Underhanded Implementation of RC4
A runner-up in last year’s Underhanded C Contest was a flawed implementation of RC4 that eventually just passed plaintext through unencrypted. Plausibly deniable, and very clever.
The other winners are also clever.
Clive Robinson • June 20, 2008 8:38 AM
Not the only way to be underhanded with RC4 or any other stream cipher and coding review bosses that do not know much about being sneaky ;)
I once wrote a stream cipher system that leaked the key in the parity bit of an ASCII octet.
The main trick involved using a minor problem with most C compilers' libs, in that when you get memory for a buffer it almost never gets cleared before or after use.
So if you have a sub in which you create a buffer to get/build the “key” in, then before returning you free the buffer, all looks well to most code reviewers…
However, in most C compilers the lib implementation for memory heap handling does not affect the memory contents (efficiency strikes at security again ;)
Therefore the original buffer contents stay in memory (heap) until the programmer either makes a mistake (freed memory reuse) or requests another piece of memory that is the same size or less than the original buffer size.
Therefore (easiest way) if you then ask for exactly the same amount of memory you get handed the same block of memory back with its contents unmodified.
Which means that as the original buffer held the “key” you have just passed it off by “sleight of hand” into another unrelated buffer (Oops 8)
The hard part was coming up with a convincing argument to modify the parity bit “randomly” that the code boss would swallow without question (hint: show them lots of stuff on breaking LRNGs by examining the output and pointing out that the parity bit effectively is known output from the stream generator)
Oh, the reason for using the parity bit: most coders never check it, they just mask it off, therefore even when leaking the key it remained compatible with an older existing implementation (regression testing can be a malware coder's friend)…
The whole point of the exercise was to show to another party that, unlike the coding boss's assertion, proper “security reviews” were not the same as “code reviews” and one heck of a sight more important.
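For reviewers, the check that follows from the comment above is whether a key buffer is scrubbed before it goes back to the heap. The sketch below is an added example, not code from the post, the contest entry or the commenter: `secure_wipe`, `secure_free`, `key_residue_at_free` and the sample key bytes are constructed for illustration. It measures how much key material a block still holds at the moment it would be released, with and without a wipe the compiler cannot elide.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 16

/* Constructed sample key; every byte is non-zero so residue is easy to count. */
static const unsigned char key[KEY_LEN] = {
    0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6, 0x17, 0x28,
    0x39, 0x4A, 0x5B, 0x6C, 0x7D, 0x8E, 0x9F, 0x10 };

/* Wipe through a volatile pointer: a plain memset() directly before free()
 * is a dead store that an optimising compiler is allowed to remove. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Hypothetical helper: scrub, then release. */
static void secure_free(void *p, size_t n)
{
    if (p == NULL)
        return;
    secure_wipe(p, n);
    free(p);
}

/* Build the key in a heap buffer and count the key bytes still present at
 * the point the block would be handed back to the allocator. That residue is
 * what a later same-size malloc() may receive. Returns -1 if malloc fails. */
static int key_residue_at_free(int wipe_first)
{
    unsigned char *buf = malloc(KEY_LEN);
    int residue = 0;

    if (buf == NULL)
        return -1;
    memcpy(buf, key, KEY_LEN);
    if (wipe_first)
        secure_wipe(buf, KEY_LEN);
    for (size_t i = 0; i < KEY_LEN; i++)   /* inspected before free: no UB */
        residue += (buf[i] == key[i]);
    secure_free(buf, KEY_LEN);             /* the demo itself leaves nothing */
    return residue;
}

int main(void)
{
    printf("key bytes left without wipe: %d\n", key_residue_at_free(0));
    printf("key bytes left with wipe:    %d\n", key_residue_at_free(1));
    return 0;
}
```

Where the platform provides one, a vetted primitive such as `explicit_bzero`, `memset_s` or `SecureZeroMemory` can replace the hand-written loop; on the receiving side, allocating with `calloc` keeps recycled contents out of a new buffer.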