[Cryptech Tech] CVE-2015-5291: remote heap corruption in ARM mbed TLS / PolarSSL

[Rob Austein]

At Tue, 20 Oct 2015 06:25:22 +0200, Peter Stuge wrote:
> 
> Paul Selkirk wrote:
> > In fact, we may not even end up using mbed per se. I'm keeping an open
> > mind, but I'm leaning to Fredrik's model of using the underlying CMSIS
> > libraries directly.
> 
> And yet another option, maybe even preferable, is to skip all
> dependencies outright and simply make a cryptech-specific
> minimalistic abstraction for the controller hardware.
> 
> (No, for all you who have not done embedded work, that does not
> mean having to write a whole operating system. :)

Um, between us, Paul and I have spent about twenty years in that
space, much of it in an environment where all our code needed was a
clock tick, a network driver (usually Ethernet) and a memory
allocator.  So you're preaching to the choir there.

That said, we need to avoid getting sucked too far into the trap of
reinventing every wheel.  We have limited budget and need to use it
wisely, so if something off the shelf will serve our purposes and
saves us time, we should at least consider using it.

> I don't think it would be very many lines of code per platform, and
> would have the benefit of very easily supporting more architectures
> than just one.

Maybe, maybe not.  That's why we're keeping our options open.