Postel’s Law and security, again
May 25, 2012  

I’ve previously written about how Postel’s Law inevitably leads to implementations of a standard that differ from one another, and therefore to security vulnerabilities. Here’s yet another example, from this week’s IEEE Symposium on Security and Privacy.

Abusing File Processing in Malware Detectors for Fun and Profit, by Suman Jana and Vitaly Shmatikov, describes a method of malware cloaking that works by modifying the metadata of a file so that antivirus software interprets it differently from the client software that will eventually open it.

So for example, you could take an exploit contained in a PDF document and modify the header of the file so that it no longer looks like a proper PDF document; the antivirus software might decide that the file is mangled, or even that it is another kind of document altogether, and so it does not detect the exploit. The client software, however, tolerates the modifications and processes the file normally, thus triggering the exploit.

This is a direct consequence of Postel’s Law: two implementations are trying to work with a broken file format, and they interpret it liberally in different ways.
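To make that disagreement concrete from the detection side, here is an added example (mine, not code from the paper or from this post) that compares a strict PDF header check with the lenient one a viewer applies and flags files that only the lenient reader accepts as PDFs; the 1024-byte window is the one given in the PDF reference’s implementation notes for Acrobat viewers, and the sample files are constructed.

```python
# Parser-differential check for PDF headers (added example; samples are constructed).
from typing import Dict, Optional

MAGIC = b"%PDF-"
# Per the PDF reference's implementation notes, Acrobat viewers only require the
# header to appear somewhere within the first 1024 bytes of the file.
LENIENT_WINDOW = 1024


def strict_pdf_header(data: bytes) -> bool:
    """Strict reading: the magic must start the file, as a naive scanner might assume."""
    return data.startswith(MAGIC)


def lenient_pdf_header(data: bytes) -> Optional[int]:
    """Lenient reading: offset of the magic if it starts within the window, else None."""
    end = LENIENT_WINDOW + len(MAGIC) - 1  # a match may start at offset 1023 at most
    idx = data.find(MAGIC, 0, end)
    return idx if idx != -1 else None


def classify(data: bytes) -> str:
    """Report whether the two readings agree, and where the lenient one found the header."""
    if strict_pdf_header(data):
        return "pdf"
    offset = lenient_pdf_header(data)
    if offset is not None:
        # Only the permissive reader sees a PDF: the discrepancy the paper describes.
        return f"pdf-differential:header-at-{offset}"
    return "not-pdf"


# Constructed samples (not real files): a minimal header plus filler.
BODY = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
CLEAN_PDF = BODY
PREFIXED_PDF = b"GIF89a" + b"\x00" * 40 + BODY      # magic pushed to offset 46
HEADER_TOO_DEEP = b"\x00" * 2000 + BODY             # beyond the lenient window
NOT_PDF = b"MZ\x90\x00" + b"\x00" * 60


def scan_samples() -> Dict[str, str]:
    """Classify every constructed sample; a 'pdf-differential' verdict is the one to act on."""
    samples = {
        "clean": CLEAN_PDF,
        "prefixed": PREFIXED_PDF,
        "too_deep": HEADER_TOO_DEEP,
        "not_pdf": NOT_PDF,
    }
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:10s} {verdict}")
```

A scanner that treats a "pdf-differential" verdict as a PDF (and scans it as one) closes the gap for this particular header trick, but the same comparison is needed for every other lenient parsing rule the client applies.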