by Cesare Rocchi

It's not C, it's the API

“I’d like to order 10 pizzas.”

“We have dough just for 5 pizzas, so we are gonna send you 5 pizzas plus a bunch of private data about other users that ordered pizza tonight.”

This is, in a very simplified way, the flaw behind Heartbleed. XKCD explained it even better, in a slightly more technical way.

In my opinion the bug (which was introduced in this commit, if you are interested) is not simply due to the code. Sure, as suggested in this advisory, the way to fix it is to change the code by adding a bounds check, but what I see is a design flaw in the API. Notice that the client, when sending a heartbeat request, declares how long its payload is, and the server uses that declared length to size the reply it echoes back, without comparing it to how many bytes it actually received. Meg (the client in the XKCD strip) should never be able to specify the length of the response in the question.

When you call a 3rd party API exposed via HTTP you can ask “give me the last 10 posts of user X”, but implicitly you are asking “if there are fewer than 10 posts, give me those you have”. There is no server that, when there are fewer, pads the response up to 10 with someone else’s posts, unless the server guys are on drugs.
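To make the two previous paragraphs concrete, here is an added example (written for this page, not OpenSSL's code) of a toy heartbeat echo modelled on the RFC 6520 record layout: a type byte, a two-byte declared payload length, the payload, and at least 16 bytes of padding. It shows three handlers side by side: the vulnerable one that trusts the declared length, the advisory-style fix that bounds-checks it against the bytes actually received, and a server-sized variant that ignores the peer's number altogether, which is the API the post argues for. The `conn_t` struct, `make_request`, the `OTHER_USER_DATA` marker and the request contents are all constructed for the demo; the over-read is kept inside the simulated buffer so the program runs without crashing, whereas in a real process those bytes are whatever happens to sit on the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16   /* RFC 6520 requires at least 16 bytes of padding */
#define HB_HDR       3    /* 1 byte type + 2 bytes declared payload length */

/* Simulated receive buffer (constructed for this demo). The heartbeat
 * record occupies the first record_len bytes; what follows stands in for
 * memory belonging to other sessions, the "private data about other
 * users" of the pizza analogy. */
typedef struct {
    unsigned char buf[256];
    size_t record_len;
} conn_t;

/* Hypothetical marker standing in for another session's data. */
static const char OTHER_USER_DATA[] = "SESSION=other-user-cookie";

/* Build a heartbeat request carrying `payload` but claiming `declared_len`
 * payload bytes in its header, followed by the constructed secret. */
void make_request(conn_t *c, const char *payload, uint16_t declared_len) {
    size_t n = strlen(payload);
    if (n > 64) n = 64;                       /* keep everything inside buf */
    memset(c->buf, 0, sizeof c->buf);
    c->buf[0] = HB_REQUEST;
    c->buf[1] = (unsigned char)(declared_len >> 8);
    c->buf[2] = (unsigned char)(declared_len & 0xff);
    memcpy(c->buf + HB_HDR, payload, n);
    c->record_len = HB_HDR + n + HB_PADDING;  /* padding bytes stay zero */
    memcpy(c->buf + c->record_len, OTHER_USER_DATA, sizeof OTHER_USER_DATA - 1);
}

static uint16_t declared_length(const conn_t *c) {
    return (uint16_t)((c->buf[1] << 8) | c->buf[2]);
}

/* Write a response header, echo `n` payload bytes from the record, then
 * fresh padding. Returns the response length, or 0 if `out` is too small. */
static size_t build_response(const conn_t *c, size_t n,
                             unsigned char *out, size_t out_len) {
    if (HB_HDR + n + HB_PADDING > out_len) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(n >> 8);
    out[2] = (unsigned char)(n & 0xff);
    memcpy(out + HB_HDR, c->buf + HB_HDR, n);   /* over-reads when n is a lie */
    memset(out + HB_HDR + n, 0, HB_PADDING);
    return HB_HDR + n + HB_PADDING;
}

/* Vulnerable: the peer's declared length is used as-is, so the memcpy
 * above copies bytes that were never part of the record. */
size_t heartbeat_vulnerable(const conn_t *c, unsigned char *out, size_t out_len) {
    return build_response(c, declared_length(c), out, out_len);
}

/* Fixed the way the advisory does: discard the record if header, declared
 * payload and minimum padding add up to more than was actually received. */
size_t heartbeat_checked(const conn_t *c, unsigned char *out, size_t out_len) {
    if (c->record_len < HB_HDR + HB_PADDING) return 0;
    uint16_t declared = declared_length(c);
    if ((size_t)HB_HDR + declared + HB_PADDING > c->record_len) return 0;
    return build_response(c, declared, out, out_len);
}

/* The API the post argues for: the peer's number is ignored and the reply
 * is sized from what the server actually holds, like a server that returns
 * 5 posts when only 5 exist. */
size_t heartbeat_server_sized(const conn_t *c, unsigned char *out, size_t out_len) {
    if (c->record_len < HB_HDR + HB_PADDING) return 0;
    size_t actual = c->record_len - HB_HDR - HB_PADDING;
    return build_response(c, actual, out, out_len);
}

int main(void) {
    conn_t c;
    unsigned char out[256];
    make_request(&c, "pizza", 64);            /* 5 real bytes, 64 claimed */
    size_t n = heartbeat_vulnerable(&c, out, sizeof out);
    printf("vulnerable: %zu bytes, tail reads \"%.25s\"\n",
           n, (const char *)out + c.record_len);
    printf("checked:    %zu bytes\n", heartbeat_checked(&c, out, sizeof out));
    printf("sized:      %zu bytes\n", heartbeat_server_sized(&c, out, sizeof out));
    return 0;
}
```

With a request that says "pizza" but claims 64 bytes, the vulnerable handler returns 83 bytes whose tail is the other session's cookie, the checked handler returns 0 (the record is dropped), and the server-sized handler returns the 5 bytes it really received. Note that the fix and the redesign are not equivalent: the bounds check still lets a client choose any response size up to the record it sent, while the server-sized variant removes the field from the client's control entirely.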

There has been an interesting discussion between Brent Simmons and Mark Bernstein.

My argument is that bugs like Heartbleed should be prevented by a better design of the APIs, regardless of the programming language.

Hit me on Twitter; I’d really like to know your opinion.