Re: Script codes

From: David Jefferson <d_jefferson_at_yahoo_dot_com>
Date: Thu Jan 05 2006 - 21:15:24 CST

No--you are correct. I did not mean to suggest otherwise.

All I am saying is that the use of interpreted AccuBasic byte code on
the memory card is not related to any O-O programming methodology.
It is simply a design choice Diebold made for various reasons.

David

On Jan 5, 2006, at 7:49 PM, charlie strauss wrote:

>
>>
>> The data stored on Diebold removable memory cards is straight data,
>> not "objects" in the OO sense.
>
>
> David,
> The Hursti attack on the Diebold TSX that was reported by Bev
> Harris supposedly involved placing "accubasic" scripts on the
> removable memory cards. Are you telling me something different was
> done?
>
>
>
>
>>
>> The prohibition on interpreted code is in section 4.2.2 of the 2002
>> FEC standards.
>>
>> 4.2.2 Software Integrity
>> Self-modifying, dynamically loaded, or interpreted code is prohibited,
>> except under the security provisions outlined in section 6.4.e. This
>> prohibition is to ensure that the software tested and approved during
>> the qualification process remains unchanged and retains its integrity.
>> External modification of code during execution shall be prohibited.
>> Where the development environment (programming language and
>> development tools) includes the following features, the software shall
>> provide controls to prevent accidental or deliberate attempts to
>> replace executable code:
>>   Unbounded arrays or strings (includes buffers used to move data);
>>   Pointer variables; and
>>   Dynamic memory allocation and management.
>>
>> David
>>
>>
>> On Jan 5, 2006, at 12:30 PM, charlie strauss wrote:
>>
>>> I'm sure you have seen the latest bulletin from Bev Harris, quoting
>>> Jim March.
>>> (personally I was a tad disappointed she elevated the physical
>>> access and limited Eprom Attack to the same plateau as the general
>>> purpose Hursti attack on the Diebold systems. It lowers the
>>> importance of the Hursti attack. But she does have a small point
>>> of sorts)
>>>
>>> In any case the Diebold attack was based on "interpreted" code
>>> being allowed on the vote cards. That's something I expect is
>>> becoming ubiquitous since object oriented data storage lends itself
>>> to that.
>>>
>>>
>>> She has said interpreted code is not allowed (in the past pointing
>>> to other places it is found, like font files). Is this really
>>> true? Where is this prohibition?
>>>
>>> And how does that suit OVC which uses python (or accupol which uses
>>> Java). Is it just a limitation to specific places script codes can
>>> be found?
>>>
>>>
>>>
>>> _______________________________________________
>>> OVC-discuss mailing list
>>> OVC-discuss@listman.sonic.net
>>> http://lists.sonic.net/mailman/listinfo/ovc-discuss
>>
>
>

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Mon Jan 8 20:24:38 2007
