oss-sec mailing list archives
Re: Asserts considered harmful (or GMP spills its sensitive information)
From: Matthew Fernandez <matthew.fernandez () gmail com>
Date: Mon, 31 Dec 2018 18:38:36 -0800
On Dec 31, 2018, at 11:38, Jeffrey Walton <noloader () gmail com> wrote: On Mon, Dec 31, 2018 at 2:16 PM Vincent Lefevre <vincent () vinc17 net <mailto:vincent () vinc17 net>> wrote:On 2018-12-31 13:03:27 -0500, Jeffrey Walton wrote:This is the first point of unwanted data egress. Sensitive information like user passwords and keys can be written to the filesystem unprotected.This can occur with any program, even not using asserts, e.g. due to a segmentation fault (which may happen as a consequence of not using asserts, with possibly worse consequences). If you don't want a core file, then you can instruct the kernel not to write a core file. See getrlimit.To play devil's advocate again, that strategy requires every user to have the knowledge. If RTFM was going to worked, It should have happened in the last 50 years or so. Refusing to process the data and failing the API call requires no knowledge on the user's part.
I don’t have a dog in this fight, but you referenced high integrity software (though I guess what is meant is confidentiality rather than integrity in this case) and then say we cannot rely on people to RTFM. While I don’t doubt there are users who will fail to understand the consequences of having core dumps enabled, this is just one of many ways to leak information in a non-hardened system. E.g. you can attach to the victim process with gdb/ptrace and simply read its memory, if the sysadmin has not blocked this with Yama or similar. Could you elaborate on the threat model you have in mind?
Current thread:
- Re: Asserts considered harmful (or GMP spills its sensitive information) Matthew Fernandez (Jan 01)
- Disabling ptrace (was Re: [oss-security] Asserts considered harmful (or GMP spills its sensitive information)) Niels Möller (Jan 01)
- Re: Disabling ptrace Jakub Wilk (Jan 02)
- Re: Disabling ptrace Niels Möller (Jan 02)
- Re: Disabling ptrace Jakub Wilk (Jan 02)
- <Possible follow-ups>
- Re: Asserts considered harmful (or GMP spills its sensitive information) Niels Möller (Jan 01)
- Re: Re: Asserts considered harmful (or GMP spills its sensitive information) Simon McVittie (Jan 01)
- Re: Re: Asserts considered harmful (or GMP spills its sensitive information) halfdog (Jan 01)
- Re: Re: Asserts considered harmful (or GMP spills its sensitive information) Jeffrey Walton (Jan 02)
- Re: Re: Asserts considered harmful (or GMP spills its sensitive information) halfdog (Jan 02)
- Re: Re: Asserts considered harmful (or GMP spills its sensitive information) Simon McVittie (Jan 01)
- Disabling ptrace (was Re: [oss-security] Asserts considered harmful (or GMP spills its sensitive information)) Niels Möller (Jan 01)
- Re: Asserts considered harmful (or GMP spills its sensitive information) Vincent Lefevre (Jan 01)
- Re: Asserts considered harmful (or GMP spills its sensitive information) Niels Möller (Jan 01)