On 03/12/2015 10:25 PM, Keith Medcalf wrote:
> Robustness is desirable from a security perspective. Failure to be liberal in what you accept and not being prepared to deal with malformed input leads to such wonders as the Microsoft bug that led to unexpected/malformed IP datagrams mishandled as "execute payload with system authority". Rather than sloppiness you could also attribute the error to malice -- that it was injected at the specific request of certain government agencies, perhaps under threat, perhaps with just a wink and a nod ...
"Being liberal in what you accept" and "being prepared to deal with malformed input" are two different concepts. Back when I was involved with protocol design on ARPAnet, what I was taught is that one has to be able to handle *correctly* malformed input, and not yield astonishing results. This is not easy, particularly in assembler language. Blowing buffer boundaries is just plain crap code. As for malice, I've never seen that. Not checking buffer boundaries, in my experience, is always stupidity or laziness. This is particularly true when someone threw together a proof of concept quickly, then didn't go in and harden the code before releasing it to the world. (Some of that was born during the "interop" meetings, where groups of coders would assemble in a conference room and bang implementations together -- because it was done quickly, sometimes it was very sloppy.)
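The distinction drawn in this exchange, handling malformed input correctly rather than blowing buffer boundaries, is illustrated below with an added example that is not part of the original thread. The record format (1-byte type, 2-byte big-endian length, then the value) is constructed for the example and is not IP or any real protocol; the point is that the parser checks the length field against the bytes actually received and against its fixed destination buffer before copying anything, so a lying or truncated header produces a specific error instead of an out-of-bounds write.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record format, constructed for this example (not a real
 * protocol): 1-byte type, 2-byte big-endian length, then `length` bytes
 * of value. The length field is attacker-controlled input and must never
 * be trusted without checking it against what was actually received. */

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED_HEADER,  /* fewer than 3 bytes available */
    PARSE_TRUNCATED_VALUE,   /* length field claims more bytes than we have */
    PARSE_VALUE_TOO_LARGE    /* length exceeds the fixed destination buffer */
};

struct record {
    uint8_t type;
    uint16_t length;
    uint8_t value[64];  /* fixed destination; never written past its end */
};

/* Parse one record from `buf`, which holds `buf_len` bytes received so far.
 * On success fills `out` and returns PARSE_OK; on malformed input returns a
 * specific error code and leaves `out` untouched. */
enum parse_status parse_record(const uint8_t *buf, size_t buf_len, struct record *out)
{
    if (buf_len < 3)
        return PARSE_TRUNCATED_HEADER;

    uint16_t len = (uint16_t)((buf[1] << 8) | buf[2]);

    /* Compare the claimed length against the bytes actually present.
     * Subtracting from buf_len (known >= 3) avoids any size_t overflow. */
    if ((size_t)len > buf_len - 3)
        return PARSE_TRUNCATED_VALUE;

    /* Compare against the destination before copying. */
    if (len > sizeof out->value)
        return PARSE_VALUE_TOO_LARGE;

    out->type = buf[0];
    out->length = len;
    memcpy(out->value, buf + 3, len);
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample inputs. */
    const uint8_t good[] = {0x01, 0x00, 0x03, 'a', 'b', 'c'};
    const uint8_t lies[] = {0x01, 0xFF, 0xFF, 'a'};  /* header claims 65535 bytes, only 1 present */
    const uint8_t short_hdr[] = {0x01, 0x00};
    struct record r;

    printf("good:  status %d\n", parse_record(good, sizeof good, &r));
    printf("lies:  status %d\n", parse_record(lies, sizeof lies, &r));
    printf("short: status %d\n", parse_record(short_hdr, sizeof short_hdr, &r));
    return 0;
}
```

Each rejection path returns a distinct status so a caller can log what kind of malformed input arrived, which is also the information a detection pipeline wants when counting truncated or oversized records from a given peer.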