lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 31 Dec 2018 13:34:05 -0500
From: Jeffrey Walton <noloader@...il.com>
To: BugTraq <bugtraq@...urityfocus.com>
Subject: Asserts considered harmful (or GMP spills its sensitive information)

The GMP library uses asserts to crash a program at runtime when
presented with data it did not anticipate. The library also ignores
user requests to remove asserts using Posix's -DNDEBUG. Asserts are a
debugging aide intended for developement, and using them in production
software ranges from questionable to insecure.

Many programs and libraries can safely use assert to crash a program
at runtime. However, the prequisite is, the program cannot handle
sensitive information like user passwords, user keys or sensitive
documents.

High integrity software, like GMP and Nettle, cannot safely use an
assert to crash a program. To understand why the data flow must be
examined. First, when an assert fires, abort() is called and a SIGABRT
is eventually sent to the program on Unix and Linux
(http://pubs.opengroup.org/onlinepubs/009695399/functions/assert.html).

Second, the SIGABRT terminates the process and can write a core file.
This is the first point of unwanted data egress. Sensitive information
like user passwords and keys can be written to the filesystem
unprotected.

Third, the dump is sometimes sent to an error reporting service like
Apple Crash Report, Android Crash Report, Ubuntu Apport, and Windows
Error Reporting. This is the second point of unwanted data egress. The
platform provider like Apple, Google, Microsoft or Ubuntu can gain
access to the sensitive information, in addition to the developer.

In fact, when one popular security library used in Bitcoin wallets was
apprised of the situation, they responded:

    The standard abort() call also produces somewhat useful
    error messages on Windows, so I can get an idea on what’s
    going on when users report these.

Another popular security library used for code signing remarked:

    Please never ever define NDEBUG. This is a severe misfeature
    of the assert macro.

Wow, change your passwords and keys after an asert fires...

Here's a small example of triggering an assert using the Nettle
library. Nettle depends on GMP, and GMP is the root cause of the
information leak. The result below can be reproduced on i686, x86_64,
and Aarch64 using the attached script. ARM A-32 does not work at the
moment due to GMP build errors.

In the case below Nettle is using benign data and not maliciously
crafted data. Notice GMP spilled the sensitive information during a
sliding window modular exponentiation (also see
https://gmplib.org/repo/gmp-6.1/file/tip/mpn/generic/sec_powm.c).

# from Nettle 'make check'
...
PASS: rsa-keygen
PASS: rsa-sec-decrypt
sec_powm.c:293: GNU MP assertion failed: enb >= windowsize
../run-tests: line 57: 24756 Aborted (core dumped) "$1" $testflags
FAIL: rsa-compute-root
PASS: dsa
...

View attachment "test-gmp.sh.txt" of type "text/plain" (925 bytes)

Powered by blists - more mailing lists