
How I discovered CCS Injection Vulnerability (CVE-2014-0224) - rdtsc
http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html
======
userbinator
It seems odd that I haven't seen a full state diagram (including send/receive
packet details) for SSL, unlike e.g. TCP, since I think that having one,
either as part of the spec (which only contains a brief one for the handshake
sequence) or created from it before writing any code, would've made it much
more difficult to cause bugs like this. At least I've found state diagrams
very useful when working with protocols like this.
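As an added illustration of the point about explicit state diagrams (example code written for this discussion, not from the article or from OpenSSL): a table-driven server-side handshake state machine in which the well-known defect behind CVE-2014-0224, a ChangeCipherSpec accepted before the key exchange has produced key material, cannot occur because every out-of-order message is a hard error. Server-sent messages are omitted and the key derivation is a placeholder.

```python
from enum import Enum, auto


class State(Enum):
    WAIT_CLIENT_HELLO = auto()
    WAIT_CLIENT_KEY_EXCHANGE = auto()
    WAIT_CHANGE_CIPHER_SPEC = auto()
    WAIT_FINISHED = auto()
    ESTABLISHED = auto()


# (current state, incoming message) -> next state. Any pair not listed here
# is a protocol violation; the handshake is aborted rather than "handled".
TRANSITIONS = {
    (State.WAIT_CLIENT_HELLO, "ClientHello"): State.WAIT_CLIENT_KEY_EXCHANGE,
    (State.WAIT_CLIENT_KEY_EXCHANGE, "ClientKeyExchange"): State.WAIT_CHANGE_CIPHER_SPEC,
    (State.WAIT_CHANGE_CIPHER_SPEC, "ChangeCipherSpec"): State.WAIT_FINISHED,
    (State.WAIT_FINISHED, "Finished"): State.ESTABLISHED,
}


class HandshakeError(Exception):
    pass


class ServerHandshake:
    def __init__(self):
        self.state = State.WAIT_CLIENT_HELLO
        self.master_secret = None  # only set once ClientKeyExchange is processed

    def receive(self, msg):
        nxt = TRANSITIONS.get((self.state, msg))
        if nxt is None:
            raise HandshakeError(f"unexpected {msg} in state {self.state.name}")
        if msg == "ClientKeyExchange":
            self.master_secret = b"placeholder-master-secret"  # real code derives this
        if msg == "ChangeCipherSpec" and self.master_secret is None:
            # Second, independent guard: never switch to encrypted records
            # without key material, even if the transition table were wrong.
            raise HandshakeError("ChangeCipherSpec before key material exists")
        self.state = nxt
        return self.state


def run(messages):
    """Feed a constructed sequence of client messages; report the outcome."""
    hs = ServerHandshake()
    try:
        for m in messages:
            hs.receive(m)
    except HandshakeError as e:
        return ("rejected", str(e))
    return ("accepted", hs.state.name)
```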

~~~
contingencies
Agreed. The sheer brilliance of clarity in the classic _TCP/IP Illustrated:
Volume 1 - The Protocols_ only becomes visible in hindsight. Anyone know if
the LaTeX source for its diagrams is available? I have been able to
emulate them for the most part in _graphviz_ using _shape=record_ when
required, but wonder if that was the technique used.

(PS. Reading the above tome ~1999, I actually discovered numerous
specification flaws in the RFCs ... eg. for ARP and ICMP, that could be used
for remote OS detection.)

------
rdtsc
What is interesting is that the (core?) of OpenSSL was re-written in Coq
according to the author. Then the natural question is: can that representation
be used to generate C code from it, and would that make a safer product?

~~~
hrjet
It seems like the author was able to discover the vulnerability while in the
process of specifying it in Coq (understanding the handshakes better during
specification).

From what I read the Coq specification itself wasn't complete or used to
discover the vulnerability.

Would be great if the author shed some light here.

~~~
ian-lewis
That seems correct. He discovered it while creating the Coq specification but
Coq wasn't itself used to discover the bug. He confirmed that much in this
podcast (It's in Japanese though):
[http://mozaic.fm/post/88061749963/4-security-protocol](http://mozaic.fm/post/88061749963/4-security-protocol).

------
o_____________o
Okay, how many of you thought this said "CSS"?

~~~
acdanger
Mildly disappointed this was not about injecting arbitrary styles into sites.

~~~
skeletonjelly
> How I hacked HN using a CSS vulnerability to make it look like reddit. 4214
> comments 1 hour ago

------
bayonetz
It's funny, I just assume open source security oriented development would
follow far more rigorous testing and verification than it apparently does. I
guess it's no different from every other kind of development - testing and
verification are not the fun part. Human incentives being what they are, this
keeps playing out. Bounties are probably the only practical way to reverse
those incentives because making that cash makes testing and verification fun
again.

~~~
Alupis
Even at big shops... testing is not fun and not done as much as you'd [want
to] think.

~~~
jacquesm
Proposal: When something is completed according to the devs a bonus is posted.
For every vulnerability discovered by all the other devs in the company a
portion of the bonus gets paid out. If an 'x' period has passed and no
vulnerabilities have been discovered the remainder is paid out to the original
devs.

~~~
contingencies
Your proposal is interesting in an office dynamic sense, however I feel that
the problem is really time pressure, not a lack of quality pressure.
Additional carrot (financial reward) for programmers is always good, but
perhaps a more meaningful range of attacks would only be made by experienced
external consultants... and the size of the fund must then be large enough to
interest them.

For fun, I just duckduckwent 'make a game of it' and got some amusing
responses in the context of this suggestion.

 _Kids can make a game out of almost anything! See more about gross motor
activities, outdoor play and pool noodles._

 _Whatever you'd like to improve about your life, try making it into a game.
Challenge yourself. Make up your own rules. Then play it to win._

 _When the family gets so big that you no longer can buy holiday gifts for
everyone, you have to find an alternative. For many, that turns the gift
exchange into a rousing game. "We used to buy for everyone and I enjoyed that,
but in the last couple of years, we had to face the fact ..._

 _I decided to put together my own Iron Rations and make a game of it. You are
welcome to play. I hope you have some helpful ideas to add to the stash. The
rules are: Everything must be shelf safe with an expiration date or best by
date of at least two years._

 _Principal Skinner: Oh, licking envelopes can be fun! All you have to do is
make a game of it. Bart: What kind of game? Principal Skinner: Well, for
example, you could see how many you could lick in an hour, then try to break
that record._

~~~
bayonetz
Perhaps but there are so many more actually fun "games" than testing your code
that you are again fighting natural incentives - people will pick the most fun
game when given the choice of many, yes?

~~~
contingencies
With reference to the parent's suggestion, 'winning' the game means getting
paid. Hence game theory :)

