[mSparks]

For me, Heartbleed was much much more than: ->At its core, Heartbleed was a simple bug, a missing buffer-length check

It was a catastrophic failure of a critical internet component that highlighted the truth that these supposed crypto security experts didnt have a clue.

We're talking about the kind of "simple bug" analogous to a television with bare wires as a power switch.

Imho it will take a lot more than a couple of years and a team change to reinspire faith in that brand of security. If we should at all.

[DasIch]

I think that's somewhat unfair. People make mistakes, that's unavoidable and shouldn't be seen as an issue. Instead of blaming people for making mistakes we should consider what we can learn. We need to identify which mistakes happened, why they happened and what measures we can take to make such mistakes impossible or unlikely in the future.

It turns out that the industry is really bad that problem. Many libraries and critical parts of the infrastructure are developed using languages and tools that don't just allow mistakes to happen that can be prevented but make it easy to make such mistakes. Crypto is affected by this but there are many other areas which are affected by this problem to.

There needs to be a move towards more constrained languages like Rust that limit the potential mistakes, better development processes that prevent bugs from passing through that can be caught by humans and tools for testing that make it possible to test for a wider range of problems and not just those developers anticipate to occur.

[dijit]

I see the same sentiment all the time here on HN.

"Just reimplement it in rust"

Well, why do you think openssl is so pervasive? It's everywhere and it's not due to marketing or ease of use or code quality.

It's because nobody in their right mind wants to implement a TLS library. Openssl itself was only conceived because the original author was teaching himself C.

[dom0]

Another facet is that full compatibility to OpenSSL is required on the internet.

Ten years ago plenty of projects were using alternative SSL implementations (eg Peter Gutmann's cryptlib), many of which had slight interop problems with OpenSSL (which one to blame is impossible to say). In turn many projects switched away from these libraries - they had to, interop issues making software unreliable are vexing for every user - and moved to OpenSSL.

OpenSSL will also often be the first implementation that has a new TLS feature, it's the internet's demo implementation. New optimizations in algorithms tend to land first in OpenSSL as well etc.

Today there are like ~four or five relevant TLS implementations, and only one is in widespread use on servers.

[my123]

Windows' crypt32 also matters, and has a much cleaner API compared to OpenSSL, with backwards compat.

[DasIch]

I'm mentioning Rust to make clear the direction I'd like things to go and because there isn't really an alternative that allows for similar reusability and is practical for developing cryptographic libraries. That being said there are also implementations of TLS in other languages like Haskell or OCaml, that also wouldn't be vulnerable to these kinds of issues.

I agree that this is a difficult problem but I don't think that's really the barrier here. AI is also difficult and there is no shortage of improvement in that area. The real problem isn't the difficulty of implementing a TLS library, the real problem is inertia and an unwillingness to change.

[duneroadrunner]

SaferCPlusPlus[1] is an easier option when starting from a C/C++ code base. It's also one of the faster options, but if people are willing to accept some performance cost, I think the easiest solution would probably be to "harden" the LLVM/gcc sanitizers so that they can be used in deployed builds, not just debug builds. The sanitizers don't catch everything, but pretty close it seems.

[1] shameless plug: https://github.com/duneroadrunner/SaferCPlusPlus

[nickpsecurity]

I'll add that SAFEcode and Softbound+CETS automatically make C programs memory-safe against lots of problems. There was also the Clay language that could've been updated. C0 is a subset that was easier to verify used in Verisoft's microkernel and apps. Rod Chapman found an error in reference implementation recoding it in SPARK Ada. So that could be used.

All kinds of things could solve the C-level problems or substitute with a C wrapper but nobody cares enough to do it.

[duneroadrunner]

SAFEcode and Softbound+CETS would be ideal, but seem to have a few problems in practice. First, the resulting executables are apparently quite slow. Like several times slower that executables compiled normally. The sanitizers are much faster, but even so the "address sanitizer" alone has a 2x performance cost. The other problem with SAFEcode and Softbound+CETS is that they don't always work. The TOR project tried to build firefox using them, but they couldn't successfully build it [1].

Perhaps nobody cared to address the C/C++ (memory) safety problems when the solutions required significant compromise. But the santizers are now (or could be with a little effort) a much more practical "no code modification required" solution than the previous options. And I think SaferCPlusPlus is now a more practical "some code modification required" solution than previous alternatives.

Maybe these new and improved choices will make a difference. We can dream, can't we? :)

[1] https://blog.torproject.org/category/tags/tbb-hardened

[pjmlp]

I doubt anyone in C community would turn them on anyway.

They even made the "security" annex optional in C11!

[duneroadrunner]

Well that's just it, use of the sanitizers is not up to the developers, it's a build-time option. The TOR guys have enabled them when building firefox[1]. But apparently some of their debugging features actually introduce potential vulnerabilities themselves so they're not really appropriate for deployed executables. Yet.

[1] https://blog.torproject.org/category/tags/tbb-hardened

[lmm]

There are options now though. My production services terminate SSL with a non-C implementation. (ocaml-ssl may be beta and unaudited but my judgement call is that I trust it more than any C implementation).

