[Cryptech Tech] CVE-2015-5291: remote heap corruption in ARM mbed TLS / PolarSSL

Peter Stuge peter at stuge.se
Tue Oct 20 16:28:54 UTC 2015


Rob Austein wrote:
> > And yet another option, maybe even preferable, is to skip all
> > dependencies outright and simply make a cryptech-specific
> > minimalistic abstraction for the controller hardware.
> > 
> > (No, for all you who have not done embedded work, that does not
> > mean having to write a whole operating system. :)
> 
> Um, between us, Paul and I have spent about twenty years in that
> space, much of it in an environment where all our code needed was a
> clock tick, a network driver (usually Ethernet) and a memory
> allocator.  So you're preaching to the choir there.

Full ack. I should have written "for those of you" - I know that
there's a mixed crowd.


> That said, we need to avoid getting sucked too far into the trap of
> reinventing every wheel.  We have limited budget and need to use it
> wisely, so if something off the shelf will serve our purposes and
> saves us time, we should at least consider using it.

Yes, I completely agree. It just has to save time, and not cost time.


> > I don't think it would be very many lines of code per platform, and
> > would have the benefit of very easily supporting more architectures
> > than just one.
> 
> Maybe, maybe not.  That's why we're keeping our options open.

What periphery is being used so far?


//Peter

