OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?

Fri Apr 25 21:38:55 UTC 2014

On Fri, Apr 25, 2014 at 09:52:25PM +0100, Ben Laurie wrote:
> On 25 April 2014 21:46, Poul-Henning Kamp <phk at phk.freebsd.dk> wrote:
> > In message <CAG5KPzw_cOfFLX_kn=5DWAX+z+9VeXuzo3Q8YekDJG37tDQ_wQ at mail.gmail.com>
> > , Ben Laurie writes:
> >>On 25 April 2014 21:24, Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
> >>> Separately, a code example of the following general form was discussed:
> >>>
> >>>         if (condition) variable = value1;
> >>>         if (!condition) variable = value2;
> >>>         use (variable);
> >>>
> >
> >>One better answer would be to have a way to annotate that after the
> >>two conditionals you assert that |variable| is initialised. Then a
> >>future, smarter static analyzer can attempt to prove you wrong.
> >
> > The way you do that *IS* to assert that the variable is indeed
> > set to something you can use.
> 
> That only works if there's at least one illegal value, though. And you
> know what it is :-)

With the proposed initialization value of -1, you could at least assert
that it is no longer -1, which at least indicates you have done
*something* to it in your code -- which, I believe, solves the problem
the code analyzer actually "intended" to point out, which is that it
might be possible for a variable to be used without any value assigned
to it (thus potentially reading garbage from a variable).

> >
> > If your "security" source code does not have at least 10% assert
> > lines, you're not really serious about security.
> 
> People get really pissed off when I put asserts into OpenSSL.
> 
> Perhaps they'll have a different opinion now.

. . . or maybe we'll all end up using LibreSSL in the not-to-distant
future and it will not matter any longer (for some definition of "we"
that does not include banks running "secure" software on VMS past its
epoch).

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]