Date: Wed, 08 Oct 2014 20:11:43 -0400 (EDT) From: "David A. Wheeler" <dwheeler@...eeler.com> To: "oss-security" <oss-security@...ts.openwall.com> Subject: Re: Thoughts on Shellshock and beyond On Wed, 8 Oct 2014 14:53:44 -0700, Tracy Reed <treed@...raviolet.org> wrote: > While it is too late for our hardware etc. perhaps strong type systems such as > found in Haskell can help here? No. At least not in the sense of totally separating data and code. It's trivial to implement a language (say Lisp) inside Haskell, and then hand data to that implementation to be executed. That does not make Haskell *bad*; you can implement an interpreter in any Turing-complete language. And it's absurd to say "NEVER mix data and code" - it's sometimes the right approach to use. But mixing code with data is probably an *overused* approach, given the risks that come with it. We need to help developers know what is safe, and what is less safe. Then they can avoid easily-avoided problems, and know when they have extra work to do. --- David A. Wheeler
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