
Devs Working To Stop Go Math Error Bugging Crypto Software (theregister.co.uk) 73

Richard Chirgwin, writing for The Register: Consider this an item for the watch-list, rather than a reason to hit the panic button: a math error in the Go language could potentially affect cryptographic libraries. Security researcher Guido Vranken (who earlier this year fuzzed up some bugs in OpenVPN) found an exponentiation error in the Go math/big package. Big numbers -- particularly big primes -- are the foundation of cryptography. Vranken posted to the oss-sec mailing list that he found the potential issue during testing of a fuzzer he wrote that "compares the results of mathematical operations (addition, subtraction, multiplication, ...) across multiple bignum libraries." Vranken and Go developer Russ Cox agreed that the bug needs specific conditions to be manifest: "it only affects the case e = 1 with m != nil and a pre-allocated non-zero receiver."
This discussion has been archived. No new comments can be posted.
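The condition quoted in the summary (e = 1, m != nil, pre-allocated non-zero receiver) is the kind of case a cross-implementation comparison is built to catch. The following is an added example, not code from the article, Vranken's fuzzer or the Go project: it runs math/big's Exp into a stale receiver and compares the result with an independent square-and-multiply reference. The names refExp, CheckExp and Mismatches are hypothetical and all inputs are constructed.

```go
package main

import (
	"fmt"
	"math/big"
	"math/rand"
)

// refExp is an independent reference (hypothetical helper): right-to-left
// square-and-multiply built only from Mul and Mod, never calling Exp.
func refExp(x, e, m *big.Int) *big.Int {
	result := big.NewInt(1)
	base := new(big.Int).Mod(x, m)
	for i := 0; i < e.BitLen(); i++ {
		if e.Bit(i) == 1 {
			result.Mod(result.Mul(result, base), m)
		}
		base.Mod(base.Mul(base, base), m)
	}
	return result.Mod(result, m)
}

// CheckExp calls Exp on a pre-allocated, non-zero receiver (the condition
// named in the report) and reports whether it agrees with the reference.
func CheckExp(x, e, m *big.Int) bool {
	recv := new(big.Int).Lsh(big.NewInt(0x5a5a), 512) // constructed stale value
	recv.Exp(x, e, m)
	return recv.Cmp(refExp(x, e, m)) == 0
}

// Mismatches runs n seeded trials; e is drawn from 0..3 so e = 1 is hit often.
func Mismatches(seed int64, n int) int {
	rng := rand.New(rand.NewSource(seed))
	bad := 0
	for i := 0; i < n; i++ {
		x := new(big.Int).Rand(rng, new(big.Int).Lsh(big.NewInt(1), 256))
		m := new(big.Int).Rand(rng, new(big.Int).Lsh(big.NewInt(1), 128))
		m.Add(m, big.NewInt(2)) // keep m >= 2 so m is a valid modulus
		e := big.NewInt(int64(rng.Intn(4)))
		if !CheckExp(x, e, m) {
			bad++
		}
	}
	return bad
}

func main() {
	fmt.Println("mismatches:", Mismatches(1, 2000))
}
```

A non-zero count means the library and the reference disagree on at least one input, which is the signal a differential fuzzer reports.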

  • Very slim edge case (Score:1, Interesting)

    by Anonymous Coward
    The possibility of this manifesting in any meaningful way is about the same as Trump being elected to another term. In other words... move on, nothin' to see here.
    • Re: (Score:2, Insightful)

      A few months ago you would've said "The possibility [...] is about the same as Trump being elected." but it happened! Even if chances are low, it can still happen!

      • Ranges for Trump's election were 2-33 percent a year and a month ago.

        I hope that's not the odds of this bug coming up, that seems quite high.

        I'd actually put reelection at 25% personally.

        • by ShanghaiBill ( 739463 ) on Thursday November 23, 2017 @05:14PM (#55612607)

          I'd actually put reelection at 25% personally.

          I give him 50%. He is unpopular, and the election is the Democrats' to lose, but the Dems have an immense capacity for squandering opportunities and self-destructing. If they nominate someone like Elizabeth Warren or Chuck Schumer, I don't see how they are going to carry a single southern state (maybe Virginia), or win much of the Midwest. They can't win with just the coasts. They have to flip either Pennsylvania or Florida. If they can flip both, they win. Otherwise they also need to flip either Michigan or Wisconsin. That will be very hard with a coastal lefty, and there are few moderate Democrats with national stature.

          • I think the opportunities to flip these states are there. By then those Trump fans in these states are still waiting for America to become great again and getting their mining or stamping plant jobs back that Reaganomics killed in the 80s. I do agree that the Democrats in their current constellation have the unique quality to screw this up.
      • by gtall ( 79522 )

        Shit happens.

    • by Anonymous Coward on Thursday November 23, 2017 @03:50PM (#55612189)

      Congrats, you've managed to bring up Trump in a completely unrelated article. You guys are worse than Hitler.

      • That's literally what Slashdot has been since the election. Just a competition to see who can shoehorn the president into today's unrelated topic.

        It's really quite pathetic. But it shouldn't be surprising when you realize all the industry experts have left Slashdot and moved to Hacker News.

        No more John Carmack. No more Walter Bright (creator of D and dozens of compilers). They're all gone because the SNR of this site has gone from good, to parody.

      • by gtall ( 79522 )

        Really? Hitler whacked millions. Okay youse guys, how many have you whacked so we can run the numbers and get this Hitler accusation decided.

      • But Hitler has something to do with it? Politically and ideologically Trump and Hitler are the same. So what's your point? Cue the cricket sound.... That aside, sure, Trump has nothing to do with Go (as long as Go exclusively generates results that match Trump's alternate reality), but the commenter used it as an example. He should have picked something else, like the US qualifying for the World Cup.
    • by 93 Escort Wagon ( 326346 ) on Thursday November 23, 2017 @04:01PM (#55612251)

      I remember, years ago, hearing pretty much that same argument (excepting the Trump reference) when the first jpeg executable exploit was discovered.

      Once a flaw is known, it is a mistake to assume clever people won’t find a clever way to practically leverage it - no matter how obscure it seems at first glance.

    • by Anonymous Coward

      Trump is actually projected to win, so greater than 50%?

    • Re: (Score:3, Funny)

      Ain't karma a bitch?
      You laughed at us Iranians when we got ahmadi-nejad, TWICE. Who's laughing now?
    • Some other candidate: It only affects the case e = 1 with m != nil and a pre-allocated non-zero receiver.
      Trump: Did'ya understand any of that? [laughter] Who needs that? […] Me neither! [cheer and applause]

      Boom elected!

    • Same was said about the total disaster of a president: Reagan. Massive deficit spending, double digit unemployment, tax cuts only for the rich, almost starting a nuclear war...and yet he easily won a second term. We are at a point where either end of the spectrum rather votes for a groper and child molester as long as the candidate of the other side doesn't get in. As far as Go is concerned...how many more buggy and convoluted programming languages do we need? I'm not saying let's all go back and code excl
  • by Anonymous Coward

    Fuck you old people don't know your shit. Young rockstar coders need to reinvent your dinosaur wheels because you fucking suck.

    Lol whut r codez iz bugged?!!

  • by sconeu ( 64226 ) on Thursday November 23, 2017 @04:14PM (#55612309) Homepage Journal

    You have composed what may be the world's most incomprehensible headline!

    • by djbckr ( 673156 )

      You have composed what may be the world's most incomprehensible headline!

      Actually, he just copied the headline straight from the article (yes, I read it).

    • by Threni ( 635302 )

      Working to stop go...got it.

  • So why is this a Go only problem and not one across all languages?
    • Because only Go uses the Go math/big package, and the issue is with how the math is done in that package?

      • Except all libraries are derived from earlier work done in the computing field all the way back to when they had to wire computers manually and before that pen and paper.
        • by Anonymous Coward

          So why is this a Go only problem and not one across all languages?

          *snip*

          Except all libraries are derived from earlier work done in the computing field all the way back to when they had to wire computers manually and before that pen and paper.

          Remember kids, when you derive a new library for a new language, you still need to be capable of counting up to at least the same number as the old libraries can.

          Go just can't count that high and gives up trying when it gets just one number away from the finish line.

          From the article:
          Vranken and Go developer Russ Cox agreed that the bug needs specific conditions to be manifest: "it only affects the case e = 1 with m != nil and a pre-allocated non-zero receiver."
          That's expanded in the post, by way of ex

        • It isn't a flaw in math dumbshit. It's a flaw in the implementation.
    • Better question: Why are you on Slashdot when you could be reading Digg right now?
  • by swell ( 195815 ) <jabberwock@poetic.com> on Thursday November 23, 2017 @05:05PM (#55612565)

    Will someone pull Slashdot out of the Dark Ages?

    There was a time when it made (commercial) sense to capitalize every word in a headline. Yes, it made money for the hawkers of early newspapers. Big noisy obnoxious headlines made the news sound exciting and motivated people to spend a penny or a nickel.

    How does this mess of a headline make money for Slashdot? How does it make the headline readable? Exactly what are the benefits of this abuse of the language in the age of the internet?

    Wake up Slashdot. Look around- many publishers aren't living in the Dark Ages any more.

  • by mveloso ( 325617 ) on Thursday November 23, 2017 @10:11PM (#55613583)

    It behooves them to look deeper, because it's always unclear whether those bugs are intentional or not. The more preconditions there are the more likely the issue wasn't organic.

    • by Anonymous Coward

      Where there are no bugs, they're just hiding better. Works on real insects as well.

    • The more preconditions there are the more likely the issue wasn't organic.

      That may sound plausible if you've never looked at security issues; but if you actually look at the bugs behind security issues in more depth, it becomes obvious that such "lots of conditions need to be met" is pretty natural.

      In a well-reviewed and well-tested project (as Golang's math library certainly is), the "obvious stupid" bugs were caught and fixed in review or testing. So the kinds of bugs that manage to slip past this filte

    • I don't know where you learned to write software (if you did), but more conditions of any kind means more bugs are likely.
