I read with interest recent reports [1][2] concerning
vulnerabilities in some implementations of H.323.

According to Information Week [3], Paul Jones, who chairs the
ITU group that is responsible for the H.323 standard, said: some
implementations of the H.323 protocol "fail to perform proper checks
to ensure that messages are properly composed. These errors are
programming oversights, wherein a system does not check for reasonable
and proper message structures."

It sounds like Postel's Law was ignored here... Reading this
reminds me of one interpretation of Postel's Law that I haven't seen
emphasized enough in the discussion so far...

I believe that no matter how strict or liberal a system may be
in what input from another system it is willing to process or pass on,
it still must be very "liberal" in ensuring that it can accept a wide
range of invalid inputs without being damaged by those inputs. (Buffer
overflows, etc.) Thus, even the strictest, most conservative system
must first be "liberal" in accepting input before it can take the
opportunity to determine what it will reject, clean up, or process as
received.

What I'm getting at here is that it may be appropriate to
speak of context when interpreting "Postel's Law", i.e., the closer
your code is to a system boundary, the more important it is that you
be "liberal" in being able to handle a very wide range of
potentially malformed inputs. At system interfaces, Postel's Law may
be read as absolute. But, as you move away from an interface or
boundary, your application semantics begin to take over and Postel's
Law may be read as "Postel's Advice".

bob wyman

[1] http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
[2] http://www.cert.org/advisories/CA-2004-01.html
[3] http://www.informationweek.com/story/showArticle.jhtml?articleID=17301632
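
The distinction drawn in the message above, between surviving any input and deciding what to accept, can be shown in a boundary parser. This is an added example, not part of the original post; the three-byte header format, the type values and all names are hypothetical and are not H.323.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format, constructed for this example (not H.323):
 * byte 0 = type, bytes 1-2 = payload length (big-endian), then payload. */
#define MAX_PAYLOAD 64

enum parse_result { MSG_OK, MSG_TRUNCATED, MSG_TOO_LONG, MSG_TRAILING, MSG_BAD_TYPE };

struct message {
    uint8_t  type;
    uint16_t len;
    uint8_t  payload[MAX_PAYLOAD];
};

/* Accepts any byte string without being damaged by it: each read is checked
 * against in_len and the copy against MAX_PAYLOAD before it happens. Only
 * then is the strict policy (known types only) applied. */
enum parse_result parse_message(const uint8_t *in, size_t in_len, struct message *out)
{
    if (in == NULL || out == NULL || in_len < 3)
        return MSG_TRUNCATED;               /* header itself is incomplete */

    size_t claimed = ((size_t)in[1] << 8) | in[2];
    size_t present = in_len - 3;            /* safe: in_len >= 3 */

    if (claimed > MAX_PAYLOAD)
        return MSG_TOO_LONG;                /* would overflow out->payload */
    if (claimed > present)
        return MSG_TRUNCATED;               /* length field overstates the data */
    if (claimed < present)
        return MSG_TRAILING;                /* unexplained bytes after payload */
    if (in[0] != 1 && in[0] != 2)
        return MSG_BAD_TYPE;                /* policy: only types 1 and 2 exist */

    out->type = in[0];
    out->len = (uint16_t)claimed;
    memcpy(out->payload, in + 3, claimed);
    return MSG_OK;
}

int main(void)
{
    /* Constructed sample: claims 65535 payload bytes but carries one. */
    const uint8_t lying[] = { 1, 0xFF, 0xFF, 'x' };
    struct message m;
    printf("result=%d\n", parse_message(lying, sizeof lying, &m));
    return 0;
}
```

The first three checks are the "liberal" part: they hold for every possible input and protect memory. The type check is the "conservative" part, and it could be loosened or tightened without affecting safety.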