Open Source and information security mailing list archives
Date: Fri Jul 29 20:52:26 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Cisco IOS Shellcode Presentation 

On Fri, 29 Jul 2005 08:29:35 -1000, Jason Coombs said:

> Precisely. And Lynn pointed out that Cisco routers use general purpose 
> CPUs -- therefore Cisco's own engineers chose purposefully to build a 
> vulnerable device.

All von Neumann architecture processors are equally vulnerable in theory. About
all you can do is fix the boot loader and early kernel code to emulate a
Harvard architecture (basically, 2 separate memory spaces, one for instructions
and one for code, and never the twain shall meet).  At that point, things are a
little better.

However, both von Neumann and Harvard systems are Turing-complete, and therefore
have innate theoretical limits (see the Turing Halting Problem for details, and
Fred Cohen showed over 20 years ago that the detection of malware is a
Turing-equivalent problem).

Your only perfect defense here is implementing all of it in a custom ASIC,
which in itself is insane - if a logic or timing bug is found, you're looking
at having to do a hardware replacement rather than just downloading a new
software load.  You can cut some of the pain with an FPGA, but that's still a
whole different league than a software solution.

You think debugging a BGP wedgie(*) is tough now, remember that even IOS is
able to do a small amount of introspection and tell you what's going on. That's
almost impossible with an ASIC or FPGA based solution...

(*) Yes, it's really called that.  Google for 'BGP Wedgie' if you don't believe me. :)
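The "emulate a Harvard architecture" idea in the message above, as an added example that is not part of the original post or of the thread: on a von Neumann machine the usual software approximation is the W^X rule, i.e. no page is ever writable and executable at the same time. The C below was written for this edit; it (a) stages a code blob in a read-write mapping and only then flips it to read-execute with mprotect, and (b) audits a /proc/<pid>/maps listing for mappings that break the rule. The maps text is constructed sample data, the blob is a placeholder that is never executed, and the function names are my own, not from any router or kernel code base.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value; only needed under strict -std= builds */
#endif

/* Constructed sample in /proc/<pid>/maps format (not captured from a real host).
   Two of the six regions are mapped rwx, which is what the audit should flag. */
const char SAMPLE_MAPS[] =
    "55d1c0400000-55d1c0401000 r--p 00000000 08:01 1234 /usr/bin/demo\n"
    "55d1c0401000-55d1c0402000 r-xp 00001000 08:01 1234 /usr/bin/demo\n"
    "55d1c0402000-55d1c0403000 rw-p 00002000 08:01 1234 /usr/bin/demo\n"
    "55d1c1a00000-55d1c1a21000 rw-p 00000000 00:00 0 [heap]\n"
    "7f3a00000000-7f3a00100000 rwxp 00000000 00:00 0\n"
    "7ffd1e000000-7ffd1e021000 rwxp 00000000 00:00 0 [stack]\n";

/* Return 1 if a single maps line carries both 'w' and 'x' in its permission field. */
int line_is_wx(const char *line)
{
    unsigned long start, end;
    char perms[8];
    if (sscanf(line, "%lx-%lx %7s", &start, &end, perms) != 3)
        return 0;
    return strlen(perms) >= 3 && perms[1] == 'w' && perms[2] == 'x';
}

/* Count W+X mappings in a maps-format buffer, printing each offender. */
int count_wx_mappings(const char *maps)
{
    int n = 0;
    const char *p = maps;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)          /* perms sit near the start of the line, */
            len = sizeof line - 1;       /* so truncating a long path is harmless  */
        memcpy(line, p, len);
        line[len] = '\0';
        if (line_is_wx(line)) {
            n++;
            printf("W+X mapping: %s\n", line);
        }
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Publish a code blob without ever holding a page that is both writable and
   executable: map RW, copy the bytes in, then flip the page to RX.
   Returns 0 on success, -1 on failure. The blob is never called here; this
   only demonstrates the protection discipline. */
int publish_code_wx_safe(const unsigned char *code, size_t len)
{
    size_t pagesz = 4096;   /* fixed for the example; real code uses sysconf(_SC_PAGESIZE) */
    size_t maplen = (len + pagesz - 1) / pagesz * pagesz;
    void *region = mmap(NULL, maplen, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return -1;
    memcpy(region, code, len);                                  /* writable, not executable */
    if (mprotect(region, maplen, PROT_READ | PROT_EXEC) != 0) { /* executable, not writable */
        munmap(region, maplen);
        return -1;
    }
    munmap(region, maplen);
    return 0;
}

int main(void)
{
    static const unsigned char blob[] = { 0xc3 };   /* placeholder byte, never executed */

    printf("sample listing: %d W+X mappings\n", count_wx_mappings(SAMPLE_MAPS));
    printf("publish_code_wx_safe: %s\n",
           publish_code_wx_safe(blob, sizeof blob) == 0 ? "ok" : "failed");

    /* Audit the running process itself where /proc is available. */
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        static char buf[65536];
        size_t got = fread(buf, 1, sizeof buf - 1, f);
        buf[got] = '\0';
        fclose(f);
        printf("this process: %d W+X mappings\n", count_wx_mappings(buf));
    }
    return 0;
}
```

The audit half is the check a practitioner actually runs: any rwx region in a process (or, on an embedded image, any segment that is both writable and executable) is a place where the "two separate memory spaces" discipline has been abandoned and injected bytes can be run in place.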
