From owner-freebsd-security@FreeBSD.ORG  Fri Apr 25 20:46:46 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id BAC79CAB;
 Fri, 25 Apr 2014 20:46:46 +0000 (UTC)
Received: from phk.freebsd.dk (phk.freebsd.dk [130.225.244.222])
 by mx1.freebsd.org (Postfix) with ESMTP id 7E59614ED;
 Fri, 25 Apr 2014 20:46:46 +0000 (UTC)
Received: from critter.freebsd.dk (unknown [192.168.61.3])
 by phk.freebsd.dk (Postfix) with ESMTP id 433841598;
 Fri, 25 Apr 2014 20:46:40 +0000 (UTC)
Received: from critter.freebsd.dk (localhost [127.0.0.1])
 by critter.freebsd.dk (8.14.8/8.14.8) with ESMTP id s3PKkbRL036501;
 Fri, 25 Apr 2014 20:46:37 GMT (envelope-from phk@phk.freebsd.dk)
To: Ben Laurie <benl@freebsd.org>
Subject: Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
In-reply-to: <CAG5KPzw_cOfFLX_kn=5DWAX+z+9VeXuzo3Q8YekDJG37tDQ_wQ@mail.gmail.com>
From: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
References: <86zjj9mivi.fsf@nine.des.no>
 <32060.1398457484@server1.tristatelogic.com>
 <CAG5KPzw_cOfFLX_kn=5DWAX+z+9VeXuzo3Q8YekDJG37tDQ_wQ@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Date: Fri, 25 Apr 2014 20:46:37 +0000
Message-ID: <36500.1398458797@critter.freebsd.dk>
Cc: "freebsd-security@freebsd.org security" <freebsd-security@freebsd.org>,
 "Ronald F. Guilmette" <rfg@tristatelogic.com>
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Apr 2014 20:46:46 -0000

In message <CAG5KPzw_cOfFLX_kn=5DWAX+z+9VeXuzo3Q8YekDJG37tDQ_wQ@mail.gmail.com>
, Ben Laurie writes:
>On 25 April 2014 21:24, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
>> Separately, a code example of the following general form was discussed:
>>
>>         if (condition) variable = value1;
>>         if (!condition) variable = value2;
>>         use (variable);
>>

>One better answer would be to have a way to annotate that after the
>two conditionals you assert that |variable| is initialised. Then a
>future, smarter static analyzer can attempt to prove you wrong.

The way you do that *IS* to assert that the variable is indeed
set to something you can use.

If your "security" source code does not have at least 10% assert
lines, you're not really serious about security.

And of course, if you compile the asserts out for "production"
you are downright moronic about security :-)

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.