Flaws in OpenSSL FIPS Object Module
Ed Gerck
edgerck at nma.com
Fri Dec 7 13:15:50 EST 2007
Peter Gutmann wrote:
> While it's possible to say "There's something we noticed
> here in the source code that requires the software to be ejected from the
> train", it's a bit harder to say "We spent three months reverse-engineering
> someone else's proprietary protected intellectual property and think we may
> have found something".
Peter cites an important difference. You may be able to see but you can't tell.
However, one can still easily reverse-engineer to find the vulnerability
and then present an exploit saying "There's something we noticed here when
the code is executed with this input...".
The conclusion holds that closed-source is now less of a reasonable argument
in terms of /protecting/ source code.
Software-as-a-Service (SaaS), though, would still work in terms of
protecting source code, as all you have is a "service oracle" that
does not necessarily reveal code details or flaws. SaaS could be supplied
remotely or locally, with a secure processor card or secure USB-processor.
Cheers,
Ed Gerck
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com