Comments on: Blackhat USA 2007 (Presentation Material) http://taossa.com/index.php/2007/08/07/blackhat-usa-2007-2/ Continued ramblings on software security and code auditing Tue, 07 Sep 2010 11:03:11 +0000 http://wordpress.org/?v=2.0.5 by: jm http://taossa.com/index.php/2007/08/07/blackhat-usa-2007-2/#comment-3696 Wed, 22 Aug 2007 21:23:00 +0000 http://taossa.com/index.php/2007/08/07/blackhat-usa-2007-2/#comment-3696 Youre the one with the negative attitude; Im the one with the negative memcpys. - Mark Dowd, Internet Hero Youre the one with the negative attitude; Im the one with the negative memcpys.

- Mark Dowd, Internet Hero

]]> by: mark http://taossa.com/index.php/2007/08/07/blackhat-usa-2007-2/#comment-3458 Thu, 09 Aug 2007 23:53:00 +0000 http://taossa.com/index.php/2007/08/07/blackhat-usa-2007-2/#comment-3458 Assuming we get to do a 2nd edition, we will most certainly include this stuff (and more) Assuming we get to do a 2nd edition, we will most certainly include this stuff (and more)

]]> by: forever.b0rked http://taossa.com/index.php/2007/08/07/blackhat-usa-2007-2/#comment-3454 Thu, 09 Aug 2007 20:00:00 +0000 http://taossa.com/index.php/2007/08/07/blackhat-usa-2007-2/#comment-3454 Any chance well see similar material in the new edition of the book? Any chance well see similar material in the new edition of the book?

]]> by: jm http://taossa.com/index.php/2007/08/07/blackhat-usa-2007-2/#comment-3429 Wed, 08 Aug 2007 11:10:00 +0000 http://taossa.com/index.php/2007/08/07/blackhat-usa-2007-2/#comment-3429 Saad! Wow, its literally been like 10 years! Hope things find you well. :> If Im reading your question right, then, no, we havent personally done much original research into the issues that tend to affect object oriented code in the sort of mobile threat environment. Those kinds of issues are definitely pretty cool, as they can get pretty creative, but I can only recall a couple of auditing projects off-hand where those kinds of language/run-time level security controls were ultimately relevant to the overall system security. That said, I didnt do a whole lot of embedded / cell phone software review, and didnt encounter Java applets or similar client-side code very much in my travels. Im trying to think of situations where Im wrong, but all I can come up with is maybe QTJava, or maybe logic bugs related to the use of reflection based on user input in frameworks like struts. Anyway, last time I looked at this stuff, I found this database to have some really good Java-specific coverage: <a href="http://www.fortifysoftware.com/vulncat/" rel="nofollow">http://www.fortifysoftware.com/vulncat/</a> Saad! Wow, its literally been like 10 years! Hope things find you well. :>

If Im reading your question right, then, no, we havent personally done much original research into the issues that tend to affect object oriented code in the sort of mobile threat environment. Those kinds of issues are definitely pretty cool, as they can get pretty creative, but I can only recall a couple of auditing projects off-hand where those kinds of language/run-time level security controls were ultimately relevant to the overall system security. That said, I didnt do a whole lot of embedded / cell phone software review, and didnt encounter Java applets or similar client-side code very much in my travels.

Im trying to think of situations where Im wrong, but all I can come up with is maybe QTJava, or maybe logic bugs related to the use of reflection based on user input in frameworks like struts.

Anyway, last time I looked at this stuff, I found this database to have some really good Java-specific coverage:

http://www.fortifysoftware.com/vulncat/

]]> by: saad r http://taossa.com/index.php/2007/08/07/blackhat-usa-2007-2/#comment-3419 Wed, 08 Aug 2007 01:50:00 +0000 http://taossa.com/index.php/2007/08/07/blackhat-usa-2007-2/#comment-3419 good stuff! have you ever considered security holes in object orientation in general? some examples from java would be overly extensible classes, classloader bootstrapping, etc. -s good stuff!

have you ever considered security holes in object orientation in general? some examples from java would be overly extensible classes, classloader bootstrapping, etc.

-s

]]>