undefined | Better HN

0 pointstptacek12y ago0 comments

Use-after-free bugs that are so blatant that they occur in normal use are rare, but real UAF bugs are discovered adversarially, and it is absolutely not simple to test them or, for that matter, avoid them.

0 comments

3 comments · 1 top-level

eropple12y ago· 2 in thread

I'd certainly agree that they certainly exist in the wild but I'm less convinced that they're particularly hard to avoid if you understand the lifecycles of what you're working on That browsers are a tough problem with a difficult-to-internalize object lifecycle and a bunch of edge cases makes this tougher, for sure; my stuff is games-focused and so, yeah, I have a relatively simple problem set.

But, all things considered I'd rather Somebody Else (because Somebody Else makes browsers, I don't) spend developer time making a fast system secure rather than running a slightly more secure system up against the hard walls imposed by any managed language one would care to name.

tptacekOP12y ago

Integer overflows, which require no mitigation other than getting a computer to count correctly, are extremely pernicious; they pop up even in systems that were deliberately coded defensively against them. There's an LP64 integer bug in qmail! And that's just for counting. Avoiding UAFs requires you to track and properly sequence every event in the lifecycle of an object --- and, in many C++ systems, also require you to count properly.

No, I don't think they're straightforward to avoid.

I think it seems straightforward to avoid memory lifecycle bugs because it's straightforward to avoid them under normal operating conditions. But attackers don't honor normal conditions; they deliberately force programs into states where events are happening in unexpected ordering and frequency.

I don't even know where to begin with the idea that it's acceptable to sacrifice a couple memory corruption vulnerabilities in the service of a faster browser.

eropple12y ago

> No, I don't think they're straightforward to avoid.

Fair enough, and you certainly have more experience on the topic than I do. Thanks for the explanation.

One quibble though, and maybe it was poor phrasing on my part:

> I don't even know where to begin with the idea that it's acceptable to sacrifice a couple memory corruption vulnerabilities in the service of a faster browser.

It's not really an either/or though, right? I mean, you can protect against some forms of attacks through a managed environment (though the environment itself adds its own attack surface). But you trade performance to get it. A managed language isn't going to solve all your problems, and it is going to mess with your performance in inconsistent and essentially intractable ways. I'm not saying "throw in a couple memory corruption vulnerabilities if it'll make it faster", I'm saying that you can fix memory corruption vulnerabilities. You can't fix inherently slow.

j / k navigate · click thread line to collapse