Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 8 Oct 2014 21:31:37 -0700
From: Michal Zalewski <>
To: "David A. Wheeler" <>
Cc: oss-security <>
Subject: Re: Thoughts on Shellshock and beyond

Sure, agreed. I don't think the code / data catchphrase accurately
conveys this principle to developers, though =)


On Wed, Oct 8, 2014 at 9:03 PM, David A. Wheeler <> wrote:
> I would take a functional approach to this: is there a way an attacker could
> send data that would be misinterpreted as code? If so, could that harm
> anything?
> It is obviously much better if the communication does not use shared
> resources (like the environment). But this is all logical - in the end all
> of this is in the same memory. The goal is to maximize the separation enough
> so that attackers cannot misuse it. The better the separation, the less risk
> later.
> --- David A.Wheeler

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.