Re: [Chicken-hackers] On Hash Collisions (28C3)
From: Alan Post
Subject: Re: [Chicken-hackers] On Hash Collisions (28C3)
Date: Sun, 1 Jan 2012 10:57:33 -0700
On Sun, Jan 01, 2012 at 04:36:41PM +0100, Peter Bex wrote:
> On Sun, Jan 01, 2012 at 10:29:18AM -0500, John Cowan wrote:
> > Peter Bex scripsit:
> >
> > > Yes, and doing it in *every* *freaking* program. Including
> > > third-party libraries written long ago or by people assuming a sane
> > > srfi-69 implementation (or more likely, not having thought about it).
> >
> > Not at all. Only fixing programs that are exposed to potentially
> > malicious data, like HTTP request parameters.
>
> New attack vectors are discovered all the time. It's hard to predict in
> advance how someone is going to be able to abuse any given program.
> Again, it's better to fix it at the root (the library) than in each
> application.
>
The OpenBSD team made that same assumption: they don't know what
the attack vector is, so they'll fix insecure patterns. I think
by this point they've proven that interesting attack vectors do
emerge and that you can benefit from proactively addressing them.
-Alan
--
.i ma'a lo bradi cu penmi gi'e du