[langsec-discuss] Fwd: ShellShock bug and langsec relation

Sergey Bratus sergey at cs.dartmouth.edu
Fri Sep 26 18:32:02 UTC 2014

On Fri, 26 Sep 2014, Jacob Torrey wrote:

> Comes down to the basics, not treating data as formally as we do code, and
> allowing the data to drive "weird machine" behavior. If Bash had a stricter
> parser for its input, it wouldn't be an issue.

Very true. The LangSec implication of "any input is a program" is almost 
trivial here: input placed in environment variables was not just driving 
some state changes in the consuming software logic, but evaluated as shell 
commands, straight up!

As we are working on LangSec guidelines for code review, one item is very 
clear: identifying the parts of the target that directly receive inputs 
and interpret them. In the LangSec threat/attack model, input is the 
program and the input-handling code is the interpreter for that program; 
thus a general description of how the interpreter works is a good starting 
point. In many cases, the workings of the input-driven computation are 
relatively obscure and include memory corruption and other hallmarks of 
"weird machines", etc. In the Shellshock case, that interpreter works exactly 
as it does in the intended computation case :)

Thank you,


Applying this

> On Fri, Sep 26, 2014 at 11:18 AM, Sashank Dara <krishna.sashank at gmail.com>
> wrote:
>> Hi,
>> By now, some of you would have heard about the Shellshock bug identified
>> and making circles.
>> Below is the environment setting command that has a bug.
>> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>> Source:
>> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>> Now, from a LangSec perspective, how do we explain this, anybody?
>> Regards,
>> Sashank
>> http://lnkd.in/88sgfr
>> _______________________________________________
>> langsec-discuss mailing list
>> langsec-discuss at mail.langsec.org
>> https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
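
Added example, not part of the original thread and not Bash's code: a toy Python model of the point made in the replies above, contrasting an importer that acts on a value as soon as it sees the `() {` prefix with one that recognizes the complete value first. The grammar, the function names (`loose_import`, `strict_import`, `audit`) and the sample environment are assumptions made for illustration; nothing is executed, commands are only recorded.

```python
import re

PREFIX = "() {"  # marker that opens the value in the command quoted in the thread

# Assumed toy grammar (not Bash's): "() {" cmd (";" cmd)* [";"] "}" and nothing after.
CMD = r"[A-Za-z0-9_:./ -]+"
DEFINITION = re.compile(r"\(\) \{" + CMD + r"(?:;" + CMD + r")*;?\}")


def loose_import(value):
    """Model of the flaw: the prefix picks the code path, then the whole value
    is evaluated. Returns the commands evaluated at import time (recorded only,
    nothing is executed here)."""
    if not value.startswith(PREFIX):
        return []
    end = value.find("}")  # toy evaluator: the body ends at the first "}"
    rest = value[end + 1:] if end != -1 else ""
    return [c.strip() for c in rest.split(";") if c.strip()]


def strict_import(value):
    """Recognize the complete value against the grammar before acting on it."""
    if not value.startswith(PREFIX):
        return "data"
    return "function" if DEFINITION.fullmatch(value) else "rejected"


def audit(env):
    """Run both importers over an environment mapping and pair their results."""
    return {name: (loose_import(v), strict_import(v)) for name, v in env.items()}


# Constructed sample environment; the value of x is the one from the quoted command.
SAMPLE_ENV = {
    "x": "() { :;}; echo vulnerable",
    "greet": "() { echo hello; }",
    "TERM": "xterm-256color",
}

if __name__ == "__main__":
    for name, (ran, verdict) in audit(SAMPLE_ENV).items():
        print(f"{name}: loose importer evaluated {ran}, strict importer says {verdict}")
```

The strict importer rejects the value of `x` because text remains after the closing brace, which is exactly the part the loose importer goes on to evaluate.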
