From: "Poul-Henning Kamp"
To: Ben Laurie
Cc: "freebsd-security@freebsd.org security", "Ronald F. Guilmette"
Subject: Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
Date: Fri, 25 Apr 2014 20:46:37 +0000
Message-ID: <36500.1398458797@critter.freebsd.dk>
References: <86zjj9mivi.fsf@nine.des.no> <32060.1398457484@server1.tristatelogic.com>
List-Id: "Security issues [members-only posting]"

In message , Ben Laurie writes:
>On 25 April 2014 21:24, Ronald F. Guilmette wrote:
>> Separately, a code example of the following general form was discussed:
>>
>> if (condition) variable = value1;
>> if (!condition) variable = value2;
>> use (variable);
>>
>One better answer would be to have a way to annotate that after the
>two conditionals you assert that |variable| is initialised. Then a
>future, smarter static analyzer can attempt to prove you wrong.

The way you do that *IS* to assert that the variable is indeed set
to something you can use.

If your "security" source code does not have at least 10% assert
lines, you're not really serious about security.

And of course, if you compile the asserts out for "production" you
are downright moronic about security :-)

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
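A constructed illustration of the point made in this thread, written for this archive page and not taken from the thread, FreeBSD or OpenSSL: the two-conditional pattern with an explicit "variable is set" assertion after it, using a sentinel so the claim is checkable, and a `MUST()` macro (a hypothetical name chosen here) that is not compiled out under NDEBUG. The second function shows why the assertion earns its keep: its two conditions only look complementary.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* A check that survives -DNDEBUG, unlike assert(); hypothetical helper
 * written for this example. */
#define MUST(cond)                                                      \
    do {                                                                \
        if (!(cond)) {                                                  \
            fprintf(stderr, "%s:%d: invariant violated: %s\n",          \
                    __FILE__, __LINE__, #cond);                         \
            abort();                                                    \
        }                                                               \
    } while (0)

/* Sentinel meaning "not assigned yet"; an example value, chosen so the
 * "variable is initialised" claim can be stated as a runtime check. */
#define UNSET (-1)

/* The shape discussed in the thread, here choosing a retry delay from a
 * request size. The assertion after the two conditionals records the
 * author's claim that every path assigned `delay`; a reader, a test
 * run, and a static analyzer can all check that claim rather than guess. */
int retry_delay(int bytes)
{
    int delay = UNSET;
    if (bytes < 1024) delay = 1;
    if (bytes >= 1024) delay = 5;
    MUST(delay != UNSET);   /* holds: the conditions are complementary */
    return delay;
}

/* Same shape, but the conditions miss bytes == 1024. Without the
 * assertion the caller would silently receive the sentinel (or, in the
 * original uninitialised pattern, whatever was on the stack). With it,
 * the gap is reported at the point where the invariant is stated. */
int retry_delay_gap(int bytes)
{
    int delay = UNSET;
    if (bytes < 1024) delay = 1;
    if (bytes > 1024) delay = 5;
    MUST(delay != UNSET);   /* fails for bytes == 1024 */
    return delay;
}
```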