Re: Scan This Guy's E-Passport and Watch Your System Crash

[Florian Weimer <fw () deneb enyo de>]

> The answer, of course, is that it depends. ;-)

Yeah.

> When it comes to buffer overflows, I think the best course of action
> is to assume that an overflow error is always exploitable and just
> fix it.

If it's in managed code, and it's not a networked, multi-tasked code,
it should still be fairly safe.  "Don't do it, then" is often a
sufficient remedy.

OTOH, passport readers tend to be components of large, real-world
systems and processes, and repeated failures in some circumstances
might have interesting, exploitable side effects at a very high level.
(Think about disabling a burglar alarm by repeatedly triggering false
alarms.)

And let's not forget the PR angle--someone has certified that the
software does not contain such errors.  Who knows what else they have
missed.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.