[Cryptography] [Crypto-practicum] Usable Security Based On Sufficient Endpoint-Specific Unpredictability

Ralf Senderek crypto at senderek.ie
Mon Oct 12 05:22:59 EDT 2015


On Sun, 11 Oct 2015 22:41:27 Ron Garret writes:

> Heartbleed didn’t work by malware obtaining root read access,
> it worked by taking advantage of a bug in some code running as root.
> The exploiting code wasn’t even running on the same machine.

Exactly. And that makes it the perfect example to show that for
a network attacker the disclosure of information he should never
be able to get read access to and running arbitrary code as UID 0
on the target machine is not the same thing and by no means
equivalent. This is all about a realistic threat model.

       --ralf
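
The distinction drawn above (a remote read disclosure versus running code as UID 0) is easy to see in code. The following is an added example, not from this thread or from OpenSSL: a constructed heartbeat echo whose only defect is the missing length check, beside the checked version, with a made-up "secret" placed in adjacent memory to show what the over-read returns. Nothing in the over-read executes; it only copies bytes the sender should never have been able to read.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a process heap: a 6-byte heartbeat record
 * (type, 2-byte length, 3-byte payload) followed by data the peer must
 * never see. SECRET is a made-up value, not one from the original post. */
#define REC_LEN 6
#define SECRET "SESSION-KEY-0123"
enum { ARENA_SIZE = 32 };

static void build_arena(unsigned char *mem, uint16_t claimed_len) {
    memset(mem, 0, ARENA_SIZE);
    mem[0] = 1;                              /* heartbeat_request */
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, "abc", 3);               /* payload actually sent */
    memcpy(mem + 8, SECRET, strlen(SECRET)); /* unrelated adjacent data */
}

/* Vulnerable echo: copies as many bytes as the sender claims, without
 * comparing that claim to the record actually received. Returns bytes echoed. */
size_t heartbeat_echo_unchecked(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                           /* the check that is missing */
    if (claimed > out_cap) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Hardened echo: the claimed payload must lie inside the received record. */
size_t heartbeat_echo_checked(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap) {
    if (rec_len < 3) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (claimed > rec_len - 3 || claimed > out_cap) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

typedef size_t (*echo_fn)(const unsigned char *, size_t, unsigned char *, size_t);

/* 1 if the reply to a record claiming 20 bytes (but carrying 3) contains
 * the adjacent secret, 0 otherwise. */
int echo_leaks_secret(echo_fn echo) {
    unsigned char mem[ARENA_SIZE], out[ARENA_SIZE];
    build_arena(mem, 20);
    size_t n = echo(mem, REC_LEN, out, sizeof out);
    /* Secret starts at mem+8; a 20-byte copy from mem+3 places it at out+5. */
    return n == 20 && memcmp(out + 5, SECRET, 15) == 0;
}
```

The unchecked variant hands back 15 bytes of the neighbouring secret; the checked variant refuses the record, and a record whose claimed length matches its payload is still echoed normally.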

