Date: Wed, 8 Oct 2014 21:31:37 -0700 From: Michal Zalewski <lcamtuf@...edump.cx> To: "David A. Wheeler" <dwheeler@...eeler.com> Cc: oss-security <oss-security@...ts.openwall.com> Subject: Re: Thoughts on Shellshock and beyond Sure, agreed. I don't think the code / data catchphrase accurately conveys this principle to developers, though =) /mz On Wed, Oct 8, 2014 at 9:03 PM, David A. Wheeler <dwheeler@...eeler.com> wrote: > I would take a functional approach to this: is there a way an attacker could > send data that would be misinterpreted as code? If so, could that harm > anything? > > It is obviously much better if the communication does not use shared > resources (like the environment). But this is all logical - in the end all > of this is in the same memory. The goal is to maximize the separation enough > so that attackers cannot misuse it. The better the separation, the less risk > later. > > > --- David A.Wheeler
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.