Weekly Edition
Return to the Development pageRecent Features
| |||||||||||||
The Robustness Principle Reconsidered (CACM)
Eric Allman takes
another look at Postel's law ("be conservative in what you send,
liberal in what you accept") in the Communications of the ACM. "For
many years the Robustness Principle was accepted dogma, failing more when
it was ignored rather than when practiced. In recent years, however, that
principle has been challenged. This isn't because implementers have gotten
more stupid, but rather because the world has become more hostile. Two
general problem areas are impacted by the Robustness Principle: orderly
interoperability and security."
(Log in to post comments)
I disagree with his conclusion Posted Jul 27, 2011 18:08 UTC (Wed) by HelloWorld (guest, #56129) [Link] Towards the end of the article, he asserts thatbeing liberal in what you accept is part of what allows protocols to be extended.I disagree with this. Protocols should be designed with extensibility in mind. Most of the time, this is easy to do: just negotiate what version of the protocol to use as you establish a connection, or use a mechnism like X11 (or Wayland) protocol extensions. In other cases, it may not be as easy, but relying on the liberal interpretation of incoming data by older implementations seems like a rather poor migration path to me.
I disagree with his conclusion Posted Jul 27, 2011 18:22 UTC (Wed) by raven667 (subscriber, #5198) [Link]
Maybe for different kinds of protocols but it seems this method is used in software all the time for libraries and syscalls and such, defining a bunch of empty attributes when the interface is designed that can be filled in as needed later.
I disagree with his conclusion Posted Jul 28, 2011 13:12 UTC (Thu) by jch (guest, #51929) [Link]
> Most of the time, this is easy to do: just negotiate what version of the protocol to use as you establish a connection, or use a mechnism like X11 (or Wayland) protocol extensions.
In low-level networking, especially when intermediary routers don't have any per-flow or per-connection state, that seldom works.
The best known case is that of ECN. ECN uses two bits in the IP header that were previously defined as "Must Be Zero" (MBZ), meaning that they should be sent as 0 and ignored on reception. Unfortunately, a lot of so-called "security" software has chosen to drop all packets where MBZ bits are non-zero, or to reset the MBZ bits if they are set. Cue a decade of pain, and ECN is not even widely deployed yet.
https://dev.openwrt.org/ticket/3001
--jch
I disagree with his conclusion Posted Jul 28, 2011 14:47 UTC (Thu) by HelloWorld (guest, #56129) [Link]
> The best known case is that of ECN. ECN uses two bits in the IP header that were previously defined as "Must Be Zero" (MBZ), meaning that they should be sent as 0 and ignored on reception.
This is the kind of thing I had in mind when I said protocols should be designed for extensibility. The crux of the matter is that the specification must actually say that MBZ bits must be ignored even if they're not zero. In other words, if you want to rely on the robustness principle in order to provide an upgrade path to a newer revision of a standard, then the standard should specify which flags, fields etc. should be treated liberally and what "liberal" is supposed to mean in that context. It shouldn't just be a quality of implementation issue.
The Robustness Principle Reconsidered (CACM) Posted Jul 27, 2011 18:26 UTC (Wed) by dlang (✭ supporter ✭, #313) [Link]
being 'liberal in what you accept' assumes that you properly handle whatever it is that you do accept.
if you do so, then it's not a direct security risk.
the only security 'risk' here is that by not rejecting slightly malformed data that you could safely accept, you won't reject connections from faulty programs (or people pretending to be programs). This isn't in itself a problem, but it means that you may not get advance notice that people are sending you 'odd' things.
The Robustness Principle Reconsidered (CACM) Posted Jul 27, 2011 18:53 UTC (Wed) by epa (subscriber, #39769) [Link]
You may properly handle it, but other software might not. So if you are processing a message to forward it somewhere else, being liberal might mean you expose a security hole in some other (perhaps more privileged) code.
A lot of the article is written from the point of view of sendmail and with the idea of not just receiving or generating messages, but also forwarding them. If you are an endpoint only, things are simpler.
The Robustness Principle Reconsidered (CACM) Posted Jul 27, 2011 19:12 UTC (Wed) by oblio (guest, #33465) [Link]
"
being 'liberal in what you accept' assumes that you properly handle whatever it is that you do accept.
if you do so, then it's not a direct security risk.
Security is all about "default deny". I think it's safe to say that from a security point of view it's just better to drop everything you don't understand/know instead of accepting everything thrown your way and trying to treat all the exceptions, i.e. "default allow".
