TO-Tech Blog Todd Ogasawara’s Tech Blog

20 May 08

Don’t Trust Automated Software Development Tools Too Much!

Technology Review's article...

Alarming Open-Source Security Holes: How a programming error introduced profound security vulnerabilities in millions of computer systems

...is alarming as-is. However, there is another issue I want to point out here. Note the last paragraph of the article's first web-page:

So how did the programmers make the mistake in the first place? Ironically, they were using an automated tool designed to catch the kinds of programming bugs that lead to security vulnerabilities. The tool, called Valgrind, discovered that the OpenSSL library was using a block of memory without initializing the memory to a known state--for example, setting the block's contents to be all zeros. Normally, it's a mistake to use memory without setting it to a known value. But in this case, that unknown state was being intentionally used by the OpenSSL library to help generate randomness.

I've never used it, but I'm sure Valgrind is a fine Open Source source code profiler. However, it is just that: a tool. It is meant to augment human work, not replace it completely. Trusting Valgrind to the extreme resulted in what appears to be a very, very serious problem for many of us who use anything that uses the OpenSSL library (like SSH/SCP). Even worse, this problem has existed for two years now. And there's more. The patch distributed doesn't correct the problem on systems that have deployed keys in the past two years based on the broken code. Ouch.
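To make the "tool, not replacement" point concrete, here is an added example (not code from the article, OpenSSL or Debian). It is a toy entropy pool with hypothetical names, and it assumes the warning was silenced by removing the step that mixes caller bytes into the pool. The check at the end is a behavioural one that a memory checker does not perform: do different seed inputs still produce different outputs?

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy entropy pool (hypothetical, not OpenSSL's): state is a 64-bit FNV-1a hash. */
typedef struct { uint64_t state; int mix_enabled; } toy_pool;

static void toy_pool_init(toy_pool *p, int mix_enabled) {
    p->state = 14695981039346656037ULL;   /* FNV-1a offset basis */
    p->mix_enabled = mix_enabled;
}

/* Mix caller-supplied bytes into the pool. mix_enabled == 0 models a "fix"
 * that silences an uninitialized-read warning by deleting the mixing step
 * (an assumption made for this illustration). */
static void toy_pool_add(toy_pool *p, const unsigned char *buf, size_t n) {
    if (!p->mix_enabled) return;
    for (size_t i = 0; i < n; i++) {
        p->state ^= buf[i];
        p->state *= 1099511628211ULL;     /* FNV-1a prime */
    }
}

/* Regression check: seed 256 fresh pools with samples that differ in one
 * byte and count how many distinct pool states come back. */
int count_distinct_outputs(int mix_enabled) {
    uint64_t seen[256];
    int distinct = 0;
    for (int i = 0; i < 256; i++) {
        unsigned char sample[16];
        memset(sample, 0xA5, sizeof sample);   /* constructed input */
        sample[0] = (unsigned char)i;
        toy_pool p;
        toy_pool_init(&p, mix_enabled);
        toy_pool_add(&p, sample, sizeof sample);
        int dup = 0;
        for (int j = 0; j < distinct; j++)
            if (seen[j] == p.state) { dup = 1; break; }
        if (!dup) seen[distinct++] = p.state;
    }
    return distinct;
}

int main(void) {
    printf("mixing kept:    %d distinct outputs\n", count_distinct_outputs(1));
    printf("mixing removed: %d distinct outputs\n", count_distinct_outputs(0));
    return 0;
}
```

With the mixing step removed the code runs cleanly under a memory checker, yet every pool ends in the same state. Only a test of the generator's behaviour, or a human reading the change, catches that.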
