You may properly handle it, but other software might not. So if you are processing a message to forward it somewhere else, being liberal might mean you expose a security hole in some other (perhaps more privileged) code.
A lot of the article is written from the point of view of sendmail and with the idea of not just receiving or generating messages, but also forwarding them. If you are an endpoint only, things are simpler.
Posted Jul 27, 2011 19:12 UTC (Wed) by oblio (guest, #33465)
> being 'liberal in what you accept' assumes that you properly handle whatever it is that you do accept.
> if you do so, then it's not a direct security risk.
Security is all about "default deny". I think it's safe to say that from a security point of view it's just better to drop everything you don't understand/know instead of accepting everything thrown your way and trying to treat all the exceptions, i.e. "default allow".
The Robustness Principle Reconsidered (CACM)
Posted Jul 27, 2011 23:13 UTC (Wed) by dlang (✭ supporter ✭, #313)
> Security is all about "default deny". I think it's safe to say that from a security point of view it's just better to drop everything you don't understand/know instead of accepting everything thrown your way and trying to treat all the exceptions, i.e. "default allow".
you are slightly misunderstanding what I'm saying.
you don't just accept anything, but if you can figure out what is intended, accepting that and fixing it instead of rejecting it does not cause a security problem.
accepting anything and only fixing 'known broken' things _does_ cause problems.
accepting what's right, plus other things that are wrong per the spec but can be fixed, does not cause the same problems.
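As an added illustration of the distinction drawn in this post (and of the "default deny" point in the post it replies to), not code from either poster or from sendmail: a small Python relay stub with two address-handling policies. The first accepts exactly what is right plus one deviation whose intent is unambiguous and rewrites it into a valid form; the second takes whatever arrives, repairs only the defect it knows about, and forwards the rest untouched. The address grammar, the helper names and the sample inputs are constructed for the example and are deliberately narrower than real mail syntax.

```python
import re

# Constructed example: an illustrative allowlist for a mailbox address, much
# narrower than RFC 5322 so the difference between the two policies stays visible.
ATOM = r"[A-Za-z0-9._+-]+"
ADDRESS = re.compile(rf"{ATOM}@{ATOM}")
# The one deviation whose intent is unambiguous and which can be rewritten
# into a valid form: angle brackets with stray whitespace inside them.
BRACKETED = re.compile(r"<\s*([^<>\s]+)\s*>")


def accept_conservative(raw: str):
    """Accept what is right, plus the listed deviation that can be fixed;
    reject everything else (default deny).
    Returns the canonical address, or None when the input is refused."""
    s = raw.strip()
    m = BRACKETED.fullmatch(s)
    if m:
        s = m.group(1)
    # fullmatch, not search/match: a well-formed prefix followed by material
    # the grammar has no rule for is not "something we understand".
    if ADDRESS.fullmatch(s):
        return s
    return None


def accept_anything_fix_known(raw: str) -> str:
    """The policy the post warns against: take whatever arrives, repair the
    defects you happen to know about, and pass the rest through untouched."""
    s = raw.strip()
    if s.startswith("<") and s.endswith(">"):
        s = s[1:-1].strip()
    return s


def relay_header(policy, raw: str):
    """Stand-in for the forwarding step: build the To: line handed to the
    next hop, or None if the policy refused the address."""
    addr = policy(raw)
    if addr is None:
        return None
    return f"To: {addr}\r\n"


# Constructed inputs: one valid, one with the fixable deviation, and one the
# grammar has no rule for (it contains a line break, which the next hop's
# software may well read as a header boundary).
SAMPLES = [
    "alice@example.com",
    "  < alice@example.com >  ",
    "alice@example.com\nX-Extra: 1",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(repr(raw))
        print("  conservative :", repr(relay_header(accept_conservative, raw)))
        print("  fix-known    :", repr(relay_header(accept_anything_fix_known, raw)))
```

The third sample is the case the thread is about: the conservative policy returns None and nothing is forwarded, while the fix-known policy hands the line break to whatever runs downstream.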
The Robustness Principle Reconsidered (CACM)
Posted Jul 28, 2011 3:36 UTC (Thu) by oblio (guest, #33465)
Well, you are probably right, but I'd rather have my protocol not try to "figure out what is intended", since errors come in all shapes and sizes and it's probably better for a human to correct errors, and just have the protocol reject anything it doesn't understand.
Of course, when you're trying to promote/sell something, sometimes it's better to be lenient, it helps with adoption. Look at HTML - the bane of browser makers everywhere.
The Robustness Principle Reconsidered (CACM)
Posted Jul 28, 2011 7:18 UTC (Thu) by gowen (guest, #23914)
> being liberal might mean you expose a security hole in some other (perhaps more privileged) code.
We need only add another rule to prevent that. I was thinking something along the lines of "be conservative in what you send". Note that "send" is a superset of "forward".