[whyever]

> There needs to be a move towards more constrained languages like Rust that limit the potential mistakes

It's happening: https://github.com/ctz/rustls

[sidlls]

Rust guarantees safety under certain conditions. That's it. It doesn't guarantee good design, bug free code, or code that never behaves badly. This is the kind of gratuitous maligning of code written in other languages that some Rust fans engage in that I find off-putting. Rust isn't The Solution To All Our Problems.

[pjmlp]

You are right, but any systems programming language that comes from the Algol or ML family doesn't suffer from "every line of code is a possible memory corruption" that C and its derivatives suffer from.

Rust or any other memory safe systems programming languages don't make all type of programming errors go away, but at least they make the memory corruption ones less likely to happen.

Also most of the C tools that help reduce memory corruption, if not hardware assisted like on SPARC v9 and Skylake, are mostly limited to having all source code available.

It feels like moving from Assembly to an higher level programming language.

[sidlls]

I mostly agree. However I have this prediction: if Rust gains popularity, then in 5-10 years (or perhaps fewer!) someone will be complaining about memory issues in a Rust library that is peppered with "unsafe" blocks that don't properly respect the safe/unsafe boundary contract.

Even the core under-the-hood Rust std library is a human-vetted set of unsafe code that the compiler simply cannot prove as much about as Safe Rust. Human-vetted things are prone to error, no matter how good the humans doing the vetting are.

[burntsushi]

> Even the core under-the-hood Rust std library is a human-vetted set of unsafe code that the compiler simply cannot prove as much about as Safe Rust. Human-vetted things are prone to error, no matter how good the humans doing the vetting are.

At some point, it has to be human vetted. I don't see another way. The key advantage is the ability to build safe abstractions from unsafe components.

Will people abuse unsafe? Absolutely. Is it a lot better than the alternatives? IMO, absolutely. :-)

In my own experience, unsafe is rarely needed. I've only ever used it for ffi and lightly in very performance critical areas of code. The regex library, for example, has almost no unsafe. Its only use is to get rid of bound checks inside the DFA's inner loop.

The most (non-ffi) unsafe I've ever used is in a snappy compression library, where most of it was a means to more efficiently shuffle bytes around without paying for memcpy (using unaligned 8 byte or 16 byte loads/stores).

There is a pretty strong tendency in the Rust community to avoid unsafe. Some libraries advertise themselves as having "no unsafe code" as a selling point precisely for the dangers you've hinted at: humans make mistakes.

[pjmlp]

Which is why on those languages most compilers have the option to turn unsafe blocks usage into compiler errors.

Which is something impossible in C, where even using plain vectors, strings or doing arithmetic requires unsafe code.

It is easier to vet lets say 10% of the code than 100%.

[DasIch]

If you work on real objects made of metal and wood with dangerous tools like chain saws. There are a variety of protective measures you can take like guards, clothing and so on. These things don't provide guarantees safety under all conditions, they don't guarantee good design, objects that have no mistakes or that will never behave badly when used.

And yet, despite all of that not using these protective measures is considered by every reasonable person as incredibly stupid and worthy of a darwin award. This goes so far that there are laws that regulate this.

Nevertheless somehow when it comes to software all of that goes out the window. There is risk to other peoples money, privacy and potentially their lives? Who gives a shit? It doesn't make everything a 100% safe so let's use decades old tools that are difficult to learn are horrible to work with, allow for a huge number of completely preventable mistakes to happen, that we know happen often.

In any other context people would never come up with such a criticism. It would be considered ridiculously stupid to the point that some might think you're being sarcastic and making a joke and once they discover they not, they'd ask if there are some mental problems that might require attention.

Rust and languages that go into that direction don't solve all our problems and that's completely irrelevant.

[mSparks]

Tell that to your bank manager when they make a mistake....

It is NOT the bug itself that is at issue here.

It is the "mistake" of an ENTIRE INDUSTRY relying on a security module with haphazard, proven flawed development process, and impenetrable code.

Then trying to pretend the exact opposite.

Unfair, attract me down votes - sure. True - without doubt.

[DasIch]

So? Nobody disagrees on the fact that there is a problem. Putting blame on people won't solve the problem. It will piss people off. People you want on your side, enthusiastically solving the problem. Your attitude is actually dangerous and counterproductive to solving the problem.

This toxic culture is a big part why we are in this mess. Who in their right mind would want to try work on OpenSSL to improve it while being called an idiot? Who'd be willing to stand up for the project as a representative? Speak out for the project?

[mSparks]

It's not a case of blaming. Its a case of choosing https://www.libressl.org/ or https://www.openssl.org/

Applying best practice development processes or Pretending someone else can do it all for you, and you can "bolt it on" at the end.

The article lists: Future plans and lessons learned: At the top of the list for future development is support for TLS 1.3.

Like adding yet another protocol to the already hacked mess of protocols is a "good" thing.

[DasIch]

LibreSSL is only better because it does less and much more human attention is wasted on producing bug free C code. That's an improvement but it's quite limited.

[cheiVia0]

The problem was bigger than that, basically no-one cares about their open source infrastructure and so it (including OpenSSL) is continually under-resourced.

