oss-sec mailing list archives
Re: Thoughts on Shellshock and beyond
From: Sven Kieske <svenkieske () gmail com>
Date: Thu, 09 Oct 2014 01:09:19 +0200
On 08.10.2014 23:53, Tracy Reed wrote:
> While it is too late for our hardware etc., perhaps strong type systems such as found in Haskell can help here? It is known to be very good at avoiding undefined or unexpected runtime behavior. Too late also for current languages to have this bolted on, but if anyone wanted to write "secure" software I'd be looking at languages which provide some more guarantees. Too late for bash also, of course, which I suppose points us back at the original problem.
Well, for web frameworks, just take Yesod (http://www.yesodweb.com/, written in Haskell) as an example. To quote their site: "Turn runtime bugs into compile-time errors".

I still think this is the right direction; yes, it's painful. But it's a real solution to a real (huge) fraction of the problem. IMHO, of course; please enlighten me with some counter-arguments.

Oh, here is one from myself: vendors are not liable, not even for the most serious software bugs, so there is no incentive for them to make better software. The software industry is, AFAIK, the only one which is not liable if they fuck their very own products up. Do this if you're building skyscrapers, cars, medical equipment, anything, and you go to jail.

The funny part is, these businesses do rely on software today, so if there's a bug, let's say in some construction software, and no one notices, the skyscraper architect might get sued and go to jail, but not the programmer/vendor who wrote that shitty code.

Software is too important to not have any rules in place. This was okay until the 90s (maybe), but not in the 21st century.

Regards

Sven

PS: fun fact, the only thing you _will_ get sued for is: software patents
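As an added illustration of the point made in the exchange above (this is example code written for this page, not something posted in the thread and not code from Yesod or bash), the following Haskell sketch encodes the trust boundary a CGI program crosses when it copies a request header into the environment of a child bash process, which is how Shellshock was reached remotely. The Untrusted and ShellSafe types, the vet function and its rejection policy are assumptions chosen for the example; the real fix for Shellshock was the bash patch, and this only shows how a type error can stand in for a runtime check that a programmer might forget to call.

```haskell
-- Added example (not from the original thread or from Yesod): making the
-- "forgot to validate before handing data to the shell" bug a compile-time
-- error instead of a runtime one. All names and the policy are assumptions.
module Main (main) where

import Data.List (isPrefixOf)

-- A value that came from outside the trust boundary (an HTTP header a CGI
-- gateway copies into an environment variable, a form parameter, ...).
-- In a real program the constructor would not be exported, so the only way
-- to obtain a ShellSafe value would be to go through `vet`.
newtype Untrusted = Untrusted String

-- A value that has been vetted for use in a shell-facing context.
newtype ShellSafe = ShellSafe String

-- Decide whether untrusted bytes may be handed to a child shell's environment.
-- Example policy (an assumption): reject the exported-function prefix that
-- Shellshock abused, plus a handful of expansion/redirection metacharacters.
-- Ordinary User-Agent strings with parentheses and semicolons still pass.
vet :: Untrusted -> Either String ShellSafe
vet (Untrusted s)
  | "() {" `isPrefixOf` dropWhile (== ' ') s = Left "rejected: bash function definition prefix"
  | any (`elem` metachars) s                 = Left ("rejected: shell metacharacter in " ++ show s)
  | otherwise                                = Right (ShellSafe s)
  where
    metachars = "`$|&<>\n"

-- Only vetted values can be placed into the environment of a child shell.
-- Passing an Untrusted here is a type error, so the missing check that made
-- Shellshock reachable through CGI cannot even be compiled.
exportForShell :: String -> ShellSafe -> String
exportForShell name (ShellSafe v) = name ++ "=" ++ v

-- exportForShell "HTTP_USER_AGENT" (Untrusted "x")
--   ^ does not compile: couldn't match expected type 'ShellSafe' with 'Untrusted'

-- Constructed sample headers: one benign, one the well-known Shellshock
-- test pattern, one attempting command substitution.
main :: IO ()
main = mapM_ demo
  [ "Mozilla/5.0 (X11; Linux x86_64)"
  , "() { :;}; echo vulnerable"
  , "$(id)"
  ]
  where
    demo hdr = case vet (Untrusted hdr) of
      Left err -> putStrLn ("header " ++ show hdr ++ " -> " ++ err)
      Right ok -> putStrLn ("header " ++ show hdr ++ " -> " ++ exportForShell "HTTP_USER_AGENT" ok)
```

Compile with `ghc Main.hs` (base only, no extra packages). The interesting property is not the blacklist in `vet`, which is deliberately simple, but that `exportForShell` cannot be called with raw input at all: whoever forgets the check gets a type error rather than a remotely exploitable gateway.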
Current thread:
- Re: Thoughts on Shellshock and beyond, (continued)
- Re: Thoughts on Shellshock and beyond Tim (Oct 08)
- Re: Thoughts on Shellshock and beyond David A. Wheeler (Oct 08)
- Re: Thoughts on Shellshock and beyond Tracy Reed (Oct 09)
- Re: Thoughts on Shellshock and beyond David A. Wheeler (Oct 09)
- Re: Thoughts on Shellshock and beyond Pavel Labushev (Oct 09)
- Message not available
- Re: Thoughts on Shellshock and beyond Florian Weimer (Oct 10)
- Re: Thoughts on Shellshock and beyond Pavel Labushev (Oct 11)
- Message not available
- Re: Thoughts on Shellshock and beyond Florian Weimer (Oct 12)
- Re: Thoughts on Shellshock and beyond John Haxby (Oct 12)
- Re: Thoughts on Shellshock and beyond Pavel Labushev (Oct 14)
- Re: Thoughts on Shellshock and beyond Sven Kieske (Oct 09)
- Re: Thoughts on Shellshock and beyond Michal Zalewski (Oct 09)
- Re: Thoughts on Shellshock and beyond Sven Kieske (Oct 09)
- liability (was: Re: Thoughts on Shellshock and beyond) Solar Designer (Oct 09)
- Re: liability dmc (Oct 09)
- Re: liability (was: Re: Thoughts on Shellshock and beyond) Źmicier Januszkiewicz (Oct 10)
- Re: Thoughts on Shellshock and beyond Tim (Oct 09)
- Re: Thoughts on Shellshock and beyond David A. Wheeler (Oct 09)
- Message not available
- Re: Thoughts on Shellshock and beyond Sven Kieske (Oct 09)
- Re: Thoughts on Shellshock and beyond Tim (Oct 08)
- Re: Thoughts on Shellshock and beyond Michal Zalewski (Oct 08)