[dns-operations] Robert Graham - A Quick Review of the BIND9 Code.
Mukund Sivaraman
muks at isc.org
Thu Jul 30 18:12:33 UTC 2015
On Thu, Jul 30, 2015 at 10:43:02AM -0700, Paul Vixie wrote:
> he's completely wrong about turning off assertions in
> production-compiled code, and in his comments about the performance
> requirements.

The recent CVEs have been about assertions we've been hitting in
production uses. Though we have decent test coverage and are
continuously adding more tests, even code that is covered isn't
exercised in every way it can be in production because of the numerous
behavioral states that can exist reacting to network conditions.
Such assertion failures show that they are required, but some are just
programming bugs which can exist in any codebase that changes over time.

Paul likely knows this, but for the sake of others: The assertions in
BIND 9 are mostly of two kinds, REQUIRE() and INSIST(). REQUIRE()s are a
design-by-contract style assertion that require some preconditions to
exist when calling into a function.

When an assertion fails, the process dies, but this design-by-contract
method has saved our skin from worse conditions in all these recent
vulnerabilities. named does an abort that it controls, and there is no
chance of privilege escalation or remote code execution. This is vastly
better than not having the assertions.

There is some discussion internally of changing _some_ things from
assertions to code that recovers, such as out of memory conditions so
that named continues in the face of trouble. But this is being argued
both ways, so it's unlikely to be changed.

C code is like a controlled nuclear reactor. We know how to control it
well, and it's necessary to have it in C for many reasons (let's not
even begin that flamewar), but rarely, things fall over and get fixed
very quickly. We have a managed security process, there's a decent
programming team behind BIND and it's continually improved and
maintained.

See what this survey says about BIND vs. other "high-impact" network
services:
https://github.com/linuxfoundation/cii-census/raw/master/OSS-2015-06-19.pdf

Mukund
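Added illustration (not part of the mail, and not BIND 9's own isc/assertions.h or any BIND code) of the REQUIRE()/INSIST() distinction Mukund draws, and of the "recover instead of assert" alternative for out-of-memory that the mail mentions. The macro names, the buf_t type, the abort/recording handler hook and the sample calls are all constructed for this example. REQUIRE() guards what the caller promised, INSIST() guards the function's own invariant, and a violation reaches a handler whose production behaviour is a controlled abort; malformed input and allocation failure are treated as ordinary recoverable errors instead.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed design-by-contract assertion scheme (NOT BIND's macros). */
typedef void (*assert_handler_t)(const char *kind, const char *cond,
                                 const char *file, int line);

/* Production behaviour: report and abort. The process dies in a state it
 * chose, before a violated contract can turn into memory corruption. */
static void abort_handler(const char *kind, const char *cond,
                          const char *file, int line)
{
    fprintf(stderr, "%s:%d: %s(%s) failed, aborting\n", file, line, kind, cond);
    abort();
}

static assert_handler_t assert_handler = abort_handler;

#define REQUIRE(c) \
    do { if (!(c)) assert_handler("REQUIRE", #c, __FILE__, __LINE__); } while (0)
#define INSIST(c) \
    do { if (!(c)) assert_handler("INSIST", #c, __FILE__, __LINE__); } while (0)

/* Fixed-capacity byte buffer that the contracts protect. */
typedef struct {
    unsigned char *data;
    size_t capacity;
    size_t used;
} buf_t;

/* Out-of-memory handled the "recovering" way: return NULL, caller decides. */
buf_t *buf_create(size_t capacity)
{
    buf_t *b = malloc(sizeof(*b));
    if (b == NULL)
        return NULL;
    b->data = malloc(capacity);
    if (b->data == NULL) {
        free(b);
        return NULL;
    }
    b->capacity = capacity;
    b->used = 0;
    return b;
}

void buf_destroy(buf_t *b)
{
    REQUIRE(b != NULL);
    free(b->data);
    free(b);
}

/* 0 on success; -1 when the input does not fit. Oversized input is an
 * expected condition from the network, so it is an error return, not an
 * assertion. */
int buf_append(buf_t *b, const unsigned char *src, size_t len)
{
    REQUIRE(b != NULL);                 /* caller's side of the contract */
    REQUIRE(src != NULL || len == 0);
    INSIST(b->used <= b->capacity);     /* our own invariant on entry */

    if (len > b->capacity - b->used)
        return -1;
    memcpy(b->data + b->used, src, len);
    b->used += len;

    INSIST(b->used <= b->capacity);     /* invariant still holds on exit */
    return 0;
}

/* Demonstration hook: record the violation and unwind instead of aborting,
 * so a caller can observe that a contract fired. Production keeps abort. */
static jmp_buf recover_point;

static void recording_handler(const char *kind, const char *cond,
                              const char *file, int line)
{
    (void)kind; (void)cond; (void)file; (void)line;
    longjmp(recover_point, 1);
}

/* Runs fn under the recording handler; returns 1 if a REQUIRE/INSIST
 * fired inside fn, 0 if fn completed normally. */
int contract_fires(void (*fn)(void))
{
    assert_handler_t saved = assert_handler;
    int fired = 0;
    assert_handler = recording_handler;
    if (setjmp(recover_point) == 0)
        fn();
    else
        fired = 1;
    assert_handler = saved;
    return fired;
}

static void call_with_null_buffer(void)
{
    unsigned char byte = 0x41;
    buf_append(NULL, &byte, 1);         /* violates REQUIRE(b != NULL) */
}

static void call_within_contract(void)
{
    buf_t *b = buf_create(2);
    if (b == NULL)
        return;
    buf_append(b, (const unsigned char *)"ok", 2);
    buf_destroy(b);
}

int main(void)
{
    buf_t *b = buf_create(4);
    if (b == NULL)
        return 1;
    printf("append 3 bytes: %d\n", buf_append(b, (const unsigned char *)"abc", 3));
    printf("append 2 more, does not fit: %d\n", buf_append(b, (const unsigned char *)"de", 2));
    printf("NULL buffer trips REQUIRE: %d\n", contract_fires(call_with_null_buffer));
    printf("well-behaved caller: %d\n", contract_fires(call_within_contract));
    buf_destroy(b);
    return 0;
}
```

The split is the point of the mail: a contract violation means the program itself is wrong and there is no state worth continuing from, so the handler aborts; a too-large packet or a failed malloc is an environmental condition, so it is returned to the caller. The recording handler exists only so the firing can be observed in a test; it is not a suggestion for production builds.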