Function to download debugger from website

Topics: Technical Issues
Aug 7, 2014 at 5:13 AM
Edited Aug 7, 2014 at 5:14 AM
Hi,
  1. Excellent work. I just want to ask a few specific questions.
  2. Firstly, have the observations regarding TrueCrypt brought up in the audit report at (https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf) been addressed?
  3. Secondly, in your code a function IsApplicationInstalled() tries to install a debugger from (http://www.idrix.fr/Root/MSDebug/dbg_x86_6.11.1.404.msi). Under what conditions does this occur, and why?
Coordinator
Aug 7, 2014 at 5:57 PM
Hi,

Actually, the reason that was behind the birth of VeraCrypt more than a year ago was our discovery of the weakness of the derivation algorithm. So this was fixed in VeraCrypt long before the audit started. We also fixed an issue in RIPEMD160 implementation that was not discovered by the audit.
Concerning the 3 other medium vulnerabilities, the one concerning memset was fixed and the two others are still on hold.
If you look at git history of the source code, you'll notice that we have been busy fixing many security issues in the source code that are described by the audit projects but that were found by running static code analysis tools.
That being said, we intend to take care of all the issues pointed out by the audit. For now, we are concentrating on making the MacOSX version available as soon as possible.

As for the debugger link, we replaced the original URL that was pointing to the TrueCrypt website with a URL on our website. This function tries to install the debugger if no debugger is detected and after asking the user for permission. Moreover, this function is only called if the user selects the menu "Help -> Analyze a System Crash".
I agree that this MSI can't be trusted: a better alternative would be to tell the user to install Microsoft Debugging Tools if we can't find a debugger.

Just a last remark: if the user uses the Configuration.xml file in portable mode, he can activate the detection of system crashes (by default it's deactivated), and in this case VeraCrypt will check whether any system crash happened in the 10 minutes before it was started; if so, it will ask the user if he wants to analyze the crash dump.

Thank you for raising these points and don't hesitate to share any comments or remarks.

Cheers,
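The point raised in this exchange, modelled as an added example that is not VeraCrypt's or TrueCrypt's own code: the original IsApplicationInstalled() flow falls back to fetching an MSI over plain HTTP and installing it, so whatever the server (or anyone on the network path) returns is what gets executed. The hardened flow below does what the coordinator proposes, using an installed debugger if one is found and otherwise telling the user to install Microsoft Debugging Tools, and adds one extra step of my own: if a download path is kept at all, the installer is only run when its SHA-256 matches a digest pinned at build time. Everything here is hypothetical: the function names, the debugger binary names searched for, the search directories, and the "pinned" digest, which is computed over constructed bytes rather than any real installer.

```python
"""Debugger lookup and installer trust decision (illustrative, not the project's code)."""
import hashlib
import hmac
import os
from typing import Callable, Optional, Sequence, Tuple

# Debugger executables to look for. Assumed names for this example; the post
# does not say which binaries the real check looks for.
DEBUGGER_CANDIDATES = ("cdb.exe", "windbg.exe")

# Constructed stand-in for installer bytes. A real build would pin the digest of
# the exact MSI it intends to install; this is NOT the digest of any real file.
CONSTRUCTED_INSTALLER = b"constructed MSI bytes for the example"
PINNED_SHA256 = hashlib.sha256(CONSTRUCTED_INSTALLER).hexdigest()

Action = Tuple[str, Optional[object]]


def find_installed_debugger(search_dirs: Sequence[str],
                            exists: Callable[[str], bool] = os.path.isfile) -> Optional[str]:
    """Return the path of the first debugger found in search_dirs, or None.

    `exists` is injectable so the logic can be exercised without touching the
    real filesystem.
    """
    for directory in search_dirs:
        for name in DEBUGGER_CANDIDATES:
            path = os.path.join(directory, name)
            if exists(path):
                return path
    return None


def installer_is_trusted(data: bytes, pinned_sha256: str) -> bool:
    """Accept a downloaded installer only if its SHA-256 equals the pinned digest."""
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison; cheap insurance even though the digest is not a secret.
    return hmac.compare_digest(actual, pinned_sha256)


def unsafe_choose_action(search_dirs: Sequence[str],
                         exists: Callable[[str], bool],
                         fetch: Callable[[], bytes]) -> Action:
    """The pattern under discussion: no debugger found -> download an MSI and install it.

    Nothing validates the bytes that come back, so a tampered response is installed
    exactly like a genuine one.
    """
    found = find_installed_debugger(search_dirs, exists)
    if found:
        return ("run", found)
    return ("install", fetch())


def safe_choose_action(search_dirs: Sequence[str],
                       exists: Callable[[str], bool],
                       fetch: Optional[Callable[[], bytes]] = None,
                       pinned_sha256: str = PINNED_SHA256) -> Action:
    """Hardened decision flow.

    1. Use an installed debugger if there is one.
    2. Otherwise, with no download path configured, tell the user to install
       Microsoft Debugging Tools themselves (the coordinator's suggestion).
    3. If a download path is kept, install only bytes whose digest matches the
       pinned one; anything else is rejected rather than executed.
    """
    found = find_installed_debugger(search_dirs, exists)
    if found:
        return ("run", found)
    if fetch is None:
        return ("ask-user-to-install", None)
    data = fetch()
    if installer_is_trusted(data, pinned_sha256):
        return ("install-verified", data)
    return ("reject-untrusted-installer", None)


if __name__ == "__main__":
    nothing_installed = lambda path: False
    tampered = lambda: b"not the installer that was pinned"
    print("unsafe:", unsafe_choose_action(["/tools"], nothing_installed, tampered)[0])
    print("safe, no download:", safe_choose_action(["/tools"], nothing_installed)[0])
    print("safe, tampered:", safe_choose_action(["/tools"], nothing_installed, tampered)[0])
```

Pinning a digest only helps if the digest is baked into the signed binary rather than fetched from the same HTTP host as the MSI; otherwise an attacker who can swap the installer can swap the digest too. That is why the "ask the user to install it" branch is the default here and the verified download is opt-in.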