Enabling Secure Business Operations
« Stickam Users Spammed
Identity Theft - A Customer’s View »

Code Scanners and Security

Tim already posted about the Debian SSL flaw so I’ll let you read his take on it, but I wanted to bring some more information to the table.

Slashdot (of all places) has an excellent description of why the code was originally changed. The maintainer/developer had run valgrind on the code, and changed the code without thinking about it. It’s unclear who’s to blame here, we only have who checked in the code, not necessarily who changed it. However, this bug is a prime example of using “security” tools without knowing what you’re doing.

Valgrind looks for memory leaks and undefined memory usage. It’s not purely a security tool, but sometimes it’s used as one. Purify and flawfinder are others that I’ve seen used. These tools can show you how memory is used (or misused) in source code. Its these memory misuses that typically cause buffer overflows, so while it’s desirable to remove all “bad” code, it’s also desirable to understand why the code is bad or good.

Security folks aren’t always developers, and developers are almost never security folks. Get the two together to interpret the results of code scanners, it’ll make it a lot easier for you in the long run.

This entry was posted on Monday, May 19th, 2008 at 3:14 pm by Laura Raderman and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

One Response to “Code Scanners and Security”

  1. Peter Hesse Says:
    May 21st, 2008 at 1:30 pm

    Just thought I’d share the email I just received from Verisign:

    ******************************************************************************************

    Linux Operating System Security Flaws May Have Compromised Your Certificates.

    Replace Them Now at No Charge.
    ******************************************************************************************

    Dear Peter,

    We are writing to inform you of a recent exposed security flaw with certain versions of Linux so you may take immediate action and protect your site and your customers against any vulnerability. If you are not using Debian or one of its derivatives there is nothing you need to do.

    WHO IS IMPACTED AND WHY?

    For customers who used a Debian OS (or its derivatives) to generate a key pair used to request a certificate, that key pair (and the corresponding certificate) is vulnerable.

    This is due to a flaw in the Debian-specific random number generation that results in relatively predictable key pair values, making them highly exploitable.

    VeriSign’s trusted root and intermediate roots were not impacted by this incident.

    WHAT CAN YOU DO?

    If you are running Debian operating systems and derivatives (such as Ubuntu) released between September 17, 2006 and May 12, 2008 you should deploy a recently replaced Debian patch and revoke and replace all SSL and Code Signing certificates for which the keys were created on these operating systems. Debian has released a testing tool to confirm whether your certificates are affected. This tool and other useful information can be found here:

    http://lists.debian.org/debian-security-announce/2008/msg00152.html

    In addition, to ensure your site’s and your customers’ security, VeriSign is waiving the standard revoke and replace fee until June 30, 2008. To initiate the replacement process, please go to:

    http://www.verisign.com/ssl/current-ssl-customers/manage-ssl-certificates/index.html#revoke.

    FOR MORE INFORMATION.

    For additional information, please visit the VeriSign Support site at https://knowledge.verisign.com/support/ssl-certificates-support/index.html.

    Sincerely,

    Chris Babel

    Senior Vice President, SSL

    VeriSign, Inc.

Leave a Reply

Contact

Recent Posts

Archives

Categories

© Gemini Security Solutions, Inc. 2008. All Rights Reserved.       Privacy Policy