Firewall Wizards mailing list archives
Re: How automate firewall tests
From: Chuck Swiger <chuck () codefab com>
Date: Mon, 21 Aug 2006 16:55:49 -0700
On Aug 21, 2006, at 3:51 PM, Bill Royds wrote:
> ASN.1 is a formal language to describe data structures for use of a number of protocols.

Agreed.

> One would expect that protocols that use ASN.1 as their structure grammar should be quite secure.

How does this follow? I would expect that using ASN.1 would make it easier to validate whether a protocol statement is grammatical, and make it easier to write a sane LR(0,1) or LALR(1) parser for it, but that doesn't mean that J. Random Hacker isn't going to roll their own parser and maybe allocate a 1024-byte buffer which can be over-run regardless. Good specification != good implementation.

This also says nothing about whether the protocol has paid any attention to security. Just because something parses, doesn't mean it makes sense or that the application should answer the query without considering whether the request is legit and properly authorized.

In particular, people very rarely define security policies or access rules within the grammar of a protocol, with the notable exception of firewall ruleset languages like PF, IPFW, Cisco's IOS, etc....

> But there have probably been more vulnerabilities in ASN.1 based protocols than any other. So even a formal grammar is probably not good enough to define "correct" input.

What are you counting, here? :-)

--
-Chuck
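
An added illustration of the "1024-byte buffer" point in the message above (not code from the thread or from any participant): a C reader for one definite-length BER/DER TLV that checks the encoded length against both the bytes actually received and the fixed destination buffer before copying. The names tlv_read, VALUE_BUF and the status codes are hypothetical, and only single-octet tags are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VALUE_BUF 1024  /* the fixed-size buffer from the post (hypothetical name) */

enum tlv_status {
    TLV_OK = 0,
    TLV_TRUNCATED = -1,    /* header or value runs past the end of the input */
    TLV_UNSUPPORTED = -2,  /* grammatical, but a form this reader refuses */
    TLV_TOO_BIG = -3       /* value would not fit in the destination buffer */
};

/* Read one TLV from in[0..in_len) and copy its value into out, which must
 * have room for VALUE_BUF bytes. Sets *tag and *value_len on success. */
int tlv_read(const uint8_t *in, size_t in_len, uint8_t *tag,
             uint8_t *out, size_t *value_len)
{
    size_t pos = 0, len = 0;

    if (in_len < 2) return TLV_TRUNCATED;
    *tag = in[pos++];
    if ((*tag & 0x1F) == 0x1F) return TLV_UNSUPPORTED;  /* multi-octet tag */

    uint8_t first = in[pos++];
    if (first < 0x80) {
        len = first;                          /* short form: length 0..127 */
    } else {
        size_t n = first & 0x7F;              /* count of length octets */
        if (n == 0) return TLV_UNSUPPORTED;   /* indefinite length */
        if (n > sizeof(size_t)) return TLV_UNSUPPORTED;  /* would overflow len */
        if (n > in_len - pos) return TLV_TRUNCATED;
        while (n--) len = (len << 8) | in[pos++];
    }

    /* The encoded length is sender-controlled. A well-formed encoding can
     * still claim more bytes than were received or than out can hold, so
     * both limits are checked before the copy. */
    if (len > in_len - pos) return TLV_TRUNCATED;
    if (len > VALUE_BUF) return TLV_TOO_BIG;

    memcpy(out, in + pos, len);
    *value_len = len;
    return TLV_OK;
}
```

A hand-rolled reader that omits either of the two final checks is the over-run case the message describes: the input is grammatical in both cases, and only the implementation decides whether the copy stays in bounds.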