Inferensys

Glossary

Canonicalization

Canonicalization is the process of converting input data into a single, standard, unambiguous representation to prevent attackers from bypassing security filters using encoding tricks.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
INPUT NORMALIZATION DEFENSE

What is Canonicalization?

Canonicalization is a critical security process that converts data into a single, standard, unambiguous representation to prevent attackers from bypassing security filters using encoding tricks.

Canonicalization is the process of converting input data into a single, standard, unambiguous representation before it is processed by a security filter or machine learning model. This defensive technique prevents attackers from bypassing prompt injection defenses by using alternate encodings—such as URL encoding, Unicode homoglyphs, or zero-width characters—that appear different to a parser but resolve to the same malicious string.

In the context of LLM security, canonicalization is applied to user prompts before they are combined with system instructions. By resolving all characters to a base form and stripping invisible control sequences, the system ensures that a guard model or input sanitization filter evaluates the true semantic content of the input, closing a common evasion vector in the prompt injection kill chain.

DEFENSE IN DEPTH

Key Properties of Effective Canonicalization

Effective canonicalization is the bedrock of input validation. It eliminates the ambiguity that attackers exploit through encoding tricks, ensuring that security filters evaluate the true, intended meaning of data rather than a manipulated representation.

01

Idempotency

The canonicalization function must produce the same output regardless of how many times it is applied. Applying the function once must yield the same result as applying it ten times.

  • Property: f(x) = f(f(x))
  • Why it matters: Prevents attackers from using recursive encoding (e.g., double URL-encoding) to bypass a single-pass filter.
  • Example: If %2527 decodes to %27, a second pass decodes it to '. An idempotent function resolves it to ' in a single, atomic operation.
02

Lossless Normalization

The process must preserve the semantic meaning of the input while reducing it to its simplest form. No critical data should be destroyed during normalization.

  • Key distinction: Converting ../ to its canonical path is lossless for path resolution, but stripping it entirely is lossy and dangerous.
  • Example: Unicode normalization forms like NFC vs. NFD. Choosing the wrong form can break string comparisons, but the chosen form must consistently represent the same abstract characters.
03

Single Coherent Representation

The system must define and enforce one true representation for every data type. There can be no ambiguity about which form is the standard.

  • File paths: A single canonical form (e.g., absolute path with no trailing slashes or dot segments).
  • Unicode: A single normalization form (NFC or NFKC) enforced at the boundary.
  • JSON keys: A strict ordering and whitespace policy.
  • Why it matters: If admin and ADMIN are treated as distinct, an attacker can register ADMIN to impersonate the admin user.
04

Boundary Enforcement

Canonicalization must occur at the trust boundary—the exact point where data crosses from an untrusted zone to a trusted one. It is not a step to be deferred.

  • Rule: Convert to canonical form before validation, never after.
  • Anti-pattern: Validating a filename for path traversal characters, then later decoding it for storage.
  • Example: A web application firewall must canonicalize a request's URL and body before applying its rule set, otherwise an encoded attack like %2e%2e%2f passes through undetected.
05

Recursive Resolution

The algorithm must fully resolve all layers of encoding and nested representations until a raw, atomic form is reached. Partial resolution is a security vulnerability.

  • Process: Decode URL-encoding -> Decode HTML entities -> Normalize Unicode -> Resolve path traversal.
  • Attack vector: An attacker sends %253Cscript%253E. A single decode pass yields %3Cscript%3E, which is still benign to a naive filter. A second pass yields <script>. Recursive resolution catches this on the first pass.
06

Deterministic Output

Given the same input byte stream, the canonicalization function must always produce the exact same output, on every platform, in every environment.

  • No system call variance: Relying on the local file system's realpath() can yield different results on different OS kernels.
  • No locale dependence: String case-folding must use a locale-independent method (e.g., toUpperCase(Locale.ROOT) in Java) to avoid the 'Turkish I' problem.
  • Why it matters: A distributed system where different nodes canonicalize the same input differently creates a security gap that an attacker can exploit by targeting a specific node.
CANONICALIZATION DEEP DIVE

Frequently Asked Questions

Explore the critical defensive technique of canonicalization, which converts input into a single, unambiguous representation to neutralize encoding-based attacks that bypass security filters.

Canonicalization is the process of converting input data into a single, standard, unambiguous representation—its 'canonical' form—before any security validation or processing occurs. It works by applying a series of normalization rules to resolve syntactic variations. For example, a file path like C:\Windows\..\Windows\System32 is canonicalized to C:\Windows\System32 by resolving the parent directory traversal. In the context of prompt injection defense, canonicalization decodes multi-layered encoding tricks (like URL encoding, Unicode normalization, or HTML entities) to reveal the attacker's true payload. This ensures that a security filter sees the actual malicious string, not a cleverly obfuscated version designed to slip past pattern-matching rules.

INPUT PROCESSING COMPARISON

Canonicalization vs. Related Input Processing Techniques

A comparison of canonicalization with other input processing techniques used in prompt injection defense, highlighting their distinct roles in the security pipeline.

FeatureCanonicalizationInput SanitizationPrompt Normalization

Primary Objective

Convert input to a single, unambiguous representation

Remove or neutralize malicious control sequences

Rewrite prompts into a safe, canonical form before instruction combination

Defense Stage

Pre-processing (normalization layer)

Pre-processing (cleaning layer)

Pre-processing (restructuring layer)

Handles Encoding Tricks

Handles Homoglyph Attacks

Handles Zero-Width Characters

Preserves Semantic Intent

Output Format

Standardized byte/character sequence

Cleaned text with removed sequences

Restructured prompt text

Risk of Over-Normalization

High — may collapse distinct inputs

Medium — may strip benign content

Low — preserves meaning while restructuring

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.