| 1 |
On 04/14/2014 04:42 AM, Joshua Kinard wrote: |
| 2 |
> |
| 3 |
> So one of the side-discussions happening after Heartbleed was the fact that |
| 4 |
> OpenSSL has its own memory allocator code that effectively mitigates any C |
| 5 |
> library-provided exploit mitigations (as discussed on the openbsd-misc ML at |
| 6 |
> [1] and Ted Unangst's blogs at [2] and [3]). |
| 7 |
[snip good explanation] |
| 8 |
|
| 9 |
> It basically provides a secure memory area protected by guard pages for |
| 10 |
> sensitive data, like RSA private keys, so that if another Heartbleed-like |
| 11 |
> event occurs, things won't be as bad. Hopefully... |
| 12 |
|
| 13 |
http://lekkertech.net/akamai.txt |
| 14 |
|
| 15 |
> Is this something we want to look at adding to our openssl copy via an |
| 16 |
> optional USE flag (default off)? |
| 17 |
|
| 18 |
At this point in time I'd say we better wait for the storm to settle |
| 19 |
down - apparently the akamai patches are only fixing a small part of the |
| 20 |
problem. |
| 21 |
|
| 22 |
I don't have a strong opinion as I haven't had to think about the |
| 23 |
internals of crypto software in a while, but hastily adding |
| 24 |
not-well-reviewed code might not be the best strategy. |
| 25 |
|
| 26 |
Have fun, |
| 27 |
|
| 28 |
Patrick |
Archives