Heartbleed soul-search: regulation proposed for critical crypto code
Was OpenSSL's memory management code a disaster waiting to happen? While Heartbleed is being blamed on buggy source code that was submitted shortly before midnight on 31 December 2011, a time not associated with good judgement, there are deeper concerns.
As pointed out by Theo de Raadt, founder and leader of the OpenBSD and OpenSSH projects, in a post on Tuesday, OpenSSL doesn't use the standard memory management code supplied by the operating systems on which it runs — the function calls familiar to Unix and Linux developers, malloc() and free(), to allocate and free up memory respectively.
OpenSSL rolls its own memory management system.
"Definition of not awesome," said James Lyne, global head of security research with Sophos. Had OpenSSL been using the system-provided memory management, the odds that a memory exposure bug like Heartbleed would reveal private encryption keys would be "ridiculously lower", he said.
Malware researcher Jake Williams principal consultant at CSRgroup Computer Security Consultants, agreed. "Had the developers not been rolling their own memory allocation scheme, it's very likely that in some cases this may have caused some kind of [general protection fault or segmentation fault]. It may actually have been a denial of service bug in many cases, or it definitely would have been much more the luck of the draw [when] pulling private keys or private data."
The two researchers were speaking at the third Heartbleed briefing for the SANS Institute's Internet Storm Centre (ISC), held on Friday morning Australian time (Thursday afternoon US time). Lyne stepped back from the immediate issues of tackling the bug to reflect upon why this happened in the first place.
"When you actually go and look at this bug ... this compared to the majority of exploits that we have to go dig for today, with all the wonderful mitigations out there in modern operating systems, it's really easy to find, and really dumb. This shouldn't happen."
"This seems fundamentally wrong, at this point of use of this software, that we should be in a position where these kinds of things can happen."
Lyne said that he recognised that security was never 100 percent, and that all projects have bugs, but given the importance and widespread use of OpenSSL, it was possible to consider it as an example of "critical infrastructure".
"I mean this should be stuff that's taken seriously — regulated even — given the serious role that it plays in the internet," he said.
"And I think a lot of it comes back to this perception of the technology. We all let it slip into incredibly widespread use — sprawling and expanding into all these different places — with the perception that it's open source, therefore, as a black box, it's secure because other people are looking after it for me.
"It's the other people's problem."
Many people trust open source, simply on the basis that they expect that other people have looked at the code, Lyne said, but pointed to the lack of funding for OpenSSL as an problem with relying on the project.
"We're all depending on this really, really heavily, expecting them to do a great job, and yet actually they're desperately under-funded."
"I don't want to say that open source is bad. I'm a huge believer in the initiative, and what it can do for the quality of software.
"But a lot of people trust open source as secure because others are looking, but in reality this team has a reported budget for all of their work of less than a million dollars, and through the course of this week — which you'd think would be a fairly important week for them — they have received $841 of donations. Which is sad."
"There's a section on the site here that says, if you give more than, I think, it's $20,000, we'll put your logo on our home page. There are no logos. No-one is giving these guys money."
Lyne said that whenever he comes across self-rolled cryptographic code, it is "so unbelievably terrible that my soul hurts a little bit every time I look at it".
"There was a great quote today, someone said: 'Crypto people shouldn't be allowed to write software.' And someone retorted wonderfully with, 'Software engineers shouldn't be allowed to write crypto.' You guys should talk to each other."
Given this context, Lyne would doubtless consider de Raadt's view, "OpenSSL is not developed by a responsible team," overly harsh. But both would agree that something needs to be done.