IETF Logo Mail Archive

Re: [TLS] Heartbleed / protocol complexity

Watson Ladd <watsonbladd@gmail.com> Fri, 11 April 2014 02:24 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF5BF1A000A for <tls@ietfa.amsl.com>; Thu, 10 Apr 2014 19:24:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3
X-Spam-Level: ***
X-Spam-Status: No, score=3 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MANGLED_BACK=2.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Ma9KCCZVR9J for <tls@ietfa.amsl.com>; Thu, 10 Apr 2014 19:24:50 -0700 (PDT)
Received: from mail-yh0-x22f.google.com (mail-yh0-x22f.google.com [IPv6:2607:f8b0:4002:c01::22f]) by ietfa.amsl.com (Postfix) with ESMTP id A0CC51A0391 for <tls@ietf.org>; Thu, 10 Apr 2014 19:24:46 -0700 (PDT)
Received: by mail-yh0-f47.google.com with SMTP id 29so4755750yhl.34 for <tls@ietf.org>; Thu, 10 Apr 2014 19:24:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=8MXHXBZ+QnBe+MpzAPoysgntiAe4e4BGFm9mU/YUk/Q=; b=mdGfasR1/fzC3+ciFcIjMwmF4p1ifN0sePeaKJn9rA6cOneVhgg4+bIfiuofV/tIZ/ 7jLdRaWlr+imrSMrOOc+4zFHslsJSkMNdPbJYKLi+h5hszFlyF/V6fjGUB4ouRqEdFvj DnI9pZ37/44LirSSZ/BzmuWRgHGUkh4iRv0pXi21aEakR/mAXfp43BHVteaUjpF1adj7 4FOhzWz8wamrJfp76rH94IuJJwBNCDX/Y2rlwMchLMwSeA8rNIjMRT2lGwIjaKeJmIWD 6gbPcffiQjuvXy8R9DWnJNjQE/n+v5Lce2yQ3KCrKf/cU+UhpZk2RzfjcITIwNzj2a6b Tcbg==
MIME-Version: 1.0
X-Received: by 10.236.220.72 with SMTP id n68mr8662483yhp.102.1397183085385; Thu, 10 Apr 2014 19:24:45 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Thu, 10 Apr 2014 19:24:45 -0700 (PDT)
In-Reply-To: <20140411002030.6672532.52002.12768@certicom.com>
References: <20140409232505.0d6e02b8@hboeck.de> <CABkgnnX1hrEOmuorkx6st-0V4WAv4YQ9GjiWRtYQyeu6HTXLcA@mail.gmail.com> <5346E261.6070602@gmx.net> <20140411002030.6672532.52002.12768@certicom.com>
Date: Thu, 10 Apr 2014 19:24:45 -0700
Message-ID: <CACsn0ckUaN1KapigGfFxr6PsZjfiMZtD-nWqaAw71YfhPJAtxg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Dan Brown <dbrown@certicom.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/v49UvEX2LACfIfsTIWGWmrQTTeI
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Heartbleed / protocol complexity
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Apr 2014 02:24:57 -0000

On Thu, Apr 10, 2014 at 5:20 PM, Dan Brown <dbrown@certicom.com> wrote:
> Could some test vectors have helped prevent this bug?

Systematically ensuring that all invalid length combinations would
have triggered an error would have worked. That's more than some test
vectors. Furthermore, it's not clear how you supply test vectors to a
protocol implementation: it can be done, and should be, but it is
quite a bit of work.

What could have mitigated this bug would be not disabling OS
protection measures in malloc. Had OpenSSL not used their own malloc,
then on OpenBSD the malloc flags "FGJZ" would have significantly
reduced the impact of the attack, and quite possibly crashed the
process if exploitation was tried. (OpenSSL has bugs that are only
found when you disable their own malloc wrapper, which is why they
didn't do it).

Various proposals for taint analysis in C have floated around for a
number of years. However, qmail demonstrates that one can write secure
C code without this assistance. Even a typedef int untrust len,
followed by a compiler that warns of aliasing and a perl script that
brings special attention onto casts from this type (okay, not so easy
to write: you need to track declarations) would have been useful.

Furthermore, there was no need to implement heartbeats over TLS for
web servers. The TLS wire format is a pain to parse, and you need to
handle it even after ending the handshake.

However, the fundamental problem isn't anything more than the
developers of OpenSSL being lackadaisical about security. Entire
multiuser operating system kernels (xv6 to be precise) can be fitted
into one fifth the code size of OpenSSL.  PolarSSL is one tenth the
size, and does the same job. miTLS does a much better job, is in a
high level language, costs 10x as much in computation time, and is
guaranteed to be correct. (It doesn't do X509 verification however,
and I don't believe side channels are reasoned about: both are fixable
without much more code).

Sincerely,
Watson Ladd

>
> Sent from my BlackBerry 10 smartphone on the Rogers network.
>   Original Message
> From: Hannes Tschofenig
> Sent: Thursday, April 10, 2014 7:55 PM
> To: Martin Thomson; Hanno Böck
> Cc: tls@ietf.org
> Subject: Re: [TLS] Heartbleed / protocol complexity
>
>
> Hi Hanno,
>
> I agree with Martin regarding your the statement about simplicity. We
> always try to make extensions as simple as possible. Questions that come
> to my mind are: Have you provided comments at the time when RFC 6520 was
> written? Have you helped to improve the OpenSSL implementation of RFC 6520?
>
> There is an underlying problem that needs to be addressed, namely that
> we produce specifications but once we are done with the specifications
> we (as an organization) don't seem to care about what happens
> afterwards. Someone there is the impression that the developer community
> implements our protocols quickly and in the way we want. Assuming the
> existence of code that is available to the public does not necessarily
> mean that it is bug-free.
>
> We have many examples of this behaviour throughout the IETF (i.e., there
> is nothing unique to TLS).
>
> In the past I had argued that we need to take the transition from the
> specification (paper) to the actual implementation a bit more serious
> but, unfortunately, I found very little support for it. Just to give you
> a pointer to my most recent write-up on this topic have a look at my
> STRINT paper: https://www.w3.org/2014/strint/papers/62.pdf
>
> Ciao
> Hannes
>
> On 04/09/2014 04:28 PM, Martin Thomson wrote:
>> On 9 April 2014 14:25, Hanno Böck <hanno@hboeck.de> wrote:
>>> If it is decided that a new extension is needed it
>>>   should be as simple as possible.
>>
>> That's a motherhood statement.  Yes, RFC 6520 could have been simpler,
>> but it does provide a valuable function.  The payload included.
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email