oss-sec mailing list archives

Re: Thoughts on Shellshock and beyond


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 8 Oct 2014 21:31:37 -0700

Sure, agreed. I don't think the code / data catchphrase accurately
conveys this principle to developers, though =)

/mz

On Wed, Oct 8, 2014 at 9:03 PM, David A. Wheeler <dwheeler () dwheeler com> wrote:
I would take a functional approach to this: is there a way an attacker could
send data that would be misinterpreted as code? If so, could that harm
anything?

It is obviously much better if the communication does not use shared
resources (like the environment). But this is all logical - in the end all
of this is in the same memory. The goal is to maximize the separation enough
so that attackers cannot misuse it. The better the separation, the less risk
later.


--- David A. Wheeler

