oss-sec mailing list archives
Re: Thoughts on Shellshock and beyond
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Tue, 7 Oct 2014 08:39:26 -0700
> So in short: you need to design and implement interfaces for every program which enforce explicit security boundaries. [...] I know this means re-implementing almost all code out there.
Well, that's the thing: ideas that sound good on paper are a dime a dozen. Most of them have been tried, too: people have designed systems that fit Bell-LaPadula, created languages like Ada, reinvented the web to strictly isolate code & data and each site from each other, etc. Sometimes, efforts like this fail simply due to bad timing or bad luck; but most of the time, they just produce solutions that are unusable, unappealing, or otherwise difficult to work with. Usable and practical security is hard, and we don't really have all the answers there - we can barely scratch the surface today.
/mz