Date: Wed, 8 Oct 2014 21:31:37 -0700
From: Michal Zalewski <lcamtuf@...edump.cx>
To: "David A. Wheeler" <dwheeler@...eeler.com>
Cc: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Thoughts on Shellshock and beyond

Sure, agreed. I don't think the code / data catchphrase accurately
conveys this principle to developers, though =)

/mz

On Wed, Oct 8, 2014 at 9:03 PM, David A. Wheeler <dwheeler@...eeler.com> wrote:
> I would take a functional approach to this: is there a way an attacker could
> send data that would be misinterpreted as code? If so, could that harm
> anything?
>
> It is obviously much better if the communication does not use shared
> resources (like the environment). But this is all logical - in the end all
> of this is in the same memory. The goal is to maximize the separation enough
> so that attackers cannot misuse it. The better the separation, the less risk
> later.
>
>
> --- David A. Wheeler