back to article Guilt by ASN: Compiler's bad memory bug could sting mobes, cell towers

A vulnerability in a widely used ASN.1 compiler isn't a good thing: it means a bunch of downstream systems – potentially mobile phones and cell towers – will inherit the bug. And an ASN.1 bug is what the Sadosky Foundation in Argentina has turned up, in Objective Systems' software. The research group's Lucas Molas says …

  1. This post has been deleted by its author

    1. bazza Silver badge

      Re: wow

      Hmm, I'm not sure that selection of Objective System's tools would count as going with the lowest bidder. Choosing one of the crummy toolsets for ASN.1 would be that.

      Looking at the advisory reveals that the bug affects their C/C++ toolset. That'll be the one in mobile phones, etc. I've used that one quite extensively too, though not with my current employer, but generally found the experience to be good. I hope former chums are keeping their eyes peeled...

      And whilst the advisory explores the behaviour of the code on Windows, that runtime compiles up from a common source code base for every platform. So the bug will likely be present on anything that uses C/C++. That area of the runtime is also very ancient now, so I expect it's affects far more than this single version of the code.

      The one good thing is that that toolset has been very stable for a long time, In theory fixing affected products is simply a case of upgrading and recompiling. I'm not anticipating any remedial coding work being required by developers who have used it.

      ASN.1 remains one of the most useful old technologies out there. It leaves Google Protocol Buffers standing (in fact GPB are slowly adopting most of the useful features found in ASN.1). The only other serialisation technologies that are roughly comparable are XSD (XML schemas) and JSON schemas. Why? These three are the only ones where it is possible to define size and value constraints on message fields.

      If used, size and value constraints allow one to automatically defend oneself against buffer overruns, etc. Ironic, isn't it?

      (ps. I don't work and haven't worked for Objective Systems).

      1. asdf

        Re: wow

        well said I stand corrected. My guess we have had very buggy software around us (at least last two decades) and yes complexity is increasing (so bugs probably are too) but probably the main thing that changed is we have more people using better techniques looking for security holes for a living now.

  2. Christian Berger

    This wouldn't be much of an issue...

    if "smartphone" vendors wouldn't allow the GSM baseband access to the RAM of the application processor. Or if GSM cards for PCs wouldn't be connected via PCI or USB.

    (Yes I know, this doesn't affect GSM as such, but I'm using GSM as a general name for mobile communications networks. GSM doesn't use ASN.1)

    1. Anonymous Coward
      Anonymous Coward

      Re: This wouldn't be much of an issue...

      ASN.1 is used throughout industry, not just the mobile space. (Bad decoders have been exploited elsewhere.)

      1. Christian Berger

        Re: This wouldn't be much of an issue...

        Yes, but seriously in many situations you just hand craft your code for the few messages you need to decode. Unless of course you are in a area where you can afford to license such a compiler and need to parse many of those messages.

    2. yaronf

      Re: This wouldn't be much of an issue...

      But of course ASN.1 is used in GSM. It is used in old wireline telephony (ISUP and INAP), and GSM inherits much of that.

  3. Anonymous Coward
    Anonymous Coward

    That DER is not good

    BER with me today.

    1. Synonymous Howard

      Re: That DER is not good

      I CER what you did there.

  4. oldcoder

    And yet - ASN.1 "compilers" exist. It IS a language.

    1. Anonymous Coward
      Anonymous Coward

      Well, technically it is a schema: http://www.itu.int/en/ITU-T/asn1/Pages/introduction.aspx

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon