Re: [Cellar] Security considerations: recursive elements
Steve Lhomme <slhomme@matroska.org> Sun, 21 January 2018 17:15 UTC
Return-Path: <slhomme@matroska.org>
X-Original-To: cellar@ietfa.amsl.com
Delivered-To: cellar@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC63D129C6B for <cellar@ietfa.amsl.com>; Sun, 21 Jan 2018 09:15:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=matroska-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XLWn_VjdIOcV for <cellar@ietfa.amsl.com>; Sun, 21 Jan 2018 09:15:37 -0800 (PST)
Received: from mail-pg0-x229.google.com (mail-pg0-x229.google.com [IPv6:2607:f8b0:400e:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5A4E12773A for <cellar@ietf.org>; Sun, 21 Jan 2018 09:15:37 -0800 (PST)
Received: by mail-pg0-x229.google.com with SMTP id s9so5219177pgq.13 for <cellar@ietf.org>; Sun, 21 Jan 2018 09:15:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=matroska-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=vRlnJ57y+k2OHLW77mFssx5pX0os7rDIrk+fBmu/8Oc=; b=yy/FFIehazGycj/Sndo54ku0EUezF+86h5k7G5/sH2kJ3GuhOkAbdafwzdK0kGD2SO erxk9XGPATc9Z1LcWlgPj9OyQLOwHpWhNAVYziGoHPTMrrNOlwKblI1Usyigj1YeDzav c+AQRUa0M0cKpg6df4hvJuOoPt7XVjxpiFBN2IwiVZ2P8/2WATpKRWfeE02XVcQfnFSA GnHG1cqmqaCFZprk+MGrwyF7g3Cld/zvTmNfHsaMZeCcFr+Mu1hySfeSoB2lOkgVClPR /QIpQoeeYJ3BWudPtRdXU/MM9tIu/J5cmztP0Bb0YLHdGMQQMqfOfyXTLmb6Al8pXr2Y Gq1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=vRlnJ57y+k2OHLW77mFssx5pX0os7rDIrk+fBmu/8Oc=; b=Ydiv5kgQS8MPRbqKodzH6OxnZrCG2AeYu3erbWVmtgsfLxTCGXGr7bWdMk1Ysl8ETa a9GKVRxTSE6RmJLXqALQmS5zGzEa1MLpRFD2POLPRbN6THpL77+xY0WtwEhrGVuye63M 5a9SbT52k8UCZB/kz/7Aum1FG/6GuTrEdH9cv3MgLAgtu2K1gJmMLDgG+iji514iNJ55 Yk6IqCgQ4aCDIHIx13ixGToi5ViM1h5iAngNCXfWeZyowG8b4t0AGy8PVScOYw0S30jt UrzjdNqqhHjLsudC1/05JW6Wcxzx8AH1