The Semantic Gap

I'm currently involved in researching security problems and how perimeter firewalls might help mitigate them. During this research I've found several ways to evade existing IDS, firewalls and other security systems at the application level by using interpretation differences between the protecting and the protected system (i.e. firewall and client). This Semantic Gap is caused by incomplete, unclear or contradicting specifications, or by buggy or incomplete implementations which especially fail in rare use cases. Additionally, in adherence to the famous robustness principle, implementations usually accept various kinds of malformed data. But because there is no defined behavior, different implementations handle bad data in different ways. Especially scary is that most systems which should protect the client against malware blindly assume that the malware is sent in a standard-conformant way, thus making evasion easy and stealthy.

Evasions using the HTTP protocol

While HTTP looks like a simple standard just from looking at some examples, one will find enough places where the standard is more flexible than needed, or where one is able to specify inherently contradicting information within the protocol. In such cases implementations often differ and thus make bypassing the protecting system possible. Several commercial systems can be bypassed this way, as described in To check how your browser behaves and how well your perimeter firewall is able to protect against these and many more HTTP based evasions, use HTTP evader.
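As an added example (not code from the article or from HTTP evader), the following shows how a protecting system can refuse to guess when an HTTP response head carries contradicting framing information, instead of silently picking one interpretation that may differ from the client's. The response bytes are constructed for the demonstration; the checks (disagreeing Content-Length values, Content-Length together with Transfer-Encoding, non-numeric lengths) reflect the ambiguity described above and are the author's own choice of policy, not a complete list.

```python
"""Flag ambiguous HTTP message framing instead of guessing (added example)."""
from typing import List, Tuple


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split an HTTP message head into the start line and lower-cased (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def framing_ambiguities(raw: bytes) -> List[str]:
    """Return the reasons why the framing is ambiguous; an empty list means unambiguous."""
    _, headers = parse_head(raw)
    reasons = []
    lengths = [v for n, v in headers if n == "content-length"]
    encodings = [v for n, v in headers if n == "transfer-encoding"]
    # Two Content-Length headers that disagree: a lenient parser picks first or last,
    # and the firewall and the browser may not pick the same one.
    if len(set(lengths)) > 1:
        reasons.append("conflicting Content-Length values: " + ", ".join(lengths))
    # Junk inside the length: some parsers strip it, others treat the header as absent.
    for v in lengths:
        if not v.isdigit():
            reasons.append("non-numeric Content-Length: %r" % v)
    # Both framing mechanisms present: implementations differ on which one wins.
    if lengths and encodings:
        reasons.append("both Transfer-Encoding and Content-Length present")
    # Anything but plain 'chunked' is treated as suspicious here (policy assumption).
    for v in encodings:
        if v.lower() != "chunked":
            reasons.append("unusual Transfer-Encoding: %r" % v)
    return reasons


# Constructed sample responses, not captured traffic.
AMBIGUOUS = (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\nContent-Length: 44\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n")
CLEAN = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    for label, msg in (("ambiguous", AMBIGUOUS), ("clean", CLEAN)):
        print(label, framing_ambiguities(msg) or "ok")
```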

Evasions by misusing MIME

Historically, e-mails were only plain ASCII text. To get support for different character encodings and for attachments while still keeping compatibility with old systems, the MIME standard was developed, which maps all these features back to plain ASCII text. To display a mail and to extract the attachments, the mail thus has to be decoded. Unfortunately the standard makes it possible to construct invalid MIME. Since such data cannot be decoded in a clearly defined way, the results differ between implementations, which again makes evasions possible. Again, systems can be bypassed this way: