Robustness versus Malevolence
Jon Postel’s Robustness Principle—“Be conservative in what you do, and liberal in what you accept from others”—played a fundamental role in how Internet protocols were designed and implemented. Its influence went far beyond direct application by Internet Engineering Task Force (IETF) designers, as generations of programmers learned from examples of the protocols and server implementations it had shaped.

However, we argue that its misinterpretations were also responsible for the proliferation of Internet insecurity. In particular, several mistakes in interpreting Postel’s principle lead to the opposite of robustness—unmanageable insecurity. These misinterpretations, although frequent, are subtle, and recognizing them requires closely examining fundamental concepts of computation and exploitation (or equivalent intuitions). By discussing them, we intend neither an attack on the principle nor its deconstruction, any more than a patch on a useful program intends to slight the program. Our intention is to present a view of protocol design that helps avoid these mistakes and to “patch” the principle’s common formulation to remove the potential weakness that these mistakes represent.

Robustness and Internet Freedom

Postel’s principle acquired deep philosophical and political significance—discussed, for instance, in Dan Geer’s groundbreaking essay “Vulnerable Compliance.”1 It created a world of programming thought, intuition, and attitude that made the Internet what it is: a ubiquitous, generally interoperable system that enables the use of communication technology to further political freedoms.

Yet this world of revolutionary forms of communication faces an insecurity crisis that erodes users’ trust in its software and platforms. If users continue to see Internet communication platforms as weak and vulnerable to push-button attack tools that are easily acquired by a repressive authority, they will eventually become unwilling to use these platforms for important tasks. The world of free, private

Postel’s principle wasn’t meant to be oblivious of security. For example, consider the context in which it appears in the IETF’s Request for Comments (RFC) 1122, Section 1.2.2 “Robustness Principle”:3

    At every layer of the protocols, there is a general rule whose application can lead to enormous benefits in robustness and interoperability [IP:1]: “Be liberal in what you accept, and conservative in what you send.”

    Software should be written to deal with every conceivable error, no matter how unlikely; sooner or later a packet will come in with that particular combination of errors and attributes, and unless the software is prepared, chaos can ensue. In general, it is best to assume that the network is filled with malevolent entities that will send in packets designed to have the worst possible effect. This assumption will lead to suitable protective
1540-7993/12/$31.00 © 2012 IEEE Copublished by the IEEE Computer and Reliability Societies March/April 2012 87
SECURE SYSTEMS
    design, although the most serious problems in the Internet have been caused by unenvisaged mechanisms triggered by low-probability events; mere human malice would never have taken so devious a course!

This formulation of the principle shows awareness of security problems caused by lax input handling misunderstood as “liberal acceptance.” So, reading Postel’s principle as encouraging implementers to generally trust network inputs would be wrong.

Note also the RFC’s statement that the principle should apply at every network layer. Unfortunately, this crucial design insight is almost universally ignored. Instead, implementations of layered designs are dominated by implicit assumptions that layer boundaries serve as “filters” that pass only well-formed data conforming to expected abstractions. Such expectations can be so pervasive that cross-layer vulnerabilities might persist unnoticed for decades. These layers of abstraction become boundaries of competence.4

Robustness and the Language Recognition Problem

Insecurity owing to input data handling appears ubiquitous and is commonly associated with message format complexity. Of course, complexity shouldn’t be decried lightly; progress in programming has produced ever-more-complex machine behaviors and thus more complex data structures. But when do these structures become too complex, and how does message complexity interact with Postel’s principle? The formal language-theoretic approach we outline here lets us quantify the interplay of complexity with Postel’s principle and draw a bright line beyond which message complexity should be discouraged by a strict reading of the principle. We then offer a “patch” that makes this discouragement more explicit.

The Language-Theoretic Approach

At every layer of an Internet protocol stack, implementations face a recognition problem—they must recognize and accept valid or expected inputs and reject malicious ones in a manner that doesn’t expose their recognition or processing logic to exploitation. We speak of valid or expected inputs to stress that, in the name of robustness, some inputs can be accepted rather than rejected without being valid or defined for a given implementation. However, they must be safe—that is, not lead the current layer or higher layers to perform a malicious computation or exploitation.

In previous research, we showed that, starting at certain message complexity levels, recognizing the formal language—which is made up by the totality of valid or expected protocol messages or formats—becomes undecidable.5,6 Such protocols can’t tell valid or expected inputs from exploitative ones, and exploitation by crafted input is only a matter of exploit programming techniques.7 No 80/20 engineering solution for such problems exists, any more than you can solve the Halting Problem by throwing in enough programming or testing effort.

For complex message languages and formats that correspond to context-sensitive languages, full recognition, although decidable, requires implementing powerful automata, equivalent to a Turing machine with a finite tape. When input languages require this much computational power, handling them safely is difficult, because various input data elements’ validity can be established only by checking bits of context that might not be in the checking code’s scope. Security-minded programmers understand that each function (or basic block) that works with input data must first check that the data is as expected; however, the context required to fully check the current data element is too rich to pass around. Programmers are intimately familiar with this frustration: even though they know they must validate the data, they can’t do so fully, wherever in the code they look. When operating with some data derived from the inputs, programmers are left to wonder how far back they should go to determine if using the data as is would lead to a memory corruption, overflow, or hijacked computation. The context necessary to make this determination is often scattered or too far down the stack. Similarly, during code review, code auditors often have difficulty ascertaining whether the data has been fully validated and is safe to use at a given code location.

Indeed, second-guessing developers’ data safety assumptions that are unlikely to be matched by actual ad hoc recognizer code (also called input validation or sanity checking code) has been a fruitful exploitation approach. This is because developers rarely implement full recognition of input messages but rather end up with an equivalent of an underpowered automaton, which fails to enforce their expectations. A familiar but important example of this failure is trying to match recursively nested structures with regular expressions.

“Liberal” parsing would seem to discourage a formal languages approach, which prescribes generating parsers from formal grammars and thus provides little leeway for liberalism. However, we argue that the entirety of Postel’s principle actually favors this approach. Although the principle doesn’t explicitly mention input rejection—and would seem to discourage it—proper, powerful rejection is crucial to safe
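The underpowered-automaton failure noted above can be made concrete with a small sketch of ours (the pattern and function names are illustrative, not drawn from any protocol): a regular expression that tries to recognize the context-free language of balanced parentheses is necessarily correct only up to some fixed nesting depth, whereas a one-counter recognizer accepts exactly the language.

```python
import re

# An ad hoc "recognizer": a regular expression that tries to accept
# balanced parentheses. A finite automaton cannot count arbitrary
# nesting depth, so any such pattern is only correct up to a fixed
# depth -- this hypothetical one handles depth 2 at most.
SHALLOW = re.compile(r'(\((\(\))*\))*')

def regex_accepts(s: str) -> bool:
    return SHALLOW.fullmatch(s) is not None

# A proper recognizer for the context-free language of balanced
# parentheses: in effect, a one-counter pushdown automaton.
def pda_accepts(s: str) -> bool:
    depth = 0
    for ch in s:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0:
                return False  # a close with nothing open
        else:
            return False      # reject anything outside the language
    return depth == 0

# The underpowered automaton agrees with the real recognizer on
# shallow inputs but silently diverges as nesting grows:
print(pda_accepts('(())'), regex_accepts('(())'))      # True True
print(pda_accepts('((()))'), regex_accepts('((()))'))  # True False
```

An implementation shipping the regex variant would enforce a different language than its author intended, which is exactly the gap that crafted inputs exploit.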
message can be rejected thanks to a control sum, if any. If such a sum follows the erroneous length field, it might also be misidentified.4 Thus ambiguous input languages should be deemed dangerous and excluded from Postel’s Robustness Principle requirements.

Adaptability versus Ambiguity

Postel’s principle postulates adaptability. As RFC 1122 states:3

    Adaptability to change must be designed into all levels of Internet host software. As a simple example, consider a protocol specification that contains an enumeration of values for a particular header field—e.g., a type field, a port number, or an error code; this enumeration must be assumed to be incomplete. Thus, if a protocol specification defines four possible error codes, the software must not break when a fifth code shows up. An undefined code might be logged … but it must not cause a failure.

This example operates with an error code—a fixed-length field that can be unambiguously represented and parsed and doesn’t affect the interpretation of the rest of the message. That is, this example of “liberal” acceptance is limited to a language construct with the best formal language properties. Indeed, fixed-length fields make context-free or regular languages; tolerating their undefined values wouldn’t introduce context sensitivity or necessitate another computational power step-up for the recognizer.

So, by intuition or otherwise, this example of laudable tolerance stays on the safe side of recognition, from a formal language-theoretic perspective.

Other Views

Postel’s principle has come under recent scrutiny from several well-known authors. We already mentioned Dan Geer’s insightful essay; Eric Allman recently called for balance and moderation in the principle’s application.9

We agree, but posit that such balance can exist only for protocols that moderate their messages’ language complexity—and thus the computational complexity and power demanded of their implementations. We further posit that moderating said complexity is the only way to create such balance. We
believe that the culprit in the insecurity epidemic and the driver for patching Postel’s principle isn’t the modern Internet’s “hostility” per se (noted as far back as RFC 1122),3 but modern protocols’ excessive computational power greed.

The issues that, according to Allman, make interoperability notoriously hard are precisely those we point out as challenges to the security of composed, complex system designs.6 We agree with much in Allman’s discussion. In particular, we see his “dark side” examples of “liberality taken too far”9 as precisely the ad hoc recognizer practices that we call on implementers to eschew. His examples of misplaced trust in ostensibly internal (and therefore assumed safe) data sources help drive home one of the general lessons we argue for:5,6

    Authentication is no substitute for recognition, and trust in data should only be based on recognition, not source authentication.
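Both threads above—confining “liberal” tolerance to undefined values of a fixed-length field, as in the RFC 1122 error-code example, and trusting data only after recognition—can be illustrated in one minimal sketch. The protocol here is hypothetical and of our own devising; the header layout, the function name parse_header, and the code values are illustrative assumptions, not drawn from any RFC.

```python
import logging

# Hypothetical wire format: a 4-byte header consisting of a version
# byte, an error-code byte, and a 2-byte big-endian payload length.
KNOWN_ERROR_CODES = {0, 1, 2, 3}  # the four codes our imaginary spec defines

def parse_header(msg: bytes):
    # Recognition first: reject structurally invalid input outright.
    if len(msg) < 4:
        raise ValueError("truncated header")
    version, code = msg[0], msg[1]
    length = int.from_bytes(msg[2:4], "big")
    if len(msg) - 4 != length:
        raise ValueError("length field disagrees with message size")
    # Liberal acceptance, safely bounded: the error code is a
    # fixed-length field, so an undefined value cannot change how the
    # rest of the message is parsed. Log it; do not fail.
    if code not in KNOWN_ERROR_CODES:
        logging.warning("undefined error code %d; accepting", code)
    return version, code, msg[4:]

# A fifth, undefined code (7) is tolerated; a lying length field is not.
print(parse_header(b"\x01\x07\x00\x02hi"))  # (1, 7, b'hi')
```

The tolerance here never steps up the recognizer’s computational power, while the structural checks ensure that trust in the payload rests on recognition rather than on where the bytes came from.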