From owner-freebsd-security@FreeBSD.ORG Fri Apr 25 20:52:27 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0AD90EC1 for ; Fri, 25 Apr 2014 20:52:27 +0000 (UTC) Received: from mail-qa0-x234.google.com (mail-qa0-x234.google.com [IPv6:2607:f8b0:400d:c00::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id BE79A15CF for ; Fri, 25 Apr 2014 20:52:26 +0000 (UTC) Received: by mail-qa0-f52.google.com with SMTP id m5so2908107qaj.39 for ; Fri, 25 Apr 2014 13:52:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=sH6Bg5oME7DEEtsCmkNFgevaCPQQyqhIQ4Z0+qQOWXE=; b=xY3PxNgkiU3K7MWFiDS1xw6Ex9DR1ts8eTn47BxQ8iNyx3w8PxLu/PUQqdkmJwrMSI bis4az4rnbuRO/VPk4V2YRK+PoaDTSY8QT8fHgqNWDpYYmXJ7gDaTEycdeDwr5MU3qOr uHib9yr6E/cNDV/SjTIKXzg7iUPGCb46frOFAqNwDOcmDrWsTl1obGmXHX+q8Z26LefC uKfBff67S9eNEwrq+CgneXu1jX7bwz01Wasx9RLGr8+FZR3ykqdrwhlSpatfw0IsLbFB IDOIZyqIEDazqNzaGBcBm1ql5ehUPE2Myay+Za2kjG2SBAZYO33ySkVA/EgGa95Hjb46 ertw== MIME-Version: 1.0 X-Received: by 10.224.160.142 with SMTP id n14mr15142176qax.17.1398459145876; Fri, 25 Apr 2014 13:52:25 -0700 (PDT) Sender: benlaurie@gmail.com Received: by 10.96.162.196 with HTTP; Fri, 25 Apr 2014 13:52:25 -0700 (PDT) In-Reply-To: <36500.1398458797@critter.freebsd.dk> References: <86zjj9mivi.fsf@nine.des.no> <32060.1398457484@server1.tristatelogic.com> <36500.1398458797@critter.freebsd.dk> Date: Fri, 25 Apr 2014 21:52:25 +0100 X-Google-Sender-Auth: C6LzNYgob4aaXfs8D8oe3d_0TDY Message-ID: Subject: Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole? From: Ben Laurie To: Poul-Henning Kamp Content-Type: text/plain; charset=UTF-8 Cc: "freebsd-security@freebsd.org security" , "Ronald F. Guilmette" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 20:52:27 -0000 On 25 April 2014 21:46, Poul-Henning Kamp wrote: > In message > , Ben Laurie writes: >>On 25 April 2014 21:24, Ronald F. Guilmette wrote: >>> Separately, a code example of the following general form was discussed: >>> >>> if (condition) variable = value1; >>> if (!condition) variable = value2; >>> use (variable); >>> > >>One better answer would be to have a way to annotate that after the >>two conditionals you assert that |variable| is initialised. Then a >>future, smarter static analyzer can attempt to prove you wrong. > > The way you do that *IS* to assert that the variable is indeed > set to something you can use. That only works if there's at least one illegal value, though. And you know what it is :-) > If your "security" source code does not have at least 10% assert > lines, you're not really serious about security. People get really pissed off when I put asserts into OpenSSL. Perhaps they'll have a different opinion now. > And of course, if you compile the asserts out for "production" > you are downright moronic about security :-) > > -- > Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 > phk@FreeBSD.ORG | TCP/IP since RFC 956 > FreeBSD committer | BSD since 4.3-tahoe > Never attribute to malice what can adequately be explained by incompetence.