Dailydave mailing list archives

Re: The Game


From: Adam Shostack <adam () homeport org>
Date: Mon, 30 Jan 2006 14:23:21 -0500

On Mon, Jan 30, 2006 at 12:48:44PM -0500, Dave Aitel wrote:

| Adam Shostack won the award for best question at the keynote for "And
| how exactly do you plan to scale up your process for analyzing all
| that source code you're collecting?" He's in some stealth-mode privacy
| company now.

Thanks Dave! :)

To be clear, though, I'm at a "stealth mode" source code analysis
company, and advising Debix, the privacy company that was handing out
t-shirts and access to their beta.

My question about scaling was actually more motivated by some stuff
I'm working on with MITRE than by the source code analysis hat.  The
big scary Federal issue that they're concerned about is not strcpy --
We're all reasonably confident we can find strcpys, do some slicing to
reduce 'false positives,' etc, but the worry about intentional and
subtle back doors.

For example, I did some analysis of a crypto implementation that
included DH.  There was no checking of exponent size, so if Alice sent
g^x=1, then Bob will calculate g^y*g^x (which equals g^y), and thus
you're accidentally sending your crypto key (or something closely
related to it) in the clear.  Now is that an intentional backdoor, or
an oversight?  I don't know, but I do know it's a common problem.  Now
scale the need for this sort of analysis.

So, tongue firmly planted in cheek, I suggest we outsource the problem
to the KGB, who will cheaply tell us about most of the problems, and
keep a few in reserve for themselves.  Our overall security posture
improves. :)

Adam
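As an added illustration of the DH issue Adam describes (example code, not from the post or from any product he mentions): a receiver that exponentiates whatever public value arrives ends up with a shared secret of 1 when the peer sends g^x = 1, and the fix is to validate the peer's value before using it. The group parameters P, Q and G are constructed toy values, not a real group.

```python
# Added example (not from the original post): how a Diffie-Hellman
# receiver can reject degenerate public values such as g^x = 1.
# The group parameters below are constructed and far too small for real
# use; they only make the arithmetic easy to follow.
import secrets

P = 1019          # constructed safe prime: (P - 1) / 2 = 509 is prime
Q = (P - 1) // 2  # order of the prime-order subgroup
G = 4             # a quadratic residue, so it generates the order-Q subgroup

def validate_peer_value(y: int, p: int = P, q: int = Q) -> bool:
    """Public-value check a DH receiver should run before exponentiating.

    The range check rejects 0, 1 and p-1 (whose powers are only 1 or p-1);
    y^q mod p == 1 rejects anything outside the order-q subgroup.
    """
    if not 2 <= y <= p - 2:
        return False
    return pow(y, q, p) == 1

def shared_secret_unchecked(peer_value: int, my_private: int, p: int = P) -> int:
    """The flawed receiver from the post: uses whatever the peer sent."""
    return pow(peer_value, my_private, p)

def shared_secret_checked(peer_value: int, my_private: int, p: int = P) -> int:
    """The corrected receiver: refuses a public value that fails validation."""
    if not validate_peer_value(peer_value, p):
        raise ValueError("invalid DH public value from peer")
    return pow(peer_value, my_private, p)

def honest_exchange() -> bool:
    """Two honest parties using validated values still agree on the secret."""
    a = secrets.randbelow(Q - 2) + 2
    b = secrets.randbelow(Q - 2) + 2
    ya, yb = pow(G, a, P), pow(G, b, P)
    return shared_secret_checked(yb, a) == shared_secret_checked(ya, b)

if __name__ == "__main__":
    bob_private = secrets.randbelow(Q - 2) + 2
    # With g^x = 1 on the wire the unchecked secret is 1 whatever Bob's private value is.
    print("unchecked secret for peer value 1:", shared_secret_unchecked(1, bob_private))
    try:
        shared_secret_checked(1, bob_private)
    except ValueError as err:
        print("checked receiver:", err)
```

Real implementations apply the same two checks against a standardized group of 2048 bits or more; the subgroup check is what catches values like p-1 and non-residues that the range check alone lets through.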

