Hostile Environments
I use the term “hostile” to characterize an environment in which there are entities that are not necessarily trustworthy or trusted. The Internet is a hostile environment for a networked device; Earth is a hostile environment for a life form; whereas, one’s own home might not be considered hostile.
In a hostile environment, untrusted entities might use any of a number of strategies to gain, and then exploit, trust. Examples include trojan horses (software claimed, or claiming, to do one thing, when in fact it does something else, when run on a victim’s computer, that would not normally be desired by that victim) and false authorities (people who claim to have expertise or authority in order to obtain undue authority over others, extract resources from them, and so on).
Therefore, it is important to tag and validate input from any untrusted entities: tag it as being from an untrusted source (ideally, keep track of the source); and validate it prior to using it in any way that presumes it is in any way trustworthy.
In software systems, the flexibility of the underlying system can “collide” with the need to tag and validate input, with disastrous results when the failure to validate allows an untrusted entity to exploit the system’s underlying flexibility.
Some systems attempt to validate input in ways that make things worse:
- In SMTP-based email exchange, Challenge/Response systems are a cure that is worse than the disease.
- Cache explosion attacks can result from attackers exploiting how some systems validate input.
Examples of failures to tag and/or validate input from untrusted sources include:
- The “hypodermic needles in Pepsi soda cans” debacle. The “input” — the original claim that a needle was found in a freshly-opened can — was not sufficiently validated prior to being widely circulated. This apparently led to numerous people, not necessarily connected with each other in any way, learning of the claim and taking advantage of it by claiming to have “independently” verified it by finding a needle, or other similar item, in a can they bought.
- SMTP servers mishandling HELO/EHLO strings that might, for example, start with the Unix “pipe” character (a vertical bar).
- SQL injection attacks.
Generally, insufficiently typed languages, or systems, provide a wide variety of opportunities for untrusted data to be treated as if it was partially, or completely, trusted.