Message-ID: <Pine.NEB.4.64.0612200239420.27405@panix3.panix.com>
Date: Wed, 20 Dec 2006 02:39:56 -0500 (EST)
From: Jay Sulzberger <jays@...ix.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Discuss-gnuradio] VT receives NSF grant for
	SDR security (fwd)



---------- Forwarded message ----------
  Date: Tue, 19 Dec 2006 10:24:44 -0500
  From: David P. Reed <dpreed@...d.com>
  To: discuss-gnuradio@....org
  Subject: Re: [Discuss-gnuradio] VT receives NSF grant for SDR security

  Greg - I think the concept of "software defined radio" being explored by the VT
  folks is a concept I personally refer to as "crippled software radio".

  It is based on a discredited theory of "security" that was called a "secure
  kernel" when I was a student 30 years ago.  In other words - that there is a
  small, well-defined portion of a system that can be certified separately from
  the rest of the system, which has the essential property that its *correct*
  operation *guarantees* that the entire system will be secure according to *all
  possible interpretations* of the word secure.

  I worked on a project of this sort, and am currently ashamed that I helped
  perpetuate that charade.   I can only say that many others helped - it funded
  lots of work on "proving programs correct" - on the theory that it was feasible
  to prove small programs correct, and thus whole systems "secure".

  The big lie, of course, is that the researchers essentially redefined the word
  "secure" to mean the trivial notion of security that you couldn't compromise
  the "kernel".   Of course today we stare the fraudulence of that idea in the
  face: phishing, XSS, and other very dangerous attacks do not depend one whit on
  a failure to secure a "kernel" of the operating system, or even the "kernel" of
  a router.

  Yet the idea that incorrectness is the same thing as insecurity persists in
  such ideas as the idea that you need "hardware integrity" to prevent attacks on
  radio systems.

  I suggest that it is impossible to carry on a dialog with folks like the VT
  researchers, because they must necessarily buy into the "certification of
  correctness" notion of security.    If they were concerned with "correctness"
  that would be fine - we could carry out a meaningful discussion about the
  difficulty of determining correctness in a system that is inherently focusing
  on getting reliable communications through unreliable channels (information
  theory).   But since they play to the gods of deterministic correctness -
  unreliability doesn't fit in their notion of "security" - they cannot even
  consider the idea that there is no "kernel" that can be certified to reduce
  risk.



  _______________________________________________
  Discuss-gnuradio mailing list
  Discuss-gnuradio@....org
  http://lists.gnu.org/mailman/listinfo/discuss-gnuradio


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
