| 1 |
So one of the side-discussions happening after Heartbleed was the fact that |
| 2 |
OpenSSL has its own memory allocator code that effectively mitigates any C |
| 3 |
library-provided exploit mitigations (as discussed on the openbsd-misc ML at |
| 4 |
[1] and Ted Unangst's blogs at [2] and [3]). This is partially why there's |
| 5 |
so much "interesting" data to be sniffed from a server's memory via the |
| 6 |
heartbleed response packets -- that memory wasn't really initialized to |
| 7 |
random data or zero'd upon malloc(), nor garbage-collected upon free(). |
| 8 |
|
| 9 |
Taking place over on the openssl-users ML, someone from Akamai posted a new |
| 10 |
secure memory allocator patch[4][5] that they have been using in production |
| 11 |
for about a decade. That patch was cleaned up, diff'ed against |
| 12 |
openssl-1.0.1g, and posted to openssl-dev here: |
| 13 |
https://marc.info/?l=openssl-dev&m=139733477712798&q=p5 |
| 14 |
|
| 15 |
It basically provides a secure memory area protected by guard pages for |
| 16 |
sensitive data, like RSA private keys, so that if another Heartbleed-like |
| 17 |
event occurs, things won't be as bad. Hopefully... |
| 18 |
|
| 19 |
Is this something we want to look at adding to our openssl copy via an |
| 20 |
optional USE flag (default off)? |
| 21 |
|
| 22 |
Refs: |
| 23 |
1. http://marc.info/?l=openbsd-misc&m=139698608410938&w=2 |
| 24 |
2. http://www.tedunangst.com/flak/post/heartbleed-vs-mallocconf |
| 25 |
3. http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse |
| 26 |
4. http://marc.info/?l=openssl-users&m=139723710923076&w=2 |
| 27 |
5. http://marc.info/?l=openssl-users&m=139723972124003&w=2 |
| 28 |
|
| 29 |
-- |
| 30 |
Joshua Kinard |
| 31 |
Gentoo/MIPS |
| 32 |
kumba@g.o |
| 33 |
4096R/D25D95E3 2011-03-28 |
| 34 |
|
| 35 |
"The past tempts us, the present confuses us, the future frightens us. And |
| 36 |
our lives slip away, moment by moment, lost in that vast, terrible in-between." |
| 37 |
|
| 38 |
--Emperor Turhan, Centauri Republic |
Archives