From: nobody@REPLAY.COM (Anonymous)
Subject: Re: Idea: Array Boundary Checks on Write Access Only
Date: 1998/06/18
Message-ID: <199806181324.PAA23189@basement.replay.com>
References: <35880D14.AC0243A@cl.cam.ac.uk>
Organization: Replay Associates, L.L.P.
Newsgroups: comp.lang.ada

On Wed, 17 Jun 1998 18:38:12 +0000, Markus Kuhn wrote:

[arguing for allowing array read checks to be turned off while retaining
array write checks]

> ...
> There are no bug free systems but in many types of systems, some
> modules (e.g., an encryption module that must not leak secret
> keys) must be especially carefully reviewed, while the huge majority
> of the system is much less critical. This some-modules-only
> review only makes sense if there is a guarantee that no other
> less pedantically reviewed code (user interface, etc.) can
> accidentally or maliciously be caused to overwrite the internal data
> structures of the critical module.
> ...

This example seems to disprove your argument.

Let us assume a system with an encryption module that contains secret keys
which must not leak, and some other, non-critical module. A formal analysis
of the encryption module proves that it is error free. No analysis is done
of the non-critical module.

Array read checks are disabled for the system, but array write checks are
retained. The absence of array read checks means that

   type T is array (Positive range 1 .. 10) of Integer;
   A : T;
   B : Integer;
   I : Integer;
   ..
   I := -10;
   ..
   B := A (I);   -- index out of range; no exception with read checks off

will execute without raising an exception. B will be assigned the value of
some storage prior to A in memory, interpreted as an Integer. I will call
such an array read outside the array boundaries a "wild read".

The developer of the non-critical module is aware of the encryption module
and interested in knowing what the actual secret key values are. To that
end, he studies the memory layout of the executable to determine where in
memory the secret keys are stored, and inserts wild reads into the
non-critical module intended to read the secret keys. He is successful and
is able to transfer money from other people's bank accounts into his own as
a result.

Thus we see that eliminating array index range checks only on array reads
has been able to circumvent the safety of the encryption module, despite
the formal analysis proving its correctness. Had read checks also been in
effect, this could not have happened.

Jeff Carter  PGP:1024/440FBE21
My real e-mail address: ( carter @ innocon . com )
"Hello! Smelly English K...niggets." Monty Python & the Holy Grail
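The following is an added illustration of the point above, not code from Carter's post or from Kuhn's proposal. Standard Ada has no way to suppress checks on reads only, so GNAT's pragma Suppress (Index_Check) stands in for the proposed read-only suppression; the Secret variable placed next to the array is a constructed layout, and whether the unchecked read actually lands on it depends on the compiler's storage allocation. The checked read shows the behaviour the post argues must be kept: an out-of-range index raises Constraint_Error and the caller handles it, rather than the read silently returning neighbouring storage.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Wild_Read_Demo is
   type T is array (Positive range 1 .. 10) of Integer;

   --  Constructed layout for illustration: an unrelated "secret" declared
   --  beside the array. Its position relative to A is chosen by the
   --  compiler, so the unchecked read below may or may not reach it.
   Secret : Integer := 16#CAFE#;
   A      : T := (others => 0);

   --  Checked read: Index_Check is in force, so an index outside 1 .. 10
   --  raises Constraint_Error before any storage outside A is touched.
   function Checked_Read (I : Integer) return Integer is
   begin
      return A (I);
   end Checked_Read;

   --  Unchecked read: Index_Check is suppressed for this subprogram, which
   --  is the situation read-only suppression would create. For an index
   --  outside 1 .. 10 execution is erroneous (Ada 95 RM 11.5): the result
   --  is whatever lies at the computed address.
   function Unchecked_Read (I : Integer) return Integer is
      pragma Suppress (Index_Check);
   begin
      return A (I);
   end Unchecked_Read;

   I : Integer := -10;   --  same out-of-range index as in the post
begin
   --  Keep Secret alive so the compiler does not drop it.
   Put_Line ("Secret lives at some address near A; value:"
             & Integer'Image (Secret));

   --  1. With the check retained, the wild read is stopped and handled.
   begin
      Put_Line ("Checked read of A (" & Integer'Image (I) & ") ...");
      Put_Line ("  value:" & Integer'Image (Checked_Read (I)));
   exception
      when Constraint_Error =>
         Put_Line ("  Constraint_Error raised: wild read prevented");
   end;

   --  2. With the check suppressed, the same read completes silently and
   --     returns some Integer from outside A. Nothing tells the caller
   --     that the array boundary was crossed.
   Put_Line ("Unchecked read of A (" & Integer'Image (I) & ") ...");
   Put_Line ("  value:" & Integer'Image (Unchecked_Read (I))
             & "  (erroneous: storage outside A)");
end Wild_Read_Demo;
```

Build with gnatmake wild_read_demo.adb and run it. The first read ends in the Constraint_Error handler; the second returns a value without any indication that the access was out of bounds, which is exactly why a module's own correctness proof says nothing about what a less reviewed module can read from it once read checks are gone. Note that GNAT's -gnatp switch suppresses all checks for a compilation, writes included, so it is a stronger setting than the read-only suppression being discussed.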