How To Get MUMPS Thirty Years Later (or, Hacking The Government via FOIA'd Code)

Presented at DEF CON 30 (2022), Aug. 13, 2022, 11 a.m. (45 minutes).

In the 60s, engineers working in a lab at Massachusetts General Hospital in Boston invented a programming environment for use in medical contexts. This was before C, before the Unix epoch, before the concept of an electronic medical records system even existed. But if you have medical records in the US, or if you've banked in the US, it's likely that this language has touched your data. Since the 1960s, this language has been used in everything from EMRs to core banking to general database needs, and it is even available in apt to this day.

This is the Massachusetts General Hospital Utility Multi-Programming System. This is MUMPS.

This talk covers new research into common open-source MUMPS implementations, starting with an application that relies on MUMPS: the Department of Veterans Affairs' VistA EMR. We'll cover a short history of VistA before diving into its guts and examining MUMPS, the language that VistA was written in. Then we'll talk about 30 memory bugs discovered while fuzzing open-source MUMPS implementations before returning to VistA to cover critical vulnerabilities found in credential handling and login mechanisms. We'll close by taking a step back and asking questions about how we even got here in the first place, the right moves we made, and what we can do better.


Presenters:

  • Zachary Minneker - Senior Security Engineer, Security Innovation
    Zachary Minneker is a senior security engineer and security researcher at Security Innovation. His first computer was a PowerPC Macintosh, an ISA which he continues to defend to this day. At Security Innovation, he has performed security assessments on a variety of systems, including robots for kids, audio transcription codecs, and electronic medical systems. He has previous experience administering electronic medical systems, and deep experience in fuzzing, reverse engineering, and protocol analysis. His research has focused on techniques for in-memory fuzzing, IPC methods, and vulnerability discovery in electronic medical record systems and health care protocols. In his free time he works on music and synthesizers.
