This article needs additional citations for verification. (July 2013) (Learn how and when to remove this template message)
In information security, transshipment is a technique for protecting software services and applications by ensuring they only receive data that they are known to be able to handle safely. The term is analogous to that in the logistics industry where cargo is offloaded from one means of transport and on to another at a port of entry. With transshipment, information is extracted from the data used to send it and then encoded as data that can be handled safely.
With transshipment, messages are intercepted and the business information they carry is extracted. This information is then encoded in a new message using a data format that the receiving application can safely handle.
For example, an email client may be known to handle messages with a simple structure without failure but not the full generality allowed by the standards. Transshipment can then be used to protect the mail client from attackers who can exploit weaknesses in its ability to handle the general case. The transshipment process extracts the business information in the email messages and creates a new message that conveys the same information but using simple structures. So the mail client is protected without knowing details of any weaknesses in its implementation.
The transshipment function must handle any and all data sent to it by potential attackers. To be useful the function must be implemented without it being vulnerable to attack. This can be achieved by using Guard technology that separates the implementation into three parts - a destination proxy that interacts with the message originator and extracts the business information from messages, a verifier and a source proxy that creates a new message to carry the business information and interacts with the message recipient. The verifier's role is to ensure that the source proxy is only presented with the business information using the simple data format it is expecting. As a result, the attack surface is limited to the verifier's interface and that part of the source proxy's interface which is visible through the verifier.