of the bug. For that, read Diagnosis of the OpenSSL Heartbleed Bug. Here’s also a short pseudo version, for reference.

Continue reading heartbleed vs malloc.conf...

Posted 2014-04-08 18:36:16 by tedu Updated: 2014-04-10 13:52:22
Tagged: c openbsd security

are you now or have you ever been a homophobe?

It’s not surprising, but still disappointing, to learn that Brendan Eich was essentially dismissed as Mozilla CEO.

Whatever his personal views are, this was a great opportunity for Eich to prove that one’s personal and professional lives could be kept separate. That’s the kind of world I’d like to live in, a world where it doesn’t matter what you believe as long as it doesn’t affect your job performance. Instead, we’ve proven the opposite. If your activities outside of work don’t conform, out you go.

Eich would have been subject to serious scrutiny. Often people even overcompensate to prove they’re unbiased (though it’s hard to imagine what overcompensation would be in this case). But he was never given the chance. Now he’ll go back to whatever he was working on before, maybe making a javascript engine that doesn’t run gay javascript, but without as much public oversight.

Continue reading are you now or have you ever been a homophobe?...

Posted 2014-04-04 02:29:13 by tedu Updated: 2014-04-20 16:58:07
Tagged: politics thoughts