[erlang-questions] Atom Unicode Support

Felix Gallo felixgallo@REDACTED
Wed Feb 3 18:00:39 CET 2016


Oh for sure there's all sorts of hilarity in C. Doubtless in erlang, too.
But the existence of other attack vectors doesn't suggest that you should
ignore a new one.

It'd probably be a good idea, if this were to be implemented, if there were
some tooling or flags for the compiler to warn when unicode was used in a
potentially dangerous setting, so that people taking pull requests on
erlang code (or even just typing code wrong) could avoid some classes of
possible exploits.

On Wed, Feb 3, 2016 at 8:47 AM, Fred Hebert <mononcqc@REDACTED> wrote:

> On 02/03, Felix Gallo wrote:
>
>> There's also an interesting security issue around Unicode source code.
>>
>> Take for example the recent hack of Cryptsy, which involved a guy taking
>> what looked like an innocent and safe pull request to fix an issue in one
>> part of his software, but through the magic of the preprocessor, turned
>> out to do something else entirely:
>>
>>
>> http://earlz.net/view/2016/01/16/0717/analyzing-the-56-million-exploit-and-cryptsys-security
>>
>
> My counter-argument to that is that you don't need any of that cool UTF
> stuff to do that.
>
> See:
>
> - http://www.underhanded-c.org/ underhanded C contest is all about
>   writing regular looking C code doing nasty stuff
> - http://arstechnica.co.uk/security/2015/12/researchers-confirm-backdoor-password-in-juniper-firewall-code/
>   juniper code was broken by someone adding in a password check that looked
>   like a log line
> - http://arstechnica.com/security/2016/02/crypto-flaw-was-so-glaring-it-may-be-intentional-eavesdropping-backdoor/
>   using a non-prime in crypto communication, possibly being a backdoor.
>
>
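The compiler warning Felix asks for could start life as a pre-merge lint. The following is an added example, not code from this thread or from Erlang/OTP: a small Python checker run over constructed Erlang snippets that flags tokens mixing scripts (a Cyrillic letter spliced into a Latin atom), compatibility forms that normalize to a different ASCII-looking atom, and invisible format characters such as bidi overrides. The sample source, the function names and the comment-stripping rule are all assumptions made for this example.

```python
import re
import unicodedata

# Erlang-style bare atoms and variables: a letter followed by letters, digits, '_' or '@'.
TOKEN_RE = re.compile(r"[^\W\d_][\w@]*")

def script_of(ch):
    """Script family of a letter, taken from its Unicode name
    ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC'); None for digits, '_' and '@'."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def scan_erlang_source(src):
    """Return (lineno, kind, detail) warnings for characters that can make
    Erlang source read differently from how the compiler tokenizes it."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        # Invisible format characters (category Cf, e.g. bidi overrides, zero-width
        # joiners) are checked on the whole line, strings and comments included,
        # because they can reorder or hide what a reviewer sees.
        for ch in line:
            if unicodedata.category(ch) == "Cf":
                findings.append((lineno, "format-char",
                                 "U+%04X %s" % (ord(ch), unicodedata.name(ch, "?"))))
        code = line.split("%", 1)[0]  # drop the comment (naive: ignores '%' in strings)
        for tok in TOKEN_RE.findall(code):
            scripts = {s for s in map(script_of, tok) if s}
            if len(scripts) > 1:  # e.g. Cyrillic 'a' spliced into a Latin atom
                findings.append((lineno, "mixed-script",
                                 "%r mixes %s" % (tok, ", ".join(sorted(scripts)))))
            if unicodedata.normalize("NFKC", tok) != tok:  # ligatures, fullwidth forms
                findings.append((lineno, "compat-form",
                                 "%r renders like %r but is a different atom"
                                 % (tok, unicodedata.normalize("NFKC", tok))))
    return findings

# Constructed sample: line 2 is the honest clause, lines 3-5 are look-alikes.
SAMPLE = "\n".join([
    "-module(wallet).",
    "is_owner(Key) -> Key =:= admin.",
    "is_owner(Key) -> Key =:= \u0430dmin.",  # leading CYRILLIC SMALL LETTER A
    "\ufb01nd(X) -> X.",                      # LATIN SMALL LIGATURE FI, not 'fi'
    "log(\"done\u202e\") -> ok.",             # RIGHT-TO-LEFT OVERRIDE inside a string
])

if __name__ == "__main__":
    for lineno, kind, detail in scan_erlang_source(SAMPLE):
        print("line %d: %s: %s" % (lineno, kind, detail))
```

Wired into a pre-receive hook or CI job, a non-empty result is the point at which a reviewer inspects the raw bytes of the pull request rather than its rendering.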