The Robustness Principle Reconsidered (CACM) Posted Jul 27, 2011 23:13 UTC (Wed) by dlang (✭ supporter ✭, #313) [Link]
> Security is all about "default deny". I think it's safe to say that from a security point of view it's just better to drop everything you don't understand/know instead of accepting everything thrown your way and trying to treat all the exceptions, i.e. "default allow".
you are slightly misunderstanding what I'm saying.
you don't just accept anything, but if you can figure out what is intended, accepting that and fixing it instead of rejecting it does not cause a security problem
accepting anything and only fixing 'known broken' things _does_ cause problems.
accepting what's right, plus other things that are wrong per the spec, but can be fixed does not cause the same problems
The Robustness Principle Reconsidered (CACM) Posted Jul 28, 2011 3:36 UTC (Thu) by oblio (guest, #33465) [Link]
Well, you are probably right, but I'd rather have my protocol not try to "figure out what is intended", since errors come in all shapes and sizes and it's probably better for a human to correct errors, and just have the protocol reject anything it doesn't understand.
Of course, when you're trying to promote/sell something, sometimes it's better to be lenient, it helps with adoption. Look at HTML - the bane of browser makers everywhere.
The Robustness Principle Reconsidered (CACM) Posted Jul 28, 2011 7:18 UTC (Thu) by gowen (guest, #23914) [Link] being liberal might mean you expose a security hole in some other (perhaps more privileged) code.We need only add another rule to prevent that. I was thinking something along the lines of "be conservative in what you send". Note that "send" is a superset of "forward".
The Robustness Principle Reconsidered (CACM) Posted Jul 27, 2011 19:49 UTC (Wed) by aaron (subscriber, #282) [Link]
"Be pedantic in what you accept,
and arbitrarily brutal in what you send" -- Malcolm Ray
The Robustness Principle Reconsidered (CACM) Posted Jul 27, 2011 21:23 UTC (Wed) by wahern (subscriber, #37304) [Link]
That's actually a decent approach if you're the first implementation out the door or have the most market share. If you're a closed source vendor it means you secure your ability to extend the protocol while forcing others to perpetually play catch-up. If you're a free software vendor it means you can prevent closed source vendors from embracing+extending+excluding.
The Robustness Principle Reconsidered (CACM) Posted Aug 1, 2011 14:05 UTC (Mon) by nix (subscriber, #2304) [Link]
And if you are chiark.greenend.org.uk it means you can feel superior when you bounce email from MS Exchange users and, well, virtually everyone else ;}
(amazingly it has been some years since SAUCE@chiark has bounced any email from me. I can only presume that I have done *something* right, but I have no idea what.
I wonder if anyone else is using SAUCE? It *is* official GNU software and everything.)
The Robustness Principle Reconsidered (CACM) Posted Aug 8, 2011 14:02 UTC (Mon) by stevem (subscriber, #1512) [Link]
*grin*
SAUCE has a habit of eating mail from certain people, even to the extent that nobody can work out why...
The Robustness Principle Reconsidered (CACM) Posted Jul 27, 2011 23:54 UTC (Wed) by PaulWay (✭ supporter ✭, #45600) [Link]
It seems to me that the problem here isn't the robustness principle per se, but that any flexibility comes at a cost. It's harder to write code that interprets variable-length headers versus fixed-length headers, for example. And it's also costly because that flexibility allows other people to complicate things.
The cost is incurred in those trying to obey the robustness principle. Those who assume that a reserved field can be used for their own principle aren't obeying it, but they're passing the likelihood of failure onto the people that obey it. As Eric says, reserved fields have been reused for proprietary vendors' own purposes, usually to exclude other implementations that don't make the assumptions (i.e. are more liberal) about that field's meaning. This is not the fault of the robustness principle per se, it's ultimately the fault of the abuser of the standard, even if they want to then hide behind it and say 'well, the standard doesn't say what that reserved field is for'.
Ultimately the process of setting these protocol standards and their implementation has to take place in the open. Trying to bastardise the standard for corporate gain may work in the short term but - crucially - it doesn't invalidate the original standard or the other implementations. Sometimes these abusive implementations gain some traction but rarely because of their changes to the standard per se - usually more because it's a large company foisting their adgerware on everyone else. The implementations that survive, ultimately, are the ones that are flexible and obey the robustness principle.
