Application Security Community of Practice
Matching: whitepaper X
For my security concentration last semester I took an interesting course on the principles of Cryptography. My proffesor, Dr. Shouhuai Xu is a huge crypto enthusiast and has published many articles and papers on his experiments that I have found very interesting. This particular paper discusses memory disclosure attacks and how easy it is to aquire private keys from
allocated as well as unallocated space in memory. Cryptography is based on the assumption that the key should be kept secret and in this paper he explains how the "secret" keys of OpenSSH and Apache servers are easily compromised through data recovery in memory. Really cool stuff, a worthy read.
Cryptography has become an indispensable mechanism for securing systems, communications and applications. While offering strong protection, cryptography makes the assumption that cryptographic keys are kept absolutely secret. In general this assumption is very difficult to guarantee in real life because computers may be compromised relatively easily. In this paper we investigate a class of attacks, which exploit memory disclosure vulnerabilities to expose cryptographic keys. We demonstrate that the threat is real by formulating an attack that exposed the private key of an OpenSSH server within 1 minute, and exposed the private key of an Apache HTTP server within 5 minutes. We propose a set of techniques to address such attacks. Experimental results show that our techniques are efficient (i.e., imposing no
performance penalty) and effective — unless a large portion of allocated memory is disclosed.
Protecting Cryptographic Keys From Memory Disclosure Attacks
Darrel Rader 270002AASK Tags:  application-security security app-security-cop whitepaper 3,429 Views
New research reveals that C-level executives feel good data protection efforts support organizational goals such as compliance, reputation, management or customer trust, but there is a lack of confidence in the ability to safeguard sensitive information. Using research about data protection independently collected by the Ponemon Institute, sponsored by Ounce Labs, an IBM Company, this paper reveals the value of data protection. This study is at the forefront of helping to determine what senior executives think about the value proposition of corporate data protection efforts within their organizations.
Here is the URL for this bookmark: https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-rtl-ponemonrptus
Darrel Rader 270002AASK Tags:  whitepaper security app-security-cop appsec application-security 3,363 Views
During the 1980s, war dialing and phone phreaking attacksgarnered all the headlines. In the 1990s, it was all about Webdefacement and the ubiquitous e-mail virus. The last sevenyears have given rise to identity data theft and privacy con-cerns. For the past 20 years, organizations focused on protect-ing the network, but in the last 10 years, it has become clearthat the core threat is access to the network. The network isjust a means to an end. The threat has always been access tothe private data and the applications or business functions thatinteract with data. Private data and business applications aresusceptible to attacks and the most vulnerable during an attackto the enterprise network.
Here is the URL for this bookmark: ftp://public.dhe.ibm.com/common/ssi/sa/wh/n/raw14201usen/RAW14201USEN.PDF
Darrel Rader 270002AASK Tags:  tutorial article podcast news success-story app-security-cop workshop whitepaper webcast course application-security appsec demo announcement lesson-learned cop-news event presentation security 1 Comment 5,669 Views
This is a test blog entry. It has been tagged with multiple tags just to get our feeds started.