
Golang heap corruption during garbage collection - __Joker
http://blog.stalkr.net/2013/06/golang-heap-corruption-during-garbage.html
======
tptacek
To be clear: this is another attack where the attacker is writing malicious
Golang code and getting you to run it; i.e., it's an attack that proposes Golang
be situated in the same place JavaScript is.

Of course, in its normal configuration, Golang can simply run shell commands,
read/write files, &c.

It is still extremely valuable to understand how exploits like this are
constructed.

~~~
TylerE
To also be clear: this is a bigger deal than it might be due to the way Go
handles external dependencies. GitHub hacks might get nasty.

~~~
tptacek
What? How does that make sense? External dependencies, being themselves
standard Golang code, can _also_ run shell commands, read/write files, &c.

~~~
grey-area
Maybe referring to Go packages having no metadata and being unsigned, so if a
GitHub account was hacked and you used "go get" on a third-party pkg you could
end up compiling unexpected exploit code into your binary?

~~~
obiterdictum
You simply do not use "go get" on third-party repos in production. It's not
different from pip or gem.

~~~
mwcampbell
At the risk of some controversy, I think that if Go's core developers are
serious about encouraging good software engineering, they should drop "go get"
(presumably in Go 2). It seems to me that subrepositories / submodules at the
version control level, with support for pinning, are the best way to manage
dependencies.

~~~
wtbob
> At the risk of some controversy, I think that if Go's core developers are
> serious about encouraging good software engineering, they should drop "go
> get" (presumably in Go 2). It seems to me that subrepositories / submodules
> at the version control level, with support for pinning, are the best way to
> manage dependencies.

That's how 'go get' _works_.

~~~
TylerE
No it doesn't; you can't request or pin a specific version. You just get
whatever is in HEAD when you pull.

~~~
wtbob
> No it doesn't; you can't request or pin a specific version. You just get
> whatever is in HEAD when you pull.

You get the dependency _at a version control level_, at a known-good version
(because you pulled from the master branch) at the time you pulled, and after
that it's up to you to update it.

------
grey-area
It'd be interesting to know whether this sort of exploit would be possible
when targeting a web server, as opposed to building a vulnerable Go binary.
Perhaps fuzzing the Golang built-in web server would be a good exercise for
security researchers looking for a way to improve Go security.

There's a cute and slightly scary use of go playground to demonstrate the
exploit at the end of the article:

<http://play.golang.org/p/fOxl250j8w>

(No longer works, as play.golang was patched.)

~~~
tptacek
No, I don't think so.

~~~
grey-area
If you mean no to the first bit, that's reassuring. play.golang.org is
something of a special case, as it tries to run code in a sandbox. I'd be more
interested in exploits which attack web server processes or DB drivers with
malicious input, as those are more likely to actually be used in the wild.

------
friendly_chap
*Go

~~~
rpsw
Golang is often preferred as it's much easier to search for, and there's no need
to disambiguate between other things called Go (Chinese board game, 1999 film).

~~~
laumars
As well as the other similarly named programming language: Go!
(<http://en.wikipedia.org/wiki/Go!_(programming_language)>)

To be honest, I hate the name "Go" even for conversing out loud. It's such a
common term that the context is completely lost in verbal communication, so
I'm often having to explain things in a long-winded way, e.g. "_It's programmed
in Google's language named 'Go'_".

Google probably should have just released it as "Golang" from the start to
save a lot of trouble and confusion.

~~~
mseepgood
> As well as the other similarly named programming language: Go!

This language doesn't even have a home page or a download page.