[zeveb]

It's yet another in a long line of bugs due to C. It is, of course, possible to have bugs in every language. Even in a theoretical bug-free language it'd be possible to flawlessly implement a buggy algorithm or standard. But some languages make some sorts of bug difficult, and others make them easy: C is in the latter group.

I suspect that assembler for the primitives and a good, sane high-level language (Haskell? Caml? Lisp?) would yield far more secure software than C. There are issues with relocatable memory and zeroing of keys, but those are, I think, addressable at the implementation level.

[acqq]

I don't have an impression that any of the mentioned languages can provide reasonable alternative to the library written in C or the equivalently compatible language, and the only language that it appears to me to have a chance to have such an implementation could be Rust, but somehow even there it appears to be too hard to do so and/or too little commercial interest to make something "good enough" for the most of the potential users. The Rust community doesn't have to implement all the functionality of Open SSL, but if it would produce at least just a proof of concept (e.g. just a minimal set of algorithms) which would prove both the capability to achieve the same speed and the provably higher security, that would be, I think, a huge start.

That would mean not wrapping the whole OpenSSL library in Rust calls but having some as minimal as possible, the tightest of the tightest loops implemented in ASM and everything else in clean and "secure" (not downgraded to the C freedom) Rust which would also pass the benchmarks and be capable to be called "on the high level" from the C code to which that library could be linked (probably the Rust code would not use GC or if it would it would have to be some so simple and minimal one that it would work by eventually calling the C malloc for bigger blocks and cause no different delays than the good written C). Not easy but I think theoretically possible for Rust. Once it would be achieved, implementing other algorithms would be possible to be done by different people and organizations.

I guess in order to achieve these goals the language designers would have to directly decide to support them, but I'd be glad if the status is already different. But I really believe that would be a huge argument for Rust: being provably more secure than C and achieving ability to implement effective drop-in replacements for C security libraries. Is it too high a goal?

I don't know how far we are from something like that, but maybe some Rust insider can estimate? What's still missing and how far we are from the point where what I described would be possible to implement?

[nickpsecurity]

Already done in Ocaml for projects willing to use something other than OpenSSL:

https://github.com/mirleft/ocaml-tls

It's performance was within 80% or so of regular TLS with Ocaml's safety and easier verification. Quite a few components were purely functional, too. I've seen SML embedded in LISP's and PreScheme compiled to efficient C or ASM. So, that means a static LISP could handle it piggybacking on C compilers. Ivory embeds a subset of C in Haskell to keep things easy to analyze and automatically safe. Parts of a SSL library could use it.

http://ivorylang.org/ivory-introduction.html

So, Haskell, LISP, and ML are already capable of replacing our SSL libraries if people choose. One is already done in Ocaml. COGENT, if people apply it to this, will take it further by having an easier-to-verify implementation in functional language with certified compilation to C or assembly.

[pjmlp]

There is also the F* version, which can be made to target C via their KreMlin compiler.

https://project-everest.github.io/

https://fstarlang.github.io/general/2016/09/30/introducing-k...

Presented at this year's ICFP conference.

https://www.youtube.com/watch?v=sP7PRHn9iEA

[nickpsecurity]

I reposted your link on Lobste.rs. I noted that COGENT already was doing verified functional with certified translation to C or assembly. Also that F star to C seems to be Microsoft and INRIA's route. So, at least two projects are making it much easier to verify algorithms or protocols in functional way with C code resulting.

The other thing I noted is that most code meant for verification is designed to be easy for humans or machines. The F star and C is one of few that is easy for both. I rarely see that.

[pjmlp]

On the talk that they did, the guy from F* team mentioned that their goal was to be able to validate that the C code is correct and they can match 1:1 the language constructs, to allow for proper verification of the generated code.

[acqq]

Thanks, but which of those can be simply taken as the library linked to C code and called from the C code, and so that it doesn't depend on GC? Because as long as that step doesn't exist, it can't be used as the possible substitution for the current libraries?

[nickpsecurity]

Ocaml is only one that uses GC IIRC. Others produce C.

[acqq]

Links please? Any actual library produced and linkable, even with just one algorithm? I can't find it behind that Ivory link? Thanks!

Edit: also thanks for explaining the nature of the solutions you mention ("custom jobs").

[steveklabnik]

See https://crates.io/crates/ring , which is a fork of boringSSL, porting the C over to Rust. Endgame is 100% Rust and asm.

https://crates.io/crates/rustls is a TLS library built on top of ring.

[acqq]

Can it be used from C, e.g. C that statically links the library? Does it depend on the GC? What is the current speed? Thanks!

Edit: Re "just know they exist" (meaning libraries) in the answer: That's why I started the topic, the people who use only C wouldn't have chance to try the library unless the people who know enough Rust give something explicit that works and can be actually tested in linkability, functionality and speed.

[steveklabnik]

  > Does it depend on the GC?

Rust has no GC.

I am not sure about your other questions, as I haven't used them directly, I just know they exist. :) The former is possible, but I don't know if the authors have done any work on that.

[nickpsecurity]

They can even use a typed, assembly language if they want to have handwritten ASM and prove memory safety. Just no interest outside CompSci types.