Security References: Difference between revisions

Revision as of 09:12, 29 July 2010

Development

  • CWE/SANS TOP 25 Most Dangerous Programming Errors
  • Reflections on Trusting Trust (http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf) How does writing the C compiler in C bear on security issues? Well, it does (Ken Thompson, Communications of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763)
    • The idea is to hide a trojan in the C compiler that recognises the source of e.g. the login command and injects a backdoor into the binary it produces, plus a second trojan that recognises the source of the compiler itself and re-injects both trojans whenever the compiler is rebuilt with the infected compiler. Once bootstrapped, the backdoor survives even though no trace of it remains in the login source or the compiler source, so inspecting source code alone cannot rule it out.
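
The two-stage trojan described above, as an added simulation that is not part of the original page or of Thompson's paper. Here "source" is Python text and "compiling" means exec'ing it into a fresh namespace, so a compiled compiler is itself a function that compiles the next program. The master password kt1984, the login program, the compiler program and the password database are all constructed for the example; the quine-style template is how the trojan carries its own source so it can plant itself into any compiler it compiles.

```python
"""Simulation of the 'Trusting Trust' self-reproducing compiler trojan.

Constructed example: programs are Python source strings, and a "compiler" is
a function that exec's a source string and returns the resulting namespace.
"""

# Trojan payload. It is written as a template so that, quine-style, the
# trojan can reconstruct its own full source (TROJAN_SRC) at runtime and
# prepend it to any compiler source it is asked to compile.
TROJAN_TEMPLATE = r'''
TROJAN_TEMPLATE = %r
TROJAN_SRC = TROJAN_TEMPLATE %% TROJAN_TEMPLATE

def _infect(source):
    # Payload 1: recognise the login program and plant a master password
    # (constructed value 'kt1984') into the binary, not into the source.
    if "def login(" in source and "kt1984" not in source:
        source = source.replace(
            "    return passwd_db.get(user) == password",
            "    if password == 'kt1984':\n        return True\n"
            "    return passwd_db.get(user) == password")
    # Payload 2: recognise the compiler and re-plant this whole trojan,
    # so a compiler rebuilt from pristine source stays infected.
    if "def compile_program(" in source and "TROJAN_SRC" not in source:
        source = source.replace(
            "    exec(source, ns)",
            "    source = _infect(source)\n    exec(source, ns)")
        source = TROJAN_SRC + source
    return source
'''
TROJAN_SRC = TROJAN_TEMPLATE % TROJAN_TEMPLATE

# Pristine sources (constructed). Neither contains any trace of the trojan.
CLEAN_COMPILER_SRC = '''
def compile_program(source):
    ns = {}
    exec(source, ns)
    return ns
'''

LOGIN_SRC = '''
def login(user, password, passwd_db):
    return passwd_db.get(user) == password
'''


def compile_with(compiler_ns, source):
    """Run the compiler 'binary' in compiler_ns on a source string."""
    return compiler_ns["compile_program"](source)


def build_clean_compiler():
    """A trustworthy bootstrap: compile the pristine compiler source directly."""
    ns = {}
    exec(CLEAN_COMPILER_SRC, ns)
    return ns


def build_trojaned_compiler():
    """The attacker's one-time step: infect the compiler source, build it once,
    then discard the infected source. Only the binary keeps the trojan."""
    helper = {}
    exec(TROJAN_SRC, helper)
    infected_src = helper["_infect"](CLEAN_COMPILER_SRC)
    ns = {}
    exec(infected_src, ns)
    return ns


def run_demo():
    passwd_db = {"alice": "correct horse"}  # constructed
    clean = build_clean_compiler()
    login_clean = compile_with(clean, LOGIN_SRC)["login"]

    trojaned = build_trojaned_compiler()
    login_bad = compile_with(trojaned, LOGIN_SRC)["login"]

    # Rebuild the compiler from its PRISTINE source using the infected binary,
    # then use that second-generation compiler to build login again.
    gen2 = compile_with(trojaned, CLEAN_COMPILER_SRC)
    login_gen2 = compile_with(gen2, LOGIN_SRC)["login"]

    return {
        "clean_rejects_master": not login_clean("alice", "kt1984", passwd_db),
        "trojaned_accepts_master": login_bad("alice", "kt1984", passwd_db),
        "gen2_accepts_master": login_gen2("alice", "kt1984", passwd_db),
        "normal_login_still_works": login_gen2("alice", "correct horse", passwd_db),
        "login_source_is_clean": "kt1984" not in LOGIN_SRC,
        "compiler_source_is_clean": "_infect" not in CLEAN_COMPILER_SRC,
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {ok}")
```

The point the simulation makes is the one Thompson makes: after the bootstrap, both CLEAN_COMPILER_SRC and LOGIN_SRC are exactly what a reviewer would expect, yet every compiler and every login built with the infected binary carries the backdoor. The only defences are trusting a compiler binary from elsewhere or diverse double-compiling, not source review.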

PKI

On the trust-model flaw in browser CAs:

  • "it will CLEARLY not solve the browser security problem.", "the certifications made by even the best of those CAs are effectively MEANINGLESS", "the users are well trained to ignore EVERY browser warning they EVER get", "the ENTIRE question of OCSP is somewhat irrelevant.", "spritzing the SKUNK with eau de cologne.", "hanging garlands from the corpse's ears." (cf. the mail "A mighty fortress is our PKI, Part II", ventzi nikov, 2010 Jul 29 09:06)