Monday February 24, 2014

Security Is Code Formatting

What a weekend. Apple released iOS 7.0.6 to plug a hole that lets an attacker “capture or modify data in sessions protected by SSL/TLS”. Vague and ominous.

Then Adam Langley wrote up an excellent summary of the problem after code spelunking through the open source bits of iOS and OS X. W. T. F.

It’s all because of a goto statement that skips proper TLS verification under some circumstances. It was missed because of indentation that made it look like it was part of the if statement above it. But because that if statement lacked curly braces, only the immediately following statement was covered by the conditional. The second goto always runs and jumps past the rest of the critical verification code, so a bad signature is never checked. An attacker who knows how to trigger this code path has free rein to mount a man-in-the-middle attack.

<hindsight type="shameless" scope="20/20">
Check brace-less conditionals and formatting, please. And write tests for security code wherever possible.
</hindsight>
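The shape of the bug, reduced to a self-contained C program, as an added example that is not Apple’s code: the hashing and signature steps are stand-in functions and the status codes are made up. The buggy function returns success for an invalid signature because the duplicated goto always runs; the braced version reaches the final check. The last function is the kind of regression test the hindsight above asks for (GCC’s `-Wmisleading-indentation`, in `-Wall`, also warns on the buggy shape).

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed status codes standing in for the real ones (hypothetical). */
enum { VERIFY_OK = 0, VERIFY_BAD_SIGNATURE = -1 };

/* Stand-ins for the hashing steps and the final signature comparison. */
static int hash_update(void) { return VERIFY_OK; }
static int signature_check(bool signature_valid) {
    return signature_valid ? VERIFY_OK : VERIFY_BAD_SIGNATURE;
}

/* Buggy shape: brace-less if, with a duplicated goto indented to look conditional. */
static int verify_buggy(bool signature_valid) {
    int err;
    if ((err = hash_update()) != VERIFY_OK)
        goto fail;
        goto fail;   /* not part of the if above: always runs with err == VERIFY_OK */
    if ((err = signature_check(signature_valid)) != VERIFY_OK)   /* never reached */
        goto fail;
fail:
    return err;      /* VERIFY_OK even for a bad signature */
}

/* Fixed shape: braces make the conditional's scope explicit, so a stray goto stands out. */
static int verify_fixed(bool signature_valid) {
    int err;
    if ((err = hash_update()) != VERIFY_OK) {
        goto fail;
    }
    if ((err = signature_check(signature_valid)) != VERIFY_OK) {
        goto fail;
    }
fail:
    return err;
}

/* The test security code deserves: a bad signature must fail, a good one must pass. */
static bool rejects_bad_signature(int (*verify)(bool)) {
    return verify(false) != VERIFY_OK && verify(true) == VERIFY_OK;
}

int main(void) {
    printf("buggy rejects bad signature: %s\n", rejects_bad_signature(verify_buggy) ? "yes" : "NO");
    printf("fixed rejects bad signature: %s\n", rejects_bad_signature(verify_fixed) ? "yes" : "NO");
    return 0;
}
```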

By the way, Go would have caught this: the language requires curly braces on every if statement, and gofmt would have re-indented the lone goto to expose it automatically. Compiler-enforced formatting rules for the win, eh?

For even more details, read Dave Farber’s write up of the situation.