Re: Script codes

From: charlie strauss <cems_at_earthlink_dot_net>
Date: Thu Jan 05 2006 - 20:49:40 CST

>The data stored on Diebold removable memory cards is straight data,
>not "objects" in the OO sense.

The Hursti attack on the Diebold TSX that was reported by Bev Harris supposedly involved placing "accubasic" scripts on the removable memory cards. Are you telling me something different was done?

>The prohibition on interpreted code is in section 4.2.2 of the 2002
>FEC standards.
>
>4.2.2 Software Integrity
>
>Self-modifying, dynamically loaded, or interpreted code is prohibited,
>except under the security provisions outlined in section 6.4.e. This
>prohibition is to ensure that the software tested and approved during
>the qualification process remains unchanged and retains its integrity.
>External modification of code during execution shall be prohibited.
>
>Where the development environment (programming language and development
>tools) includes the following features, the software shall provide
>controls to prevent accidental or deliberate attempts to replace
>executable code:
>
>- Unbounded arrays or strings (includes buffers used to move data);
>- Pointer variables; and
>- Dynamic memory allocation and management.
>
>On Jan 5, 2006, at 12:30 PM, charlie strauss wrote:
>> I'm sure you have seen the latest bulletin from Bev Harris, quoting
>> Jim March.
>>
>> (personally I was a tad disappointed she elevated the physical
>> access and limited EPROM attack to the same plateau as the general
>> purpose Hursti attack on the Diebold systems. It lowers the
>> importance of the Hursti attack. But she does have a small point
>> of sorts)
>>
>> In any case the Diebold attack was based on "interpreted" code
>> being allowed on the vote cards. That's something I expect is
>> becoming ubiquitous since object oriented data storage lends itself
>> to that.
>>
>> She has said interpreted code is not allowed (in the past pointing
>> to other places it is found, like font files). Is this really
>> true? Where is this prohibition?
>>
>> And how does that suit OVC which uses python (or accupol which uses
>> Java)? Is it just a limitation to specific places script codes can
>> be found?

= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Mon Jan 8 20:24:38 2007
