Heartbleed was not the final straw for OpenBSD to create LibreSSL

Summary:Although a high profile bug, Heartbleed did not push OpenBSD to create LibreSSL, a custom memory allocator implementation did, said OpenBSD developer Bob Beck.

Although only 30 days into its push to create a drop-in replacement for OpenSSL, OpenBSD Foundation director Bob Beck provided a status update on the project at the BSDCan conference over the weekend.

At the core of the decision to fork OpenSSL, was not the heavily publicised Heartbleed bug , but a decision taken by the developers of OpenSSL to create their own custom memory allocator.

"Essentially, they decided malloc is slow on some platforms, so let's assume that malloc is slow everywhere," said Beck.

"Let's implement our own cache that never frees anything and just reuses the objects. Better yet, the way that it reuses objects is it keeps a last-in, first-out queue, so if you actually are doing a use-after-free, chances are excellent that that object is still there."

"Matter of fact, it's almost certain that if you free something and use it immediately, that thing is still there and it doesn't matter that you freed it."

Beck said that the custom allocator made Heartbleed "that much worse", and was a "very effective exploit mitigation technique countermeasure" as it "could not have been designed better" to make attacks hard to detect.

An OpenSSL feature to send the allocator into debugging mode by only needing to change a word of running memory, after which the allocator would log all data allocations, including contents, to a log file, came in for special attention.

"This isn't just a debugging malloc, it's a potential attack surface," Beck said.

Heartbleed itself, Beck said, was a pretty common bug, the sort that OpenBSD developers pick up all the time when they look at code not used to the way that OpenBSD's memory allocator works.

"Heartbleed was really not the final straw for us," he said. "This is not a unique situation in software development by any stretch of the imagination — it's just a rather high profile one."

The code base of OpenSSL did not lend itself to community involvement, Beck said, and it was a focus for the LibreSSL project.

"The code is seriously too horrible, it is your parents talking about where you got made kind of horrible," he said.

"I honestly think a lot of it is not necessarily deliberate incompetence or malice, it's just a case of the codebase starting to go that way and nobody put the time and effort in to fix it, and nobody had enough of a strong hand to say 'This can't stay this way'".

Earlier this year, OpenBSD revealed that unless CAD$150,000 were raised to pay its electricity bill, the project would have to cease operations — a week later, the project announced its funding goal was met .

Although not up to the pace of that previous fund-raising effort, LibreSSL and its "weaponised Comic Sans" web site have raised between CA$25,000 and CA$40,000 in its first month.

Beck said that the OpenBSD Foundation was looking for sponsorship to fund several developers to continue the rewrite effort, and help the ports team track and push changes upstream, without distracting from OpenBSD's other projects.

"We'd love to just do it, but we don't want to do it at the expense of usual resources, which are somewhat meager, to maintain OpenBSD, OpenSSH, and related stuff."

OpenBSD has approached the Linux Foundation for funding, but no response had been received yet.

"We've got a very good start on cleaning it up, it's certainly a lot better than it was a month ago," said Beck. "We know where we want to go with this, and we want to bring the rest of the community with us."

Topics: Security, Open Source

About

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.