
Security audits through reimplementation

Florian Weimer published on 2014-02-26T14:30:23+00:00, last updated 2014-02-26T14:30:23+00:00

For many networking protocols and file formats, multiple implementations exist which interoperate with each other. A newly developed implementation of a protocol or format diverges from previous implementations in subtle ways, at least initially. Such differences can uncover previously unnoticed corner cases which are not handled properly, and sometimes reveal security vulnerabilities.

For example, in the mid-90s, it was discovered that Samba's SMB client, smbclient, did not restrict user name length in the same way Windows does, so that you could crash Windows SMB file servers using the smbclient program.  (Microsoft fixed this around Service Pack 3 of Windows NT 4.0 in 1997, in the patch Q161830.)  Today, such issues would be considered security problems, but at the time, they were barriers to interoperability (and occurred in the other direction as well, when an unexpected reply from a Windows system crashed Samba).

In a sense, this is a form of fuzz testing with non-random input data. In fact, parsers implemented in a more declarative manner than sequential, imperative code can often be used as a template for very efficient fuzzers.

Similarly, porting from 32-bit to 64-bit exposes raw pointers used over the network. Implementation strategies for network protocol parsers in C vary, but older code often uses (packed) structs. If these include pointers, their sizes change, resulting in a fairly obvious interoperability failure.
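The C sketch below is an added illustration, not code from the original post or from any project it mentions. It shows a packed struct whose wire size depends on pointer width, next to a fixed-width header that is encoded explicitly and bounds-checked on receipt. The message layout and all names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Legacy style (hypothetical message): the packed in-memory struct is sent
 * as-is. The pointer member is 4 bytes on a 32-bit ABI and 8 bytes on a
 * 64-bit ABI, so the two builds disagree about the wire layout. */
struct __attribute__((packed)) legacy_msg {   /* GCC/Clang attribute */
    uint16_t type;
    uint16_t length;
    char    *payload;
};

size_t legacy_wire_size(void) { return sizeof(struct legacy_msg); }

/* Portable style: fixed-width fields, explicit big-endian encoding, and an
 * offset into the message in place of the pointer. */
#define WIRE_HDR_LEN 8u

struct msg_hdr {
    uint16_t type;
    uint16_t length;        /* payload length in bytes */
    uint32_t payload_off;   /* payload start, relative to message start */
};

void hdr_encode(const struct msg_hdr *h, uint8_t out[WIRE_HDR_LEN])
{
    out[0] = (uint8_t)(h->type >> 8);    out[1] = (uint8_t)h->type;
    out[2] = (uint8_t)(h->length >> 8);  out[3] = (uint8_t)h->length;
    out[4] = (uint8_t)(h->payload_off >> 24);
    out[5] = (uint8_t)(h->payload_off >> 16);
    out[6] = (uint8_t)(h->payload_off >> 8);
    out[7] = (uint8_t)h->payload_off;
}

/* Returns 0 on success, -1 if the buffer is too short or the payload
 * described by the header does not lie inside the received message. */
int hdr_decode(const uint8_t *buf, size_t len, struct msg_hdr *h)
{
    if (len < WIRE_HDR_LEN)
        return -1;
    h->type        = (uint16_t)((buf[0] << 8) | buf[1]);
    h->length      = (uint16_t)((buf[2] << 8) | buf[3]);
    h->payload_off = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                     ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    if (h->payload_off < WIRE_HDR_LEN || h->payload_off > len ||
        h->length > len - h->payload_off)
        return -1;
    return 0;
}
```

Compiling the same file with `-m32` and `-m64` makes `legacy_wire_size()` return 8 and 12 respectively, while the encoded header stays at 8 bytes on both.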

Cryptographic misuse is revealed in a reimplementation as well.  A cursory look at the implementation of the kwallet encrypted password store for KDE suggests that it uses Blowfish in cipher-block-chaining (CBC) mode, with a random initialization vector.  This would be good news.  But when you try to implement an independent decoder outside of the KDE ecosystem, you will notice that you cannot actually decrypt the stored passwords using CBC mode.  Despite source code files called cbc.cc, kwallet does not actually chain cipher blocks, and uses Blowfish in electronic codebook mode, which, in combination with other issues, might make cryptanalysis of stored passwords feasible.  (To my knowledge, this case of misused cryptography was actually discovered in this manner several years ago, but reported privately and not fixed.  It was eventually rediscovered and assigned CVE-2013-7252.)

In short, every time you reimplement a protocol or file format and it causes an existing implementation to crash or enter an infinite loop, you may have discovered a security problem. In this case, please contact us.
