Tuesday, June 24, 2008

An older presentation on a 'new' topic

Back in 2005 I gave this presentation at Black Hat Japan:

http://www.blackhat.com/presentations/bh-jp-05/bh-jp-05-brezinski.pdf

This year a number of security researchers have done work on the topic and are making the rounds with their presentations.

Just a few days ago there was a big to-do about security vulnerabilities in ruby. The primary vulnerabilities were integer overflows affecting memory allocations in Array and String. However, it was pointed out to ruby-core in early 2006 that integer overflow issues existed in Array and that the memory allocation macros used throughout the interpreter code were subject to integer overflows:

http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/7818
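As an added illustration of the allocation-size overflow described above (example code written for this page, not Ruby's macros and not from the original post): an element-count times element-size computation that wraps silently, beside a checked version that refuses to allocate when the product does not fit in size_t. The helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helpers (constructed for this example, not Ruby's macros).
 * An interpreter typically sizes an Array or String buffer as
 * element_count * element_size; if that product wraps, the interpreter
 * gets a buffer far smaller than the element count it believes it has,
 * and every later write indexed by element count runs past the end. */

/* Byte count an unchecked macro would request: wraps modulo SIZE_MAX + 1. */
size_t unchecked_alloc_size(size_t n, size_t elem_size) {
    return n * elem_size;
}

/* Checked version: returns 1 and stores n * elem_size in *out when the
 * product fits in size_t; returns 0 and leaves *out untouched otherwise. */
int checked_alloc_size(size_t n, size_t elem_size, size_t *out) {
    if (elem_size != 0 && n > SIZE_MAX / elem_size)
        return 0;                       /* product would overflow */
    *out = n * elem_size;
    return 1;
}

/* Allocation helper that fails closed: NULL on overflow, as malloc does on OOM. */
void *alloc_n_checked(size_t n, size_t elem_size) {
    size_t bytes;
    if (!checked_alloc_size(n, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void) {
    /* Constructed input: an element count just large enough that
     * n * 8 equals SIZE_MAX + 1 and therefore wraps to exactly 0. */
    size_t n = SIZE_MAX / 8 + 1;
    size_t bytes;
    printf("unchecked: %zu elements * 8 bytes -> %zu bytes requested\n",
           n, unchecked_alloc_size(n, 8));
    printf("checked:   overflow detected = %d\n",
           !checked_alloc_size(n, 8, &bytes));
    void *p = alloc_n_checked(n, 8);
    printf("alloc_n_checked returned %s\n", p == NULL ? "NULL" : "a buffer");
    free(p);
    return 0;
}
```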

Great to see the communities getting ahead of the curve :/

2 comments:

not_me said...

To be fair, we discussed this off-list and I don't think anyone touched the full breadth of what I talked about, or rather everyone talked about components, but no one put the entire picture together. Mark Dowd's flash stuff was probably the closest I've come across.

Also, I did the talk at eusec/ph on python.

Dominique Brezinski said...

jnf, my post was not meant to belittle the work being done by you and others in the security field, but rather it was meant for the core ruby community. When I brought up the security issues and the concept of full disclosure in the ruby community, they marginalized me and the issues.

Now two years later these issues are being poorly addressed.

My presentation at Black Hat Japan was just a conceptual look at the subject of interpreter security. Now interpreted languages are the core of some very important stuff, so people are spending the time to really dig in and explore the subject across multiple languages. That is fantastic. I totally applaud and appreciate the work. I advocated then and now.

I only wish the communities supporting and developing the languages understood just how important security and security response process are. It sounds like the Python community has been much more responsive and receptive to your work. Now if ruby-core would just get a clue.