Hello,

Tomorrow I will release a new pcsc. It is version 0.6.5; it will have
a lot of fixes including:

Coding practices: initialized vars, proper pointer mgmt, buffer zeroing
so that temp APDU buffers don't disclose any secret information. Removed
dangerous references to pointers for ID. Used randomization for contexts
to make context stealing more difficult.

Security issues: ability to restrict local host only.

Disconnect: Reset on disconnect if last context.

Some Attack Defenses:
If the server spawns 16 threads, it logs the remote host and denies any
more spawns. It also will not accept more than 16 simultaneous
connections. If 16 are made, then the server sleeps for 1 second before
looking for requests and cleans up any zombies. Basically it lets the OS
take the attack and ignores it.

Security in place: I have put in place a framework for encrypting APDUs
and hashing them so that they are never in plain text.

I will be adding SCardReconnect early next week - I don't have my MSDN CD
on me now.  I will be adding config file support for all this.

Currently, I'm in San Jose at the Apple Dev Conference. If any of you are
here and want to talk, give me a call: 765-427-5147. Most of the time I am
in the hotel coding...

I won't be checking my email very often since it is expensive and I
have no money, so if you have any suggestions please call me.

Regards,
Dave


*************************************************************
David Corcoran                 Internet Security/Smartcards

Home:                          Purdue University
1008 Cherry Lane               Department of Computer Science
West Lafayette, IN 47906       
Home: (765) 463-0096
Cell: (317) 514-4797

http://www.linuxnet.com

*************************************************************

***************************************************************
Linux Smart Card Developers - M.U.S.C.L.E.
(Movement for the Use of Smart Cards in a Linux Environment)
http://www.linuxnet.com/smartcard/index.html
***************************************************************
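The buffer-zeroing item in the message above (temp APDU buffers must not disclose secrets) hides a common pitfall: a plain memset on a buffer that is never read again is a dead store the compiler may delete. The following is an added example, not pcsc code; the transmit wrapper, the per-context scratch buffer, the APDU_MAX size and the fake reader layer are assumptions, and the VERIFY APDU is a constructed sample.

```c
/* Added example: clearing a temporary APDU buffer so it cannot leak a PIN.
 * Not pcsc code; names and the scratch-buffer convention are assumptions. */
#include <stddef.h>
#include <string.h>

#define APDU_MAX 261 /* assumed: header (4) + Lc + 255 data + Le */

typedef int (*send_fn)(const unsigned char *apdu, size_t len);

/* Writing through a volatile pointer keeps every byte of the wipe; the
 * optimizer is not allowed to drop these stores as dead. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Checks that a buffer is all zero without an early exit. */
static int buffer_is_clear(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Hypothetical transmit wrapper: stages the caller's APDU (which may carry
 * a PIN or key) in a per-context scratch buffer, hands it to the reader
 * layer, and wipes the whole scratch buffer once the lower layer returns,
 * whether or not the send succeeded. Returns 0 on success, -1 if the APDU
 * does not fit, otherwise the lower layer's error code. */
static int transmit_apdu(send_fn send, const unsigned char *apdu, size_t len,
                         unsigned char *scratch, size_t scratch_len)
{
    int rc;
    if (len > scratch_len || len > APDU_MAX)
        return -1;
    memcpy(scratch, apdu, len);
    rc = send(scratch, len);
    secure_zero(scratch, scratch_len); /* wipe all of it, not just len */
    return rc;
}

/* Constructed stand-in for the reader driver: records what it was handed. */
static size_t fake_send_len;
static unsigned char fake_send_copy[APDU_MAX];
static int fake_send(const unsigned char *apdu, size_t len)
{
    fake_send_len = len;
    memcpy(fake_send_copy, apdu, len);
    return 0;
}
```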
