Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 8 Oct 2014 21:31:37 -0700
From: Michal Zalewski <>
To: "David A. Wheeler" <>
Cc: oss-security <>
Subject: Re: Thoughts on Shellshock and beyond

Sure, agreed. I don't think the code / data catchphrase accurately
conveys this principle to developers, though =)


On Wed, Oct 8, 2014 at 9:03 PM, David A. Wheeler <> wrote:
> I would take a functional approach to this: is there a way an attacker could
> send data that would be misinterpreted as code? If so, could that harm
> anything?
> It is obviously much better if the communication does not use shared
> resources (like the environment). But this is all logical - in the end all
> of this is in the same memory. The goal is to maximize the separation enough
> so that attackers cannot misuse it. The better the separation, the less risk
> later.
> --- David A.Wheeler

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