oss-sec mailing list archives

Re: Thoughts on Shellshock and beyond

From: "David A. Wheeler" <dwheeler () dwheeler com>
Date: Wed, 15 Oct 2014 07:49:10 -0400

Buffer reuse is common in languages with memory safety (so that I/O

throughput is not bounded by garbage collector throughput).  The impact 
is reduced (you only leak prior buffer contents, whatever that might be, 
not anything which happens to be in the vicinity on the heap).  But I 
don't think it's true that memory safety prevents such information leaks

Heartbleed definitely would have been countered by memory-safe languages.  NIST even demonstrated that address 
sanitizer countered it, which is direct experimental proof.  More info at http://www.dwheeler.com/essays/heartbleed.html



--- David A.Wheeler

Current thread:

Re: Thoughts on Shellshock and beyond, (continued)
- - - Re: Thoughts on Shellshock and beyond Tim (Oct 08)
    - Re: Thoughts on Shellshock and beyond John Haxby (Oct 09)
    - Re: Thoughts on Shellshock and beyond Kobrin, Eric (Oct 09)
    - Re: Thoughts on Shellshock and beyond Stephane Chazelas (Oct 08)
    - Re: Thoughts on Shellshock and beyond David A. Wheeler (Oct 08)
    - Re: Thoughts on Shellshock and beyond Tim (Oct 08)
- Re: Thoughts on Shellshock and beyond Michal Zalewski (Oct 07)
- Re: Thoughts on Shellshock and beyond David A. Wheeler (Oct 14)
  - Re: Thoughts on Shellshock and beyond Robert Watson (Oct 14)
  - Re: Thoughts on Shellshock and beyond Florian Weimer (Oct 15)
    - Re: Thoughts on Shellshock and beyond David A. Wheeler (Oct 15)