

Should a security library log sensitive information? - chrismoos

I&#x27;m looking for some more input on an issue I have with an XML encryption library, Santuario. First off, love the library, but opened this issue and getting some resistance.<p>The library logs in DEBUG level decrypted content and I believe this should be removed and is a security concern. Can anyone give their insight?<p>https:&#x2F;&#x2F;issues.apache.org&#x2F;jira&#x2F;browse&#x2F;SANTUARIO-413<p>EDIT: Here is some more clarification on a use case:<p>To understand the concern please read the following example (let&#x27;s pretend its an app running on Android):
Security is all about layers – changing a log4j.properties file is orders of magnitude easier than reverse engineering a Java library and extracting an AES key that has been obfuscated before being placed in the code, for example. I&#x27;d prefer to stop people from seeing decrypted content just by modifying the log4j and changing it to DEBUG.
======
debacle
I'm not really sure it is a valid security concern. Putting any application in
debug mode is going to expose a lot of information (even decrypted) to users.
It's kind of assumed that you'll never be using debug mode in production.

A notification is warranted, though, "Hey you should probably not use this in
production."

------
Someone1234
In DEBUG level it is fine to log decrypted content, it is not a security
concern, and is quite welcome.

If you're using DEBUG level logging in production, that is the security
concern. The functionality isn't.

The argument "what if the bad guy can change the logging level?!" is pretty
weak, if such a person could change such a thing, they could also change a lot
of even worse things and likely make that just the tip of the iceberg.

Seems like your mental model of the security is a little off. If the system is
compromised your Java XML encryption library isn't going to save you, in
particular as you have to be storing the private keys on the same system.

~~~
chrismoos
My issue is with the application running somewhere like an Android app where
an attacker could easily change logging and see the sensitive information, as
opposed to having to do a more sophisticated attack to get to the decrypted
data (through finding out the key, patching class files, etc,.)

~~~
Someone1234
I've decompiled Android APKs before, it wasn't a big technical barrier. Just
extract the APK using any zip utility, use Dex2Jar, and then run this:
[http://jd.benow.ca](http://jd.benow.ca)

I certainly wouldn't patch class files. I'd just extract the private key, then
write a new Java application, utilise the same libraries, and point it at the
XML. Boom, decrypted.

Is changing a text file a little easier? Perhaps. But extracting the private
key is only slightly more work, and the benefits of being able to debug are
worth it since the security arguments are pretty weak borderline non-existent.

If you're really paranoid about this just hash log4j.properties and check it
on startup. Then crash out with "corrupted log4j.properties, please reinstall"
if it has been modified.

~~~
chrismoos
I've reverse engineered plenty of Android apps before and yeah, unpacking it
and seeing .class files is pretty straightforward. More sophisticated than
modifying a text file, but still pretty easy.

Extracting the private key though is not that easy if it is obfuscated well.
The key isn't just stored as a static variable and used as-is. I think the
overall thing I'm trying to explain is:

* There are different classes of attackers * Everything can be broken, but we want to stop as much people as we can * Layering security is a good thing * Is it really necessary to have the library log the information, as opposed to letting applications decide?

~~~
Someone1234
Fair enough. Did you see my point about just hashing log4j.properties's
contents? Since I assume you won't be modifying it after you publish as you
don't want debugging. As long as you check the hash before you decrypt any XML
this should solve your concerns.

In order for someone to then abuse the debugging functionality on Santuario
they would need to modify your APK which is frankly just as big of a barrier
as finding and pulling the private key(s).

~~~
chrismoos
It would be possible but not that straightforward, you can change how log4j
loads/finds properties file, for example, so it would be hard to enforce that.

Its pretty easy to unpack an APK, change log4j stuff to DEBUG, repack, and run
vs. unpacking APK, disassemble class files, go through files, find how key is
stored, routine for deobfuscation, etc,.

------
detaro
It's a concern, yes, but also useful functionality. Two examples from other
software: OpenSSH AFAIR logs every keystroke when in high enough log levels
(and accordingly warns that using DEBUG1-DEBUG3 log levels violates user
privacy). Postfix will log user passwords if asked to do so.

Having multiple levels of DEBUG like OpenSSH or extra options like postfix
probably is a good idea, and as is printing an explicit warning if started
with such log levels.

