What is the Shannon Communication Model and how does it relate to interface security?
Shannon's 1948 model is Sender → Encode → Channel → Decode → Receiver; for a correct interface, decoding must undo encoding, i.e. Dec(Enc(M)) = M.
* Shannon's source-encode-channel-decode-sink model — a faithful round-trip versus the mismatch where injection lives. *
The model is borrowed from communication theory but maps cleanly onto any interface: your data M gets serialized (encoded), travels a channel, then gets parsed (decoded). Security depends on that round-trip being faithful — if the parser reconstructs something other than what the sender meant, the gap is exactly where injection attacks live:
Model:
Sender --> Message M --> Enc(M) --> [Channel] --> Enc(M) --> Dec(Enc(M)) --> Receiver
Security relevance:
- The encoding/decoding must be consistent
- Both parties must use compatible Enc/Dec functions
- If Dec(Enc(M)) != M, there's a problem!
Interface analogy:
| Shannon Element | Interface Equivalent | Security Concern |
|---|---|---|
| Message M | User input data | Can be crafted maliciously |
| Encoding Enc(M) | Serialization/formatting | May transform data unexpectedly |
| Channel | Network/Interface | Can be intercepted or modified |
| Decoding Dec(Enc(M)) | Parsing/interpretation | May interpret data differently than intended |
Concrete example — SQL Injection:
- M =
O'Brien(user's name) - Enc(M) =
"INSERT INTO users VALUES('O'Brien')"(naive string concat) - Dec(Enc(M)) = SQL parser sees
OthenBrienas SQL code → Dec(Enc(M)) ≠ M!
Go deeper:
Shannon–Weaver model (Wikipedia) — the 1948 source→transmitter→channel→receiver model mapped onto encode/decode.