1 |
On 04/14/2014 04:42 AM, Joshua Kinard wrote: |
2 |
> |
3 |
> So one of the side-discussions happening after Heartbleed was the fact that |
4 |
> OpenSSL has its own memory allocator code that effectively mitigates any C |
5 |
> library-provided exploit mitigations (as discussed on the openbsd-misc ML at |
6 |
> [1] and Ted Unangst's blogs at [2] and [3]). |
7 |
[snip good explanation] |
8 |
|
9 |
> It basically provides a secure memory area protected by guard pages for |
10 |
> sensitive data, like RSA private keys, so that if another Heartbleed-like |
11 |
> event occurs, things won't be as bad. Hopefully... |
12 |
|
13 |
http://lekkertech.net/akamai.txt |
14 |
|
15 |
> Is this something we want to look at adding to our openssl copy via an |
16 |
> optional USE flag (default off)? |
17 |
|
18 |
At this point in time I'd say we better wait for the storm to settle |
19 |
down - apparently the akamai patches are only fixing a small part of the |
20 |
problem. |
21 |
|
22 |
I don't have a strong opinion as I haven't had to think about the |
23 |
internals of crypto software in a while, but hastily adding |
24 |
not-well-reviewed code might not be the best strategy. |
25 |
|
26 |
Have fun, |
27 |
|
28 |
Patrick |