Several years ago, students at UMass Amherst discovered how to co-opt an automated software update mechanism to gain root access on a computer. The most significant security flaw involved a McAfee anti-virus product whereby an automatic, nightly update allowed the students to get root access on a Mac. Back then, the students wrote code manually.
Fast forward from 2006 to 2009. Now security researchers have reportedly created an automated tool to discover insecure software updates. There are likely a lot of vulnerable products out there, and it's not surprising that many small software houses forget to test whether the back door is kept locked: the software update mechanism.
Our original paper and video demonstration show how to co-opt a software update mechanism built into an anti-virus product to gain root on a Mac. Fortunately, that particular bug has reportedly been patched. But what else remains unpatched?
Thursday, August 20, 2009
Refreshing comments about the importance of studying languages appeared in the Chronicle of Higher Education.
Thursday, July 16, 2009
A few cryptographers who work on homomorphic encryption chuckled at my description of wireless systems nearly devoid of proper encryption yet supposedly secure as "homeopathic encryption." Alas, I appear to be just a few days shy of coining the faux term.
Saturday, July 11, 2009
Flattening by Yang, Cooprider, and Regehr is a clever C-to-C program transformation to reduce the amount of RAM used by the call stack. This technique may allow for embedded systems with extremely constrained energy to more effectively perform computation because of the relatively high energy cost for maintaining RAM. I wonder if Mementos could use flattening to improve energy-aware checkpoints of RAM in CRFIDs.
Sunday, February 01, 2009
Saturday, January 31, 2009
The NYTimes has an editorial on charges that the F.D.A. has failed to adequately regulate medical devices. A harder task will be ensuring that medical devices maintain security and privacy.