[Cryptech Tech] Roadmap & remarks about the opportunity of developing a secure TOR router on the Novena platform.

Joachim Strömbergson joachim at secworks.se
Wed Aug 6 11:46:50 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aloha!

Bernd Paysan wrote:
> IMHO, that stuff is mostly a language problem: The C language has
> several mis- features which result in an unified stack, arrays not
> being first-class (which means functions don't know how big a buffer
> is unless explicitely passed as additional, unrelated parameter) and
> so on.  That's something that can be solved:
> 
> * The language must pass arrays as addr+len pairs to be able to
> perform checks - the only "pure" pointer without size maybe is the
> function pointer.
> 
> * Parameter stack, return stack and the stack for local buffers must
> be separated (different registers), and the language must have a
> native way to return more than one argument without resorting to
> pointers (which then opens up holes by writing something bigger into
> the pointer passed).
> 
> * The memory overwriting flaws are IMHO the most important to fix.
> The integer overflow stuff can be partly dealt with in hardware (trap
> on overflow for signed, trap on carry for unsigned), but not
> completely (sometimes you simply want the integers to wrap around and
> it's perfectly fine).
> 
> A high level language like Python can do a good job on the overflow
> side, but a low level language will have difficulites.  And the high
> level language eventually is implemented in the low level language,
> and some parts of the system have to use the low-level parts, so
> there's no way around having a low- level language that does at least
> the most important things right (buffers and stacks).

Good points though you _could_ do this (use specific HW features like
this) in C too, but you would have to use intrinsics and then work on
your code to make all dangerous uses of pointers, arrays etc use these
instead. And that will affect the compilation too.

But it is quite possible to take a core, for example OpenRISC (albeit it
has a fairly ugly ISA with delay slots etc) and add custom instructions,
rebuild the memory sub system (partitioning, W^X protection, specific
pointers, ...) to add security. Then, of course you need to modify the
SW system and the SW source code to use these functions. A lot of work
but doable and probably better than do a register based CPU core from
scratch.

Bernd has been working a long time with stack based processors and Forth
and building a custom Tor processor with a stack processor and forth
might also be possible.

- -- 
Med vänlig hälsning, Yours

Joachim Strömbergson - Alltid i harmonisk svängning.
========================================================================
 Joachim Strömbergson          Secworks AB          joachim at secworks.se
========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCAAGBQJT4hWqAAoJEF3cfFQkIuyNhYwP/1N0GgGmLWkDW127Yi/wvKG9
jLYwYkoF9OaX7b4fRCOzzvichmga+go/3a3NeMSg4KnSzHeEWXzXro6FcrH0nWbk
mcyfYP3+MIJkHTY6ZzZbRa8VMJvWh/2wvLkjCll71DWEoONrTTo7dx/w3oYjU9o3
4gs/mlZdbDGwfV+KwU1NoELqSr5MBu8Ye4y7+RQ40s6fKWsVXLauN18T906UsDZf
R09f+ylLKe66Ou98CIZXZsu04zmyeFbaNtAzFbMbbUoevT+Mee7IprCmXOx4tFgP
kKU//x0jDoyk+4gW8JyIDRjUljz5behBtW2/zZeMhz4a5WSU1TAdU3lJY4tIq9MV
rHAujmz+8GjLQ6xVXXxBELFMQF65lyUdgAw9FfYMa58o+WHK0FmALb/TkEonB1Z5
ebLFXLeR3adEzF7dt8572H3eKEP99ygL8e7HmBWGHCaObOWHYDvU5MPB8I35Y2OU
3gCD9noDHlblc6Pi1dDb386h9sQAm/00fmhV9sobDbaKzpv3CHKkxV8IEWjuxlZx
3LOwTBLXykuWCu4v83dAnRqfrznoldp/eJalhdPIffzAKrEc7mX2EQoiMRE/HFWh
NJ8209+OnPL2E7Uz06NKlV/6t0lUK2/DpSmJNsrVhRKPK1bfMt2Vf57ukso+lcV4
FnxpoivPHYkVUc+dqwuT
=FGSH
-----END PGP SIGNATURE-----


More information about the Tech mailing list