Document our security limitations #845
Conversation
|
Test PASSed. |
|
Test FAILed. |
| uninitialized memory. | ||
|
|
||
| Python exposes no API for us to implement this reliably and as such most | ||
| software in Python is vulnerable to this attack. However we do not currently |
There was a problem hiding this comment.
Do we have anything we can point to as support for the assertion that it's probably not high risk? If not, should we expand on this a little bit?
There was a problem hiding this comment.
The CERT secure coding guidelines categorise an attacker gaining access to private data via swap and "reusable resources" as "unlikely" and "Low severity, unlikely, expensive to repair."
I'll add those references too :)
|
Test PASSed. |
|
Test PASSed. |
|
I'm mostly okay with this, but I'm wondering if we should mention that in general before we release memory we do call cleanup commands that typically zero it...? As currently phrased it sounds like any use of key material will result in keys leaking to uninitialized memory. |
|
How do you get the key into OpenSSL without first making a Python object which will never be memset_s'd or otherwise cleaned of it's contents before being released? I think currently we do always leak key material this way? |
|
Good point :) Presumably Python tends to reuse memory so most of the time Python will reclaim it for other uses within its own pid but that's only helpful for long-lived processes. |
|
I think we need to better articulate a threat model here. Particularly On Mon, Mar 24, 2014 at 5:28 AM, Paul Kehrer notifications@github.comwrote:
"I disapprove of what you say, but I will defend to the death your right to |
|
I'm not sure what you mean? The threat model is "software is bad." This is a thing you do to protect yourself from bad software. Not doing it doesn't immediately mean your system is broken, it just means that an attacker has an extra place to hunt for exploits. I think between the current wording and the references that's explained OK but if you have some suggestions I'll work on it :) |
|
I mean, what position does the attacker need to have to be able to exploit (Did I really just type "we need to balance how much we tell people the On Mon, Mar 24, 2014 at 8:05 AM, Alex Stapleton notifications@github.comwrote:
"I disapprove of what you say, but I will defend to the death your right to |
|
The attacker needs to be in the position of have some way of reading unitialized memory. That's all they need. This is a pervasive security problem and isn't at all unique to us but we do tell the user it's considered very low risk and unlikely to be exploited. I guess I could add something like "we consider this unlikely to effect most users as it requires multiple additional security failures to exploit"? |
|
I'll prefer "potentially vulnerable" instead of "vulnerable". I think the rest of the text is fine and has just enough information to be helpful without writing an entire thesis on memory wiping. |
|
That is a good suggestion :-) On 25 March 2014 06:22:51 Ayrx notifications@github.com wrote:
|
|
Test PASSed. |
| Python exposes no API for us to implement this reliably and as such almost all | ||
| software in Python is potentially vulnerable to this attack. However the | ||
| `CERT secure coding guidelines`_ consider this issue as "low severity, | ||
| unlikely, expensive to repair" and we do not consider this a high risk for most |
There was a problem hiding this comment.
Nitpicking at this point, but should it just say users instead of most users?
There was a problem hiding this comment.
It could be a risk for some users?
There was a problem hiding this comment.
I think "most users" is fine. Hey, unlikely as it may be there might be some use-cases where this is a potential high risk issue.
Document our security limitations
Alternative "fix" for #7.