[SystemSafety] OpenSSL Bug

David MENTRÉ dmentre at linux-france.org
Fri Apr 11 21:59:13 CEST 2014 

Hello,

2014-04-11 18:07, Patrick Graydon:
> But some basic analyses, coding precautions, and testing of forms
> that were standard for other critical software decades ago doesn’t
> strike me as particularly unreasonable considering the massive
> potential for damage.

Except that safety critical software are designed for such analyses and 
testing, with the minimal set of needed functions in mind, coding made 
to make review and testing easier, etc.

Software like openSSL are not developed with this mind set, they have a 
lot of functions, some to answer new usages like this heartbeat feature 
or even marginal uses. This is precisely because they have so many 
features that they are preferred over others similar software like 
PolarSSL. In other words, functionality prevails over other criteria 
like correctness or security (to a certain extent, of course).

> In short, this was a predictable threat and a known form of attack
> and could have been prevented with techniques that were clearly
> warranted given what was known about risk.  There is zero excuse for
> not employing those techniques.

Yes, one could criticize the OpenSSL developers for not using preventive 
design and coding approach that would avoid catastrophic consequences, 
when such an expected issue occurs.

But one could also criticize Apple or Google, which do have a lot of 
money, to blindly use such library that are not properly designed. They 
have the money, they have the choice to use the software or not, why are 
they acting like this?

Like others have said on this list, those companies only care about ROI 
and money returned to owners and shareholders. They don't care at all 
about security[1] and safety, and such issues are going to occur over 
and over until states and laws force them not to do so.

And even if such companies are willing to take those issues seriously, 
making a complete assessment (with aeronautics or railway meaning) of 
complex software like OpenSSL is a major engineering task that nobody 
has even considered.

Additional comments regarding this thread:
  * I am among those that think that using a language like C that does 
no do basic bound checking on arrays (or forcing measures to check such 
accesses) is a major fault;

  * Some companies are proposing services to guarantee that an 
open-source library is immune to certain kind of defaults (in a 
restricted set of configurations) for software integrator, e.g. 
http://trust-in-soft.com/no-more-heartbleed/


Sincerely yours,
david

[1] I am not fair to Google in the heartblead case: the issue was 
independently identified by one of Google security researcher. But it 
took more that two years (December 2011 to April 2014) to find it.

More information about the systemsafety mailing list