oss-sec mailing list archives

Re: Thoughts on Shellshock and beyond


From: "David A. Wheeler" <dwheeler () dwheeler com>
Date: Tue, 07 Oct 2014 07:59:05 -0400

* Heartbleed is an out of bounds memory read. Well understood and yes,
  it should be possible to implement mitigations against these kinds of
  things.

It is not only possible, I have already posted a list of ways to find Heartbleed:
http://www.dwheeler.com/essays/heartbleed.html

I think identifying specific ways to counter classes of vulnerabilities is really important.

What class of bug is Shellshock? "Weird feature invented in
  pre-Internet era"? How do you conquer this class of bugs?

I am still struggling with this one.  I am trying to create that list here:
http://www.dwheeler.com/essays/shellshock.html#detect-or-prevent

But to be honest, that list is pretty pathetic. This is a challenging class of vulnerability to detect or prevent ahead of time. Ideas would be very welcome.

--- David A. Wheeler
