[20428] in bugtraq
Re: SECURITY.NNOV: The Bat! bug
daemon@ATHENA.MIT.EDU (William D. Colburn (aka Schlake))
Wed Apr 25 02:54:36 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID: <20010423231945.A25395@nmt.edu>
Date: Mon, 23 Apr 2001 23:19:46 -0600
Reply-To: "William D. Colburn (aka Schlake)" <wcolburn@NMT.EDU>
From: "William D. Colburn (aka Schlake)" <wcolburn@NMT.EDU>
X-To: Chris Thompson <chris@HYPOCRITE.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <5.0.2.1.0.20010423143407.00ad4890@mail.powersurfr.com>; from
chris@HYPOCRITE.ORG on Mon, Apr 23, 2001 at 02:38:16PM -0600
On Mon, Apr 23, 2001 at 02:38:16PM -0600, Chris Thompson wrote:
> Programs should not crash or allow security violations when presented with
> unexpected input. So while the SMTP servers probably shouldn't be passing
> along these messages, nor should the email clients be crashing.
I like what RFC1123, Requirements for Internet Hosts -- Application and
Support, by R. Braden, Editor, October 1989, has to say about this:
1.2.2 Robustness Principle
At every layer of the protocols, there is a general rule whose
application can lead to enormous benefits in robustness and
interoperability:
"Be liberal in what you accept, and
conservative in what you send"
Software should be written to deal with every conceivable
error, no matter how unlikely; sooner or later a packet will
come in with that particular combination of errors and
attributes, and unless the software is prepared, chaos can
ensue. In general, it is best to assume that the network is
filled with malevolent entities that will send in packets
designed to have the worst possible effect. This assumption
will lead to suitable protective design, although the most
serious problems in the Internet have been caused by
unenvisaged mechanisms triggered by low-probability events;
mere human malice would never have taken so devious a course!
protocol specification that contains an enumeration of values
for a particular header field -- e.g., a type field, a port
number, or an error code; this enumeration must be assumed to
be incomplete. Thus, if a protocol specification defines four
possible error codes, the software must not break when a fifth
code shows up. An undefined code might be logged (see below),
but it must not cause a failure.
The second part of the principle is almost as important:
software on other hosts may contain deficiencies that make it
unwise to exploit legal but obscure protocol features. It is
unwise to stray far from the obvious and simple, lest untoward
effects result elsewhere. A corollary of this is "watch out
for misbehaving hosts"; host software should be prepared, not
just to survive other misbehaving hosts, but also to cooperate
to limit the amount of disruption such hosts can cause to the
shared communication facility.
--
William Colburn, "Sysprog" <wcolburn@nmt.edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn
