RE: Principle of Inclusion?

From: George Milliken (gmillikenat_private)
Date: Tue Jun 26 2001 - 18:25:07 PDT


    Elias,
    
    How about the "Known State Principle": we only respond in 'known' ways to
    input, all other input is discarded.
    
    
    
    Regards,
    
    George Milliken, CEO
    farm9.com, Inc.
    --
    gmillikenat_private      24x7 Intrusion Prevention & Incident Response
    http://www.farm9.com     24x7 Log Consolidation & Managed IDS
    SOC : 510-835-3276 x253  cell: 510-913-8850     fax:  925-376-5907
        ==================================================
        SANS Network Security 2001 San Diego, CA  Oct 15-22
        ==================================================
    
    -----Original Message-----
    From: aleph1at_private [mailto:aleph1at_private]
    Sent: Tuesday, June 26, 2001 11:23 AM
    To: secprogat_private
    Subject: Principle of Inclusion?
    
    
      We have all heard the old security principle of not filtering out
    known bad input but filtering in known good input, but I've never heard
    it "named" like we name the "principle of least privilege". Do you know
    of any such name? I am thinking of simply christening the principle of
    inclusion.
    
      I am defining it as: The principle of inclusion tells us that when
    performing input validation for security purposes we should not
    define what is considered invalid input and refuse any
    input that matches this definition, since our definition of what
    is invalid may not be complete, and that instead we should define what
    is considered valid input and refuse any input that does not match
    this definition.
    
    --
    Elias Levy
    SecurityFocus.com
    http://www.securityfocus.com/
    Si vis pacem, para bellum
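To make the difference between the two validation styles concrete, here is an added example (not code from either poster) that puts a deny-list filename check beside an allow-list one, in the spirit of Elias's "principle of inclusion" and George's "known state" idea. The bad-substring list, the allowed pattern and the probe inputs are all constructed for illustration.

```python
import re

# Deny-list approach: refuse input that matches what we *think* is bad.
# This list is constructed for the example and, as the original post
# warns, it is necessarily incomplete.
BAD_SUBSTRINGS = ("..", "/", "\\", ";", "<", ">")


def deny_list_filename(name: str) -> bool:
    """Accept the name unless it contains a known-bad substring."""
    return not any(bad in name for bad in BAD_SUBSTRINGS)


# Allow-list approach ("principle of inclusion"): define exactly what a
# valid name looks like and refuse everything that does not match.
# Shape (an assumption for this example): 1-32 ASCII word characters or
# hyphens, optionally followed by a short lowercase extension.
ALLOWED = re.compile(r"\A[A-Za-z0-9_-]{1,32}(\.[a-z0-9]{1,8})?\Z")


def allow_list_filename(name: str) -> bool:
    """Accept only names that fully match the known-good shape."""
    return ALLOWED.fullmatch(name) is not None


# Constructed probes: each is something the deny list never anticipated.
PROBES = (
    "report\x00.txt",            # embedded NUL truncates the name downstream
    "%2E%2E%2Fetc%2Fpasswd",      # percent-encoded "../etc/passwd", decoded later
    "foo\uff0fetc",               # FULLWIDTH SOLIDUS, becomes "/" under NFKC
    "a" * 40,                     # no bad substring, but unbounded length
    "",                           # empty input is "not bad" to a deny list
)


def slipped_through(names):
    """Return the inputs a deny list passes but an allow list refuses."""
    return [n for n in names
            if deny_list_filename(n) and not allow_list_filename(n)]


if __name__ == "__main__":
    for n in PROBES:
        print(repr(n), "deny-list:", deny_list_filename(n),
              "allow-list:", allow_list_filename(n))
    print(len(slipped_through(PROBES)), "of", len(PROBES),
          "probes slipped past the deny list")
```

Every probe passes the deny list and fails the allow list; the ordinary name "report.txt" passes both, which is the point: the allow list loses nothing legitimate while refusing the cases nobody thought to deny.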
    



    This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 09:26:10 PDT