Artwork

A tartalmat a Maitt Saiwyer biztosítja. Az összes podcast-tartalmat, beleértve az epizódokat, grafikákat és podcast-leírásokat, közvetlenül a Maitt Saiwyer vagy a podcast platform partnere tölti fel és biztosítja. Ha úgy gondolja, hogy valaki az Ön engedélye nélkül használja fel a szerzői joggal védett művét, kövesse az itt leírt folyamatot https://hu.player.fm/legal.
Player FM - Podcast alkalmazás
Lépjen offline állapotba az Player FM alkalmazással!

Episode 13 - Why Bad Code, Not Broken Math, Is the Real Security Threat

36:15
 
Megosztás
 

Manage episode 513308562 series 3695172
A tartalmat a Maitt Saiwyer biztosítja. Az összes podcast-tartalmat, beleértve az epizódokat, grafikákat és podcast-leírásokat, közvetlenül a Maitt Saiwyer vagy a podcast platform partnere tölti fel és biztosítja. Ha úgy gondolja, hogy valaki az Ön engedélye nélkül használja fel a szerzői joggal védett művét, kövesse az itt leírt folyamatot https://hu.player.fm/legal.

This episode argues that the biggest threat to digital security is not broken cryptography math, but implementation flaws and bad code written by humans. The mathematical foundations of modern cryptography, such as RSA's reliance on factoring large numbers and AES's diffusion and confusion properties, are fundamentally strong and buy defenders time. However, this security is often undermined by implementation errors in the surrounding software, such as the classic buffer overflow vulnerability, which can redirect a program's execution flow by overwriting a return address on the stack. A more advanced and difficult-to-exploit class of flaw is the format string vulnerability, which allows an attacker to gain control by hijacking benign output functions like printf to write data to arbitrary memory addresses.

The prevalence of these flaws emphasizes that security is relative and must be assessed through a complete system analysis, rather than just by the strength of the core algorithm. This includes looking at all possible messages, as seen in chosen plaintext attacks (CPA) against public-key systems, where a limited message space can be exploited by building a dictionary of all possible ciphertexts. Additionally, flaws often persist in legacy code, such as the dangerous C function strcpy, which lacks boundary checks and allows unchecked data copying to corrupt memory. To combat this, modern secure design principles must be adopted, such as immutability in data structures to prevent state corruption, and minimizing the Trusted Computing Base (TCB)—the essential code enforcing security—to simplify verification and reduce the attack surface.

The most severe consequences occur when these flaws are weaponized by well-resourced adversaries, termed Advanced Persistent Threats (APTs). The Stuxnet cyber-physical weapon demonstrated this by using multiple zero-day exploits and immense resources to target specific industrial control systems, causing physical destruction to centrifuges while feeding false telemetry back to operators. Given this threat landscape, organizational leaders must shift their focus to proactive defenses and adopt an actuarial mindset to manage cyber risk by quantifying likelihood and business impact. The ultimate defense requires an integrated approach: secure mathematical algorithms, robust protocol design, secure software implementation, and objective risk management.

  continue reading

21 epizódok

Artwork
iconMegosztás
 
Manage episode 513308562 series 3695172
A tartalmat a Maitt Saiwyer biztosítja. Az összes podcast-tartalmat, beleértve az epizódokat, grafikákat és podcast-leírásokat, közvetlenül a Maitt Saiwyer vagy a podcast platform partnere tölti fel és biztosítja. Ha úgy gondolja, hogy valaki az Ön engedélye nélkül használja fel a szerzői joggal védett művét, kövesse az itt leírt folyamatot https://hu.player.fm/legal.

This episode argues that the biggest threat to digital security is not broken cryptography math, but implementation flaws and bad code written by humans. The mathematical foundations of modern cryptography, such as RSA's reliance on factoring large numbers and AES's diffusion and confusion properties, are fundamentally strong and buy defenders time. However, this security is often undermined by implementation errors in the surrounding software, such as the classic buffer overflow vulnerability, which can redirect a program's execution flow by overwriting a return address on the stack. A more advanced and difficult-to-exploit class of flaw is the format string vulnerability, which allows an attacker to gain control by hijacking benign output functions like printf to write data to arbitrary memory addresses.

The prevalence of these flaws emphasizes that security is relative and must be assessed through a complete system analysis, rather than just by the strength of the core algorithm. This includes looking at all possible messages, as seen in chosen plaintext attacks (CPA) against public-key systems, where a limited message space can be exploited by building a dictionary of all possible ciphertexts. Additionally, flaws often persist in legacy code, such as the dangerous C function strcpy, which lacks boundary checks and allows unchecked data copying to corrupt memory. To combat this, modern secure design principles must be adopted, such as immutability in data structures to prevent state corruption, and minimizing the Trusted Computing Base (TCB)—the essential code enforcing security—to simplify verification and reduce the attack surface.

The most severe consequences occur when these flaws are weaponized by well-resourced adversaries, termed Advanced Persistent Threats (APTs). The Stuxnet cyber-physical weapon demonstrated this by using multiple zero-day exploits and immense resources to target specific industrial control systems, causing physical destruction to centrifuges while feeding false telemetry back to operators. Given this threat landscape, organizational leaders must shift their focus to proactive defenses and adopt an actuarial mindset to manage cyber risk by quantifying likelihood and business impact. The ultimate defense requires an integrated approach: secure mathematical algorithms, robust protocol design, secure software implementation, and objective risk management.

  continue reading

21 epizódok

Minden epizód

×
 
Loading …

Üdvözlünk a Player FM-nél!

A Player FM lejátszó az internetet böngészi a kiváló minőségű podcastok után, hogy ön élvezhesse azokat. Ez a legjobb podcast-alkalmazás, Androidon, iPhone-on és a weben is működik. Jelentkezzen be az feliratkozások szinkronizálásához az eszközök között.

 

Gyors referencia kézikönyv

Hallgassa ezt a műsort, miközben felfedezi
Lejátszás