Bancroft Scott <[EMAIL PROTECTED]> writes:

>Since February I and others in the ITU-T ASN.1 group have gone over the
>ASN.1 and encoding rule standards with a fine tooth comb looking for
>possible vulnerabilities, and we have come up with nothing. I was aware
>that the President's Critical Infrastructure Protection Board was
>investigating the threat to the U.S. and its allies posed by the newly
>detected security vulnerabilities, so I contacted key members of the
>Board to see if they were aware of any vulnerabilities in ASN.1 or BER.
>They responded that they are aware of flawed implementations, but no
>vulnerabilities in the ASN.1 or BER standards were found.

For several years now I've been using a stripped-down version of the dumpasn1 engine as a firewall for ASN.1 validity checking. Before being passed to my code (which is itself heavily checked to make sure it can't be exploited) all ASN.1-encoded data is passed by the firewall to make sure it doesn't contain anything questionable. If it would help, I can make this publicly available (the reason I haven't done so already is that I didn't think there'd be much demand for it).

Peter.
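
The pre-validation idea described in the message above, as an added example that is not part of the original message and is not code from dumpasn1: a structural check run over the encoded bytes before any decoder sees them. The strict policy (no indefinite or non-minimal lengths, no multi-byte tags, `MAX_DEPTH`, `MAX_LEN_OCTETS`) and all names are assumptions chosen for this example; BER itself permits some of what it rejects.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_DEPTH 32        /* assumed nesting limit */
#define MAX_LEN_OCTETS 4    /* assumed cap on long-form length octets */

/* Returns 1 if buf[0..len) is a run of well-formed TLV elements that
   exactly fill the buffer, recursing into constructed values; else 0. */
static int check_tlv(const uint8_t *buf, size_t len, int depth)
{
    size_t pos = 0;
    if (depth > MAX_DEPTH) return 0;
    while (pos < len) {
        uint8_t id = buf[pos++];
        size_t vlen;
        if ((id & 0x1F) == 0x1F || pos >= len)
            return 0;   /* multi-byte tag (rejected by policy) or missing length */
        vlen = buf[pos++];
        if (vlen & 0x80) {
            size_t n = vlen & 0x7F;
            if (n == 0 || n > MAX_LEN_OCTETS || n > len - pos)
                return 0;   /* indefinite, oversized or truncated length */
            if (buf[pos] == 0) return 0;    /* leading zero: non-minimal */
            for (vlen = 0; n > 0; n--)
                vlen = (vlen << 8) | buf[pos++];
            if (vlen < 0x80) return 0;      /* short form was required */
        }
        if (vlen > len - pos) return 0;     /* value overruns its container */
        if ((id & 0x20) && !check_tlv(buf + pos, vlen, depth + 1))
            return 0;   /* constructed value is itself malformed */
        pos += vlen;
    }
    return 1;
}

/* Gate to call before handing data to the real decoder. */
int asn1_firewall(const uint8_t *buf, size_t len)
{
    return len > 0 && check_tlv(buf, len, 0);
}

/* Constructed samples: a valid SEQUENCE, and one whose INTEGER overruns it. */
static const uint8_t sample_ok[]  = {0x30,0x06,0x02,0x01,0x05,0x04,0x01,0x41};
static const uint8_t sample_bad[] = {0x30,0x06,0x02,0x05,0x05,0x04,0x01,0x41};
int main(void)
{
    printf("ok=%d bad=%d\n", asn1_firewall(sample_ok, sizeof sample_ok), asn1_firewall(sample_bad, sizeof sample_bad));
    return 0;
}
```

Every length is checked against the bytes remaining in the enclosing element before it is used, so a decoder behind this gate never sees a length field that points outside its container.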
