Lessons Learned from Debian's OpenSSL Flaw

Russ Cox has posted about the recent flaw that was found in Debian's version of OpenSSL  and what programmers can learn from it. He posted:

Many people have had fingers pointed at them, but it is not really interesting who made the mistake: everyone makes mistakes. What's interesting is the situation that encouraged making the mistake and that made it possible not to notice it for almost two years.

To do that, you have to understand the code involved and the details of the bug; those require understanding a little bit about entropy and random number generators.

 After discussing entropy and some specifics about OpenSSL and Debian, Cox posted five lessons that we should take away from the mishap:

  • Try not to write clever code. Try to write well-organized code.
  • Inevitably, you will write clever, poorly-organized code. If someone comes along asking questions about it, use that as a sign that perhaps the code is probably too clever or not well enough organized. Rewrite it to be simpler and easier to understand.
  • Avoid voodoo code. Zeroing a variable multiple times, for example, doesn't affect correctness now, but it does make the code harder to understand and easier to break without noticing.
  • Mailing list discussions aren't a substitute for real code review. People respond to email when they're tired or on their way out the door. Code reviews are supposed to be thorough and considered. Showing a side-by-side file diff of the before and after versions of md_rand.c to an OpenSSL developer as a real code review would likely have turned up the mistake.
  • Distributions like Debian have to maintain their own copies of some programs at least temporarily. That's inevitable, because not all projects will run on Debian's time constraints. But I'm surprised there was no followup with the OpenSSL developers once the patch was created, trying to get them to accept it into the main tree. That could have provoked a code review too. Failing that, I'm surprised Debian doesn't have a guy whose job it is to understand OpenSSL and other security-critical bits of code and vet local changes in a formal process.

Lessons from the Debian/OpenSSL Fiasco - [research!rsc]

Originally posted on Mon May 26, 2008