Monday, August 24, 2009

Security of Automatic Software Updates

Several years ago, students at UMass Amherst discovered how to co-opt an automated software update mechanism to gain root access on a computer. The most significant security flaw involved a McAfee anti-virus product whereby an automatic, nightly update allowed the students to get root access on a Mac. Back then, the students wrote code manually.

Fast forward from 2006 to 2009. Now security researchers have reportedly created an automated tool to discover insecure software updates. There are likely a lot of vulnerable products out there, and it's not surprising that many small software houses forget to test whether the backdoor is kept locked: the software update.

Our original paper and video demonstration shows how to co-opt a software update mechanism built into an anti-virus product to gain root on a Mac. Fortunately, that particular bug has been reportedly patched. But what else remains unpatched?

Thursday, August 20, 2009

Thursday, July 16, 2009

Homeopathic Encryption

A few cryptographers who work on homomorphic encryption chuckled at my description of wireless systems nearly absent of proper encryption yet supposedly secure as "homeopathic encryption." Alas, I appear to be just a few days shy of coining the faux term.

Unit-fied Theory of Numbers

I'm not sure why United numbers its calendar in this unusual order.

Saturday, July 11, 2009

Go To Statement Considered Beneficial

Flattening by Yang, Cooprider, and Regehr is a clever C-to-C program transformation to reduce the amount of RAM used by the call stack. This technique may allow for embedded systems with extremely constrained energy to more effectively perform computation because of the relatively high energy cost for maintaining RAM. I wonder if Mementos could use flattening to improve energy-aware checkpoints of RAM in CRFIDs.

Sunday, February 01, 2009


Ok, thanks. Submitting a letter of recommendation is harder than I thought.

Wednesday, January 14, 2009