Secure Coding mailing list archives
The Specifications of the Thing
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 12 Jun 2007 14:07:57 -0400 (EDT)
On Tue, 12 Jun 2007, Michael S Hines wrote:
So - aren't a lot of the Internet security issues errors or omissions in the IETF standards - leaving things unspecified which get implemented in different ways - some of which can be exploited due to implementation flaws (due to specification flaws)?
This happens a lot in interpretation conflicts [1] that occur in "intermediaries" - proxies, IDses, firewalls, etc. - where they have to interpret traffic/data according to how the end system is expected to treat that data. Incomplete specifications, or those that leave details for an implementation, will often result in end systems that have different behaviors based on the same input data. nmap's OS detection capability is an obvious example; Ptacek/Newsham's classic IDS evasion paper is another. Many of the anti-virus or spam bypass vulns being reported are of this flavor (although lately, researchers have realized that they don't always have to bother with interpretation conflicts when the products have obvious overflows). Non-standard implementations make the problem even worse, because then they're not even acting like they're expected to, as we often see in esoteric XSS variants. - Steve [1] "interpretation conflict" is my current term for http://cwe.mitre.org/data/definitions/436.html
Current thread:
- Harvard vs. von Neumann, (continued)
- Harvard vs. von Neumann der Mouse (Jun 10)
- Harvard vs. von Neumann Blue Boar (Jun 11)
- Harvard vs. von Neumann Crispin Cowan (Jun 10)
- Harvard vs. von Neumann David Crocker (Jun 11)
- Harvard vs. von Neumann der Mouse (Jun 11)
- Harvard vs. von Neumann David Crocker (Jun 11)
- Harvard vs. von Neumann Gary McGraw (Jun 11)
- Harvard vs. von Neumann ljknews (Jun 11)
- Harvard vs. von Neumann Crispin Cowan (Jun 11)
- The Specifications of the Thing Michael S Hines (Jun 12)
- The Specifications of the Thing Steven M. Christey (Jun 12)
- Harvard vs. von Neumann Steven M. Christey (Jun 12)
- Harvard vs. von Neumann Crispin Cowan (Jun 12)
- Harvard vs. von Neumann Blue Boar (Jun 12)
- Harvard vs. von Neumann Steven M. Christey (Jun 12)
- What's the next tech problem to be solved in software security? Kenneth Van Wyk (Jun 10)
- What's the next tech problem to be solved in softwaresecurity? McGovern, James F (HTSC, IT) (Jun 11)
- What's the next tech problem to be solved in softwaresecurity? Gary McGraw (Jun 11)