From owner-freebsd-security@FreeBSD.ORG Mon Apr 21 03:06:26 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C791FCCA for ; Mon, 21 Apr 2014 03:06:26 +0000 (UTC) Received: from pacha.mail.dyslexicfish.net (space.mail.dyslexicfish.net [91.109.5.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7546312FD for ; Mon, 21 Apr 2014 03:06:25 +0000 (UTC) Received: from catnip.dyslexicfish.net (space.mail.dyslexicfish.net [91.109.5.35]) by pacha.mail.dyslexicfish.net (8.14.5/8.14.5) with ESMTP id s3L36JhB020866; Mon, 21 Apr 2014 04:06:19 +0100 (BST) (envelope-from jamie@catnip.dyslexicfish.net) Received: (from jamie@localhost) by catnip.dyslexicfish.net (8.14.5/8.14.5/Submit) id s3L36JfU020865; Mon, 21 Apr 2014 04:06:19 +0100 (BST) (envelope-from jamie) From: Jamie Landeg-Jones Message-Id: <201404210306.s3L36JfU020865@catnip.dyslexicfish.net> Date: Mon, 21 Apr 2014 04:06:19 +0100 To: hcoin@quietfountain.com, freebsd-security@freebsd.org Subject: Re: De Raadt + FBSD + OpenSSH + hole? References: <534B11F0.9040400@paladin.bulgarpress.com> <201404141207.s3EC7IvT085450@chronos.org.uk> <201404141232.s3ECWFQ1081178@catnip.dyslexicfish.net> <53522186.9030207@FreeBSD.org> <201404200548.s3K5mV7N055244@catnip.dyslexicfish.net> <53540307.1070708@quietfountain.com> <20140421000122.GS43976@funkthat.com> <53546795.9050304@quietfountain.com> In-Reply-To: <53546795.9050304@quietfountain.com> User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (pacha.mail.dyslexicfish.net [91.109.5.35]); Mon, 21 Apr 2014 04:06:19 +0100 (BST) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Apr 2014 03:06:26 -0000 "hcoin" wrote: > local variables) harms performance. It's also true doing both of these > things would not fix the flaw that 'opened the window' onto these data. > However it is true that doing so would make the exploit valueless as > 'opening a window' onto erased data would reveal nothing and could erase > trojan/virus 'hijack via code-injection then trampoline' opportunities. In the heartbleed case, was the bug returning stale freed memory, though? Couldn't it just as easily have been that the over-read was returning any other memory that the process has had allocated for other variables - data that was still in use? > If the variable stack and free() functions erased data spaces, there > would be no security value in having application edge malloc effectively > be calloc. Yeah. I had wrongly assumed that this was a throwback to more innocent days, and that these days, malloced space was effectively cleared by every sane OS, but due to backwards compatibility, the spec only defines calloc as acually clearing data, so you should never assume malloced memory was cleared, even though effectively it is these days. But Nathan and RW helpfully showed me where my reasoning failed! > There may be marginal security value in having OS edge free() erase data > before subsequent OS edge malloc of the same page to a process owed by a > different userid. Now this I don't get. Marginal? Surely in this case, this is a MUST. Otherwise we'd continually be getting local users getting data they shouldn't.... Every machine would be a 'heartbleed' for local users, even when running bug free code! I'd even extend this policy to different processes - even with the same id, because, of course, many daemons spawn children that deal with different connections simultaneously. (But of course in this case any leak would be down to bad programming if data leaks were discovered to be exploitable.) But yeah, surely if the UID (or more accurately, the EUID) were different but the data wasn't erased by the system prior to malloc, a leak would be unpreventable (unless, of course, the careful programmer never frees data, until he/she has erased it themselves beforehand. And who does that? > This entire discussion, (clear-on-free and > clear-stack-on-function-return) are resource heavy ways of managing > complexity. It is for the community to decide whether it is 'worth it' > on a case by case basis given there is no way to prove a program > 'correct' from a security perspective. I agree. More generally, all exploit busting mechanisms add to complexity and resources, whether it's DNS randomizing outgoing udp ports, or stack protection/pro police/canaries etc. You have to make a judgement call based between the protection of your software against speed, throwing into the equation the competence of your programming team! cheers, Jamie