Summary of 28c3: The Science of Insecurity

This is an AI generated summary. There may be inaccuracies.
Summarize another video · Purchase Premium

00:00:00 - 00:55:00

In this video, the presenter discusses the science of insecurity and how it can be used to design more secure systems. They discuss the concept of undecidability and how it can be exploited in order to create vulnerabilities. They also discuss the language hierarchy and how different languages can be used to parse input strings. Finally, they talk about the importance of reducing the power of computational entities in order to improve security.

  • 00:00:00 This talk is about the science of insecurity, which involves studying exploits and vulnerabilities in order to predict how they will behave. It is important to note that exploits are not simply bugs, but are instead a result of flawed design in protocols and message formats. By understanding how exploits work and how to design secure systems, we can avoid future security problems.
  • 00:05:00 The video discusses the failings of current security methods and how to improve them. It highlights the need for elegant, descriptive models of insecurity, and suggests that this can be achieved through the study of natural sciences.
  • 00:10:00 In this video, the presenter discusses the concept of undecidability and how it applies to security issues. They discuss the single component and distributed cases, and explain how input recognition can fail. They then go on to discuss how the halting problem arises in these cases, and how it can be exploited. Finally, the presenter discusses how input languages and weird machines are born, and how far said exploitation is setting up the machine.
  • 00:15:00 The video discusses the history of the halting problem and its connection to the famous mathematical paradox known as Russell's paradox. It also discusses ways of solving the problem, including the development of formal dualities.
  • 00:20:00 The video discusses the language hierarchy, which states that there are different types of languages, from the simplest, regular languages, to the more complex, context-sensitive languages, and to the Turing-complete, recursive languages. It also explains that, in order to match an input string to a language, we need to use a recognizer. If the recognizer doesn't actually match the language, the string is deemed to be broken and the program running on it is likely to be incorrect.
  • 00:25:00 The speaker talks about the importance of knowing the computational power needed to recognize a given language, and how it's important to reduce complexity across communication boundaries. They mention the halting problem, which reduces to the halting problem, and the context-free equivalence problem, which reduces to the Rice's theorem.
  • 00:30:00 The video discusses the science of insecurity, and suggests that deterministic pushdown automata are the easiest way to solve the halting problem. However, ambiguous context-free grammars are stronger and undecidable, meaning that protocols built using them are vulnerable to attack. A proposed solution is to be definite about what is accepted, and reduce the power of computational entities where possible.
  • 00:35:00 This video discusses how security can be compromised by Turing complete input languages, reduced computing power, and ambiguity. The video also provides examples of languages that use regular expressions to parse ATM messages.
  • 00:40:00 The video discusses the halting problem, two incomplete input languages, and the programming "weird machine problem." It also discusses how regular expressions can take exponential time to process. The presenter recommends the Parser Combinator Standard Library in Scala because it is similar to Java and there are many good tutorials on using Parser Combinator's.
  • 00:45:00 The video discusses the security implications of using length-delimited fields for data storage, and how context-sensitive languages can overcome the equivalence problem.
  • 00:50:00 The speaker discusses how to avoid security vulnerabilities in software by using proper compiler and input language choices. He explains that using a backtracking algorithm or including features like back weather events can help protect against plane waves. The speaker also addresses the trend of inventing proprietary protocols between JavaScript applications and browsers. He advises against using them, as they can lead to security vulnerabilities.
  • 00:55:00 In his 28c3 talk, "Performance vs. Security: A Red Herring?", Adam Back discusses the importance of considering performance when designing security protocols. He also discusses the importance of including length fields in protocol delimiters in order to improve performance. Finally, he demonstrates the importance of exposing computational equivalents in order to security protocols.

Copyright © 2024 Summarize, LLC. All rights reserved. · Terms of Service · Privacy Policy · As an Amazon Associate, earns from qualifying purchases.