Date: Fri, 25 Apr 2014 15:38:46 -0600
From: Chad Perrin <code@apotheon.net>
To: freebsd-security@freebsd.org
Subject: Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
Message-ID: <20140425213846.GC9479@glaze.hydra>
In-Reply-To: <CAG5KPzwrXGB-2p37fAtcWTGvGKPt5uaoQ-dZ8BwkwtKt8aOG6w@mail.gmail.com>
References: <86zjj9mivi.fsf@nine.des.no>
 <32060.1398457484@server1.tristatelogic.com>
 <CAG5KPzw_cOfFLX_kn=5DWAX+z+9VeXuzo3Q8YekDJG37tDQ_wQ@mail.gmail.com>
 <36500.1398458797@critter.freebsd.dk>
 <CAG5KPzwrXGB-2p37fAtcWTGvGKPt5uaoQ-dZ8BwkwtKt8aOG6w@mail.gmail.com>
On Fri, Apr 25, 2014 at 09:52:25PM +0100, Ben Laurie wrote:
> On 25 April 2014 21:46, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> > In message <CAG5KPzw_cOfFLX_kn=5DWAX+z+9VeXuzo3Q8YekDJG37tDQ_wQ@mail.gmail.com>
> > , Ben Laurie writes:
> >>On 25 April 2014 21:24, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
> >>> Separately, a code example of the following general form was discussed:
> >>>
> >>>     if (condition) variable = value1;
> >>>     if (!condition) variable = value2;
> >>>     use (variable);
> >>>
> >
> >>One better answer would be to have a way to annotate that after the
> >>two conditionals you assert that |variable| is initialised. Then a
> >>future, smarter static analyzer can attempt to prove you wrong.
> >
> > The way you do that *IS* to assert that the variable is indeed
> > set to something you can use.
>
> That only works if there's at least one illegal value, though. And you
> know what it is :-)

With the proposed initialization value of -1, you could at least assert
that it is no longer -1, which at least indicates you have done
*something* to it in your code -- which, I believe, solves the problem
the code analyzer actually "intended" to point out, which is that it
might be possible for a variable to be used without any value assigned
to it (thus potentially reading garbage from a variable).

> >
> > If your "security" source code does not have at least 10% assert
> > lines, you're not really serious about security.
>
> People get really pissed off when I put asserts into OpenSSL.
>
> Perhaps they'll have a different opinion now.

. . . or maybe we'll all end up using LibreSSL in the not-too-distant
future and it will not matter any longer (for some definition of "we"
that does not include banks running "secure" software on VMS past its
epoch).

--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
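The three approaches discussed in the thread side by side, as an added example that is not part of any message in it: the two-conditional pattern as posted, the -1 sentinel with a "no longer -1" check, and an out-of-band assignment flag for the case Ben Laurie raises, where -1 is itself a legal value. The function names, the SEL_OK/SEL_UNSET status codes and the sample inputs are assumptions made for illustration.

```c
#include <assert.h>
#include <stdio.h>

/* Added example, not code from the thread or from OpenSSL. All names and
 * values below are illustrative assumptions. */

/* The pattern as posted: two complementary conditionals. Exactly one
 * branch runs, but an analyzer that does not reason about `condition`
 * and `!condition` together may report `variable` as possibly
 * uninitialised at the use site. */
static int select_plain(int condition, int value1, int value2)
{
    int variable;
    if (condition) variable = value1;
    if (!condition) variable = value2;
    return variable;
}

enum sel_status { SEL_OK = 0, SEL_UNSET = 1 };

/* The -1 proposal: initialise to a sentinel and check that it changed.
 * Reported as a status here so the outcome is observable; in real code
 * the check would simply be assert(variable != -1). */
static enum sel_status select_sentinel(int condition, int value1,
                                       int value2, int *out)
{
    int variable = -1;
    if (condition) variable = value1;
    if (!condition) variable = value2;
    if (variable == -1)
        return SEL_UNSET;  /* never assigned, OR legitimately assigned -1 */
    *out = variable;
    return SEL_OK;
}

/* The caveat from the thread: the sentinel only works if -1 is an illegal
 * value. When every int is legal, track assignment out of band and assert
 * on the flag, which cannot collide with any real value. */
static enum sel_status select_tracked(int condition, int value1,
                                      int value2, int *out)
{
    int variable = 0;
    int assigned = 0;
    if (condition) { variable = value1; assigned = 1; }
    if (!condition) { variable = value2; assigned = 1; }
    assert(assigned);      /* the runtime assertion asked for in the thread */
    if (!assigned)
        return SEL_UNSET;  /* only reachable when built with NDEBUG */
    *out = variable;
    return SEL_OK;
}

int main(void)
{
    int out = 0;
    enum sel_status st;

    printf("plain, condition=1: %d\n", select_plain(1, 7, 9));

    /* -1 is a legal value1 here, so the sentinel check fires spuriously. */
    st = select_sentinel(1, -1, 9, &out);
    printf("sentinel with value1=-1: status %d (1 = flagged as unset)\n", st);

    /* The flag-based check accepts -1 as a real, assigned value. */
    st = select_tracked(1, -1, 9, &out);
    printf("tracked with value1=-1: status %d, out %d\n", st, out);
    return 0;
}
```

The sentinel version does catch the analyzer's actual concern (a read before any assignment), but it also rejects a legitimately assigned -1; the flag version keeps the assertion and loses that false alarm at the cost of one extra local.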