In the wake of a recent unexpected iOS update, researchers quickly discovered that the major flaw Apple intended to fix with the patch was a problem inherent to the company’s entire SecureTransport platform, not just iOS. The platform has been present in mobile going back to iOS 6, and the flaw also affects a number of desktop applications on OS X 10.9, The Verge noted on Feb. 24. The OS X version of the flaw remained unpatched as of that report, and software security experts were warning that exploits were already in the wild. Several researchers attempted to dissect the bug, determine its source and question how it had gone unnoticed, suggesting that testing or code review should have been able to catch what appeared to be a routine error.
Understanding the bug
The flaw occurred in a section of SecureTransport, which is used to handle SSL connections. It prevents the code from properly checking SSL certificates, meaning that anyone could perform an attack spoofing a secure website and potentially stealing information. The error stems from the fact that the instruction “goto fail” appears twice back-to-back. The first is part of an “if” statement, but the second isn’t conditional, which means that the code will always jump to the end from the second statement and “the signature verification will never fail,” researcher Adam Langley, who works for Google, noted in a blog post.
As other researchers noted, there are no situations in which two “goto” statements back-to-back would make any sense, suggesting that the error was either an accident – perhaps a problem with cutting and pasting – or a deliberate backdoor. Columbia University professor Steven Bellovin noted that, in fact, the compiler should have caught the error, although Cryptocat’s Nadim Kobeissi explained that the potentially less efficient design decision to use a series of “if” statements instead of “else if” statements made it possible for the error to slip past the compiler.
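The control-flow shape described above, reduced to a constructed stand-in (added example, not Apple's SecureTransport code): the hash and signature helpers are hypothetical, but the duplicated unconditional “goto fail” and the unbraced “if” bodies reproduce why the verification step is skipped and why a braced rewrite closes the gap.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the handshake steps (hypothetical, not
   SecureTransport's real code). Return 0 on success, non-zero on failure,
   the same convention the real OSStatus-returning calls use. */
static int hash_update(const char *part) { return part != NULL ? 0 : -1; }

/* The check that matters: 0 only when the transcript matches the
   signature the peer presented. Toy comparison, constructed. */
static int verify_signature(const char *transcript, const char *sig) {
    return strcmp(transcript, sig) == 0 ? 0 : -1;
}

/* Vulnerable shape: the second goto has no condition, so the signature
   check below it can never run (a coverage report shows it at 0 hits,
   and clang's -Wunreachable-code flags it). err is still 0 from the
   successful hash step, so the caller sees "verified". */
int verify_vulnerable(const char *transcript, const char *sig) {
    int err;
    if ((err = hash_update(transcript)) != 0)
        goto fail;
        goto fail;   /* duplicated line: taken unconditionally */
    if ((err = verify_signature(transcript, sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: every if body braced, so an extra line cannot silently
   detach from its condition, and verify_signature always runs. */
int verify_fixed(const char *transcript, const char *sig) {
    int err;
    if ((err = hash_update(transcript)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(transcript, sig)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    /* Constructed inputs: a forged signature that must be rejected. */
    printf("vulnerable: %d (0 = accepted)\n", verify_vulnerable("hello", "forged"));
    printf("fixed:      %d (non-zero = rejected)\n", verify_fixed("hello", "forged"));
    return 0;
}
```

Running it shows the vulnerable version returning 0 (accepted) for a forged signature while the braced version rejects it; a coverage run of the vulnerable function reports the verify_signature line as never executed.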
“Generally, when there is a security bug in a piece of code, it is the case that the programmer wrote the bug falsely thinking that they were contributing something positive to the code (this is what happens every time I am the source of a security vulnerability),” Kobeissi wrote before explaining that there was no logical explanation for the mistake other than an accident.
What is the effect?
Security experts such as CloudFlare’s Nick Sullivan quickly noted that man-in-the-middle attacks were already occurring in the wild. Since the error affects the underlying Apple SSL framework, OS X applications such as Safari, Calendar, Mail, FaceTime and Twitter are all affected, according to researcher Ashkan Soltani, who called the exploit “one of the most significant security vulnerabilities from a major company we’ve seen in a while,” in part because of the large user base affected. However, the practical impact of the flaw is considerably diminished by the fact that an attacker would most likely have to be within Wi-Fi distance of a target to take advantage of the SSL connection issue, The Verge reported.
“Man-in-the-middle attacks aren’t that easy to launch, and they don’t scale well,” Bellovin told the publication, which nonetheless advised readers to avoid public Wi-Fi for the time being.
How did the error happen?
Although ideally the error should have been caught by a compiler, both Langley and Kobeissi noted that this was not the case and that, given the way the line is buried in the code, the compiler’s failure to catch it is not entirely surprising. Nonetheless, code review or testing procedures might have caught the bug. Bellovin suggested that a code coverage report should have revealed that the code after the second “goto fail” never ran in tests, signaling an error, although he also pointed out that the complexity of the code could have made it easy to overlook such problems. This type of issue is often best caught with code review, Langley suggested.
“Code review can be effective against these sorts of bug,” he wrote. “Not just auditing, but review of each change as it goes in. I’ve no idea what the code review culture is like at Apple but I strongly believe that my colleagues … would have caught it had I slipped up like this.”
The real problem, though, may be a deeper systemic one that can plague any company with a massive code base that has endured several generations of changes, The Verge noted. One Apple insider told the publication that the OS X security framework has been adapted many times over various product cycles, which means that the focus was likely on other features, leaving SecureTransport largely untouched. Given the scale of Apple’s operation, even a bug with a relatively simple fix could easily elude detection – a problem other companies might need to consider.
“Out of all the million lines of code we run every day, this one happened to be printed twice, leading to a cascading failure through millions of machines,” The Verge’s Russell Brandom wrote. “For years, no one even noticed. As ecosystems get larger and more powerful, these failures are possible on an unprecedented scale. This time it happened to Apple, but it’s easy to imagine a similar bug slipping in at Google or Microsoft, and security engineers would have to hope that their auditing and reporting systems are good enough to catch it.”
While scale and complexity will always be challenges in catching such errors, companies can turn to tools designed to help with peer code review or static analysis. With additional source code analysis checks, the likelihood of catching an error like a single repeated line of code, the kind that spurs a major software security news story, becomes substantially higher.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.