[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 8 Oct 2014 21:31:37 -0700
From: Michal Zalewski <lcamtuf@...edump.cx>
To: "David A. Wheeler" <dwheeler@...eeler.com>
Cc: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Thoughts on Shellshock and beyond
Sure, agreed. I don't think the code / data catchphrase accurately
conveys this principle to developers, though =)
/mz
On Wed, Oct 8, 2014 at 9:03 PM, David A. Wheeler <dwheeler@...eeler.com> wrote:
> I would take a functional approach to this: is there a way an attacker could
> send data that would be misinterpreted as code? If so, could that harm
> anything?
>
> It is obviously much better if the communication does not use shared
> resources (like the environment). But this is all logical - in the end all
> of this is in the same memory. The goal is to maximize the separation enough
> so that attackers cannot misuse it. The better the separation, the less risk
> later.
>
>
> --- David A.Wheeler
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
