Non-Obvious Bugs by Example

May 26, 2011

Over the years, the identification and exploitation of high-level bugs has become more important. Cryptographic implementations in particular can easily be affected by subtle bugs. This talk shows two examples of bugs in crypto-related code: one in a message authentication code implementation and one in the use of a random number generator, showing the effects of improper use of otherwise good cryptographic primitives. For the theoretically inclined, part of the talk will include a bit of math. For the more practical people, the full exploitation of the bugs will be shown. Interestingly, the two vulnerabilities are in parts of the code that have already been subject to review, underlining that such bugs are easily overlooked.

I’ve presented this talk on: Check out: