May 05, 2006

The Impact of Software Diversity on Embedded Systems

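This evening I read Jim Higgins's article [Diversity protects embedded systems]. Drawing on ten years of experience with embedded networking devices, he examines the serious security challenges facing widely deployed embedded devices, and he points out an interesting phenomenon: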
    "90% of vulnerability exposure is caused by 10% of critical vulnerabilities. "
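The first problem embedded systems used to face was that every bit of resources had to be counted. Today, as technology has advanced, that pressure has eased somewhat, and development schedules can be shortened by building on existing software and hardware components. However, this also indirectly plants many unknowns in the product, so Jim Higgins also uses a passage to describe the situation: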
    The lack of effective network security is no longer a blameless matter. The Sarbanes-Oxley Act of 2002 and the Health Insurance Portability and Accountability Act of 1996 (HIPPA) have made corporate officers personally accountable for the security of their customers' private information. Exploitation of a vulnerability could lead to leaks of personal information and is a principle reason why the creation of a new corporate position, chief information security officer (CISO), has become prevalent. The CISO is looking to keep the CEO out of jail.
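The last sentence may seem somewhat exaggerated, but for the many companies that have only one flagship product, how many bargaining chips do they really have to face these challenges, given the many unknowns in their own products? In addition, the article's "Choosing diversity" section raises an interesting point: using open systems is already an irresistible trend, but this attracts the attention of many hackers/crackers. The author mentions that [CryptLib] can substitute for [OpenSSL], and among existing free software there are quite a few other solutions that can serve as alternatives. This is software diversity, and Jim Higgins argues that this property helps the security of embedded systems.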

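As for [CryptLib] and [OpenSSL], the latter is mainly an implementation of the SSL/TLS protocol, and a fairly complete one, with the related crypto algorithms as separate modules; by comparison, [CryptLib] focuses on implementing crypto algorithms and related standards. But both are software, and as Dijkstra, the inventor of shortest path routing, once said:
    "Testing can prove the presence of bugs, but it cannot prove their absence."
It is easy to see that system software beyond a certain scale is bound to have bugs / security issues; only the degree of impact differs. Software diversity, however, matters for embedded system development in the way the article mentioned above describes: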
    Embedded systems developers can mitigate the exploitation risk dramatically by considering "security through diversity" when selecting software components for their products. Diversity is particularly critical for embedded systems since their software components are generally more opaque to an IT professional than those of an ordinary server. Further, the methods for upgrading most embedded systems are nonstandard and can be time consuming for the IT staff. These factors may delay the deployment of critical patches and increase the risk that unknown vulnerabilities exist on the network.
Of course, this cannot be the optimal approach, but it can be regarded as a security strategy of limited scope.
Posted by jserv on May 5, 2006 08:07 PM