Have fun,
Paul
Specifications are important Posted Jul 28, 2011 16:50 UTC (Thu) by dskoll (subscriber, #1630) [Link] I think it's important for specifications to say exactly what conforming implementations must do with reserved fields. For example, saying "Bits 7 and 8 are reserved for future use" is no good. A spec should say "Bits 7 and 8 are reserved for future use and MUST be set to zero unless and until a future version of this protocol specifies otherwise." That way, implementations that don't zero the bits can legitimately be considered non-conforming. Additionally, protocols should have version numbers so that when a use for the reserved bits comes along, the version number is incremented. Implementations can then enforce the fact that the bits must be zero for versions < N_flagday.
Specifications are important Posted Jul 29, 2011 10:44 UTC (Fri) by paulj (subscriber, #341) [Link]
Actually, that informal kind of specification is part of the problem. I think protocol creators need to realise that what they're doing is creating a *language* and thus make use of the knowledge built-up elsewhere on formal language grammar specifications.
Specifications are important Posted Jul 29, 2011 13:56 UTC (Fri) by dskoll (subscriber, #1630) [Link] A formal specification language can help, but it's not the final answer. After all, computer programs themselves are written using languages with highly-specified formal languages, yet somehow lack a reputation for being bug-free. The real problem is people. They will game the system. So you have to design a system that's as hard to game as possible and that makes it patently obvious when someone is gaming the system. Reserved fields in protocols are a bad idea. It's better to use something like a tag-length-value system with concrete specifications about how to handle unknown tags. IPv6 has moved in that direction with the concept of a "Next-Header" field rather than IPv4's reserved bits.
Specification Bad, Test Suite Good Posted Jul 29, 2011 8:00 UTC (Fri) by elanthis (guest, #6227) [Link]
The _real_ problem is that too many people try to write up paper documents filled with prose and other vagueness in order to make sure everyone writes conforming software.
The correct thing to do is to develop a test suite. The specification exists to tell developers what direction to head in, but there should be a real "does it actually work the way we intended or doesn't it" test case that can be applied to any implementation.
In the real world, test cases are what the actual developers and engineers use. "Does it load in IE." "Does it boot Windows." "Does it play sound from the iPod." The difference is that these would-be tests are unofficial and may contain non-conforming behavior which then become de facto standards of their own. Not least of all because there were no official tests for those devices, so they all got developed by testing on random bits of existing software/hardware that were popular at the time.
An API or a hardware interface needs to have extensive and exhaustive implementations of both sides of the interface available to implementors. Anything else is just going to result in the mess that pretty much every well-known standard has gotten itself in.
It's worth noting then that the "Robustness Principle" kind of changes meaning. You should absolutely _not_ be liberal in what you accept; you should be conservative and accept only what the test suite forces you to accept. That test suite however should be testing to ensure that fields reserved for future use are ignored or passed through as desired.
Specification Bad, Test Suite Good Posted Jul 29, 2011 13:58 UTC (Fri) by dskoll (subscriber, #1630) [Link] I agree that a test suite is a very good idea, but as an add-on to a human-readable specification, not as a substitute. It's very hard to reverse-engineer a test suite into an implementation. It's much easier to develop an implementation based on a spec and then fix it until it passes the test suite (assuming the spec and the test suite don't actually have any areas of disagreement. :))
The Robustness Principle Reconsidered (CACM) Posted Aug 1, 2011 14:11 UTC (Mon) by magnus (subscriber, #34778) [Link]
Technically-minded people sometimes seem to forget that standards are not actually laws, and no matter how many times you write MUST and SHALL they are still just design aiding documentation. Therefore I think providing rationale and explanations for the spec points to avoid misunderstanding is much more important than pseudo-legal wording.
Free-software people and hobbyists usually follow standards very well voluntarily because it feels good to solve a problem correctly once and for all. You can not rely on this in a commercial setting, so standards need to be written with market pressures taken into account. The extra work and money required to meet the standard completely compared to just working today needs to be minimized, to zero preferably.
Ready-to-use free test suites and reference implementations can be extremely helpful in that regard. IIRC the USB standard had an interesting approach, where you are not allowed to carry the logo unless your hardware can pass the test suite. This creates another commercial incentive to meet the spec.
Rose's Corollary Posted Aug 1, 2011 16:55 UTC (Mon) by piggy (subscriber, #18693) [Link]
At the first SCTP interop, I learned about Marshall Rose's corollary to Postel's Law: At any interop you want at least one non-Postelian implementation.
We had such an implementation. It was ultra-strict in what it would accept. It uncovered a large number of issues with everybody's implementations (including the reference) and a few problems with the spec itself.
|
|||||||||||||