[Cryptography] "NSA-linked Cisco exploit poses bigger threat than previously thought"

alex at alten.org alex at alten.org
Wed Aug 24 03:20:08 EDT 2016


Quoting Peter Gutmann <pgut001 at cs.auckland.ac.nz>:

> Jerry Leichter <leichter at lrw.com> writes:
>
>> We've had safe programming languages for quite some time, but this kind of
>> code continues to be written in C.
>
> There's also the other problem, inspired by Ed Post's comment that "the
> determined Real Programmer can write FORTRAN programs in any language".  You
> can write insecure code in any language, it's just that C is everywhere, and
> in particular in mission-critical areas, so the problems are more visible.
> Look at Java for example, no buffer overflows and no pointers so it's got to
> be totally secure.  No-one has ever found an exploit involving Java, have
> they?
>

And OpenStack is written using Python and AWS is probably using Java.

Lately I've been deep diving into the intricacies of ROP exploits of x86/x86_64
OSes that can sidestep ASLR, no-execute stacks and heap pages, stack canaries,
etc.  My current work is to improve our security posture with ASA/Palo Alto/
Juniper firewalls, which is daunting given this latest news.

Sadly the newest ARM-based OSes will be like Intel circa 2007, basically wide
open for exploitation. So there go smart phones, IoT appliances, cars, etc.

How the hell can we protect even simple things like crypto keys or PRNGs
in the face of this onslaught?

All very depressing from a defense point of view.

- Alex



