comp.lang.ada
From: "Randy Brukardt" <randy@rrsoftware.com>
Subject: Re: Web Development Using Ada?
Date: Mon, 5 Aug 2013 23:43:24 -0500
Message-ID: <ktputc$fih$1@loke.gir.dk>
In-Reply-To: op.w0w1zhgxule2fv@cardamome


"Yannick Duchêne (Hibou57)" <yannick_duchene@yahoo.fr> wrote in message
news:op.w0w1zhgxule2fv@cardamome...
On Sun, 28 Jul 2013 05:03:51 +0200, Randy Brukardt <randy@rrsoftware.com>
wrote:
>> OTOH, if you execute a shell, if an attacker can find a way to pass
>> information to that shell, they might be able to do anything. Apache has
>> fixed many such bugs. It's better if there are no shell outs. It's even
>> better if the capability to do shell outs isn't even in the code (since some
>> attacks require executing existing code in unusual ways - if the process
>> doesn't have any code that can shell out, such attacks can't shell out
>> either).
>
>What's "shell out" in this context? A server, or anything responding to a
>request, has no reason to have any connection to the shell.

Anything that requires executing another piece of code (for instance, 
launching a Python interpreter to execute Python code). If one keeps the 
entire server in Ada, then the capability of launching another program is 
not even in the code, making attacks via return modification impossible (and 
these are the attacks which get around techniques to prevent code injection, 
such as DEP on Windows).

                                  Randy.


-- 
"Syntactic sugar causes cancer of the semi-colons." [1]
"Structured Programming supports the law of the excluded muddle." [1]
[1]: Epigrams on Programming - Alan J. - P. Yale University 
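The point Randy makes above, that a process with no code path for launching another program gives a return-hijacking attacker nothing to shell out through, can be checked on the finished executable rather than taken on trust. The following is an added example, not code from this thread or from any Ada project: it scans `nm` output for the symbols that create processes, whether imported from libc or linked in statically with the GNAT runtime. The symbol lists (glibc exec family, the `__gnat_portable_spawn` helpers behind `GNAT.OS_Lib.Spawn`, MSVCRT/Win32 names) are my assumptions for common toolchains and are not exhaustive, and `audit_binary` assumes GNU `nm` is on PATH.

```python
"""Flag process-spawning symbols in a built binary (added audit example; the
symbol lists are an assumption and GNU nm is assumed on PATH)."""
import re
import subprocess
# libc/POSIX calls that run a command or create a process (fork/vfork: prelude to exec)
SPAWN_SYMBOLS = {"system", "popen", "fork", "vfork", "posix_spawn", "posix_spawnp",
                 "execl", "execlp", "execle", "execv", "execvp", "execvpe", "execve"}
# GNAT.OS_Lib.Spawn helpers; the GNAT runtime is usually static, so these are *defined*
GNAT_SPAWN_SYMBOLS = {"__gnat_portable_spawn", "__gnat_portable_no_block_spawn"}
# MSVCRT _spawn*/_exec* family and Win32 process-creation APIs
WIN_SPAWN_RE = re.compile(
    r"^(?:(?:spawn|exec)[lv]p?e?|CreateProcess[AW]|WinExec|ShellExecute(?:Ex)?[AW])$")
NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+\s+)?([A-Za-z?])\s+(\S+)$")  # addr? type name
# Constructed nm output standing in for a real server binary
SAMPLE_NM = """                 U system@GLIBC_2.2.5
                 U printf@GLIBC_2.2.5
0000000000401136 T __gnat_portable_spawn
                 U __imp__CreateProcessA@40"""

def classify_symbol(name):
    """Return why `name` can spawn a process, or None if it cannot."""
    base = name.split("@", 1)[0]              # drop @GLIBC_x.y / stdcall @N suffix
    if base.startswith("__imp_"):             # MinGW import-table thunk
        base = base[len("__imp_"):]
    forms = {base, base[1:]} if base.startswith("_") else {base}  # Mach-O/Win32 '_' prefix
    if forms & SPAWN_SYMBOLS:
        return "libc process creation"
    if base in GNAT_SPAWN_SYMBOLS:
        return "GNAT.OS_Lib.Spawn runtime helper"
    if any(WIN_SPAWN_RE.match(f) for f in forms):
        return "Windows process creation"
    return None

def audit_nm_output(text):
    """Map spawn-capable symbols in nm output to a reason; 'U' = load-time import."""
    found = {}
    for line in text.splitlines():
        m = NM_LINE.match(line.strip())
        reason = classify_symbol(m.group(2)) if m else None
        if reason:
            kind = "imported" if m.group(1) == "U" else "linked in"
            found[m.group(2).split("@", 1)[0]] = f"{reason} ({kind})"
    return found

def audit_binary(path):
    """Audit a real file: merge nm's dynamic (-D) and full symbol tables."""
    runs = [subprocess.run(["nm", *f, path], capture_output=True, text=True)
            for f in (["-D"], [])]
    return audit_nm_output("\n".join(r.stdout for r in runs if r.returncode == 0))
```

An empty result from `audit_binary("./server")` is the property Randy describes; a non-empty one lists exactly which entry points an attacker who gains control of a return address could redirect execution into.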

