[oss-security] Asserts considered harmful (or GMP spills its sensitive information)

Matthew Fernandez matthew.fernandez at gmail.com
Tue Jan 1 02:38:36 UTC 2019


> On Dec 31, 2018, at 11:38, Jeffrey Walton <noloader at gmail.com> wrote:
> 
> On Mon, Dec 31, 2018 at 2:16 PM Vincent Lefevre <vincent at vinc17.net <mailto:vincent at vinc17.net>> wrote:
>> 
>> On 2018-12-31 13:03:27 -0500, Jeffrey Walton wrote:
> 
>>> This is the first point of unwanted data egress. Sensitive information
>>> like user passwords and keys can be written to the filesystem
>>> unprotected.
>> 
>> This can occur with any program, even not using asserts, e.g. due to
>> a segmentation fault (which may happen as a consequence of not using
>> asserts, with possibly worse consequences).
>> 
>> If you don't want a core file, then you can instruct the kernel not
>> to write a core file. See getrlimit.
> 
> To play devil's advocate again, that strategy requires every user to
> have the knowledge. If RTFM was going to worked, It should have
> happened in the last 50 years or so.
> 
> Refusing to process the data and failing the API call requires no
> knowledge on the user's part.

I don’t have a dog in this fight, but you referenced high integrity software (though I guess what is meant is confidentiality rather than integrity in this case) and then say we cannot rely on people to RTFM. While I don’t doubt there are users who will fail to understand the consequences of having core dumps enabled, this is just one of many ways to leak information in a non-hardened system. E.g. you can attach to the victim process with gdb/ptrace and simply read its memory, if the sysadmin has not blocked this with Yama or similar. Could you elaborate on the threat model you have in mind?


More information about the gmp-bugs mailing list