tags:

views:

111

answers:

2
+1  Q: 

Possible severe security vulnerabilities that could go unnoticed for a long time

I've been wondering about this for a while after reading through an interesting article a while ago (probably old news for some of you here) about a technique which one could use to introduce intrinsically hidden backdoors in compilers (article here). Another interesting article: (Did NSA Put a Secret Backdoor in New Encryption Standard?).

Which other methods can you think of that could threaten data security (in the broad sense) and could go unnoticed for a (very) long time?

I'm making this community wiki. Let the paranoia go!

+2  A: 

This may not be a complicated one, but doing an assign operation instead of a comparison could be a big hole that's easily overlooked:

if (userRole = "admin") { ... }

instead of:

if (userRole == "admin") { ... }

Lately, I've taken to putting my constant or literal as the first part of the conditional, like so:

if ("admin" == userRole) { ... }

So that if I ever mess up the comparison operator, the code will bomb right then and there during testing, instead of silently giving the user "admin" privileges.

Collin Allen  2009-07-13 23:15:40
I know for direct sources that "secure systems" now days don't depend on human code review. They depend on computer checked formal proofs of code correctness. The =/== issue won't fool them.
BCS  2009-07-14 02:44:12
Someone tried it deliberately but got caught: http://grouper.ieee.org/groups/scc38/1583/emailtg5/msg00005.html
Windows programmer  2009-07-14 05:41:13
+2  A: 

Having just seen a round of code fixing things like this, using an insufficiently secure random number generator is a great way to open yourself up to security vulnerabilities, and do so in a way that won't be detected until you're subject to a deliberate attack.

As an extreme example of this, consider the Debian openssl/ssh/etc vulnerability. That that went undetected for only just under two years is amazing - in something less wide-spread than Debian, I imagine it would lie buried for at least twice as long.

As a simpler example of something that's insecure, consider java.util.Random. This uses a very simple and very fast algorithm to go from one random number to the next, has only 48 bits of internal state, and if you ever generate a 64-bit number from it that you expose to the user, you've then exposed to the user all of your RNG's internal state. (A replacement for java programmers is the aptly named java.security.SecureRandom class)

Yes, in some sense it's "just" a matter of educating programmers to pay attention to when they're generating a security-sensitive random number and when they aren't, but you only need to miss one spot in your authentication-token code to really screw you.

Daniel Martin  2009-07-13 23:22:12

related questions

Java Compiler Options to produce .exe files.
Which compiles to faster code: "n * 3" or "n+(n*2)"?
profile-guided optimization (C)
Tools for converting non-Java into Java source
What's safe for a C++ plug-in system?
C++ Compiler Error C2371 - Redefinition of WCHAR
function declaration isn't a prototype
Learning Resources on Parsers, Interpreters, and Compilers
Compiler Error C2143 when using a struct
Which 4.x version of gcc should one use?
How to remove debug statements from production code in Java
.NET Compiler -- DEBUG vs. RELEASE
C on Visual Studio
What's a 'null defined macro'?
Warning: Found conflicts between different versions of the same dependent assembly
Mixed C++/CLI TypeLoadException Internal limitation: too many fields.
Bootstrapping a language
Checking for string contents? string Length Vs Empty String
What are the best resources on designing a new language?
Code crash in MS Visual Studio 2005 in RELEASE configuration
Invalid Resource File
C# logic order and compiler behavior
CSharpCodeProvider Compilation Performance
Learning to write a compiler
Adding Scripting functionality to .NET applications