The idea of putting an ASN.1 filter into a fire-wall has been raised earlier (following the publicity of hte OULU vulnerabilities) as a useful contribution to robustness of sensitive ASN.1-based applications.
It is good to find that it has already been done! I am sure that it would be much appreciated if your work were put into the public domain, and was more widely disseminated and integrated into fire-wall packages. John L Peter Gutmann wrote: > > Bancroft Scott <[EMAIL PROTECTED]> writes: > > >Since February I and others in the ITU-T ASN.1 group have gone over the > >ASN.1 and encoding rule standards with a fine tooth comb looking for > >possible vulnerabilties, and we have come up with nothing. I was aware > >that the President's Critical Infrastructure Protection Board was > >investigating the threat to the U.S. and its allies posed by the newly > >detected security vulnerabilities, so I contacted key members of the > >Board to see if they were aware of any vulnerabilities in ASN.1 or BER. > >They responded that they are aware of flawed implementations, but no > >vulnerabilities in the ASN.1 or BER standards were found. > > For several years now I've been using a stripped-down version of the > dumpasn1 engine as a firewall for ASN.1 validity checking. Before > being passed to my code (which is itself heavily checked to make sure > it can't be exploited) all ASN.1-encoded data is passed by the firewall > to make sure it doesn't contain anything questionable. If it would > help, I can make this publicly available (the reason I haven't done so > already is that I didn't think there'd be much demand for it). > > Peter. -- Prof John Larmouth Larmouth T&PDS Ltd (Training and Protocol Development Services) 1 Blueberry Road Bowdon [EMAIL PROTECTED] Cheshire WA14 3LS Tel: +44 161 928 1605 England Fax: +44 161 928 8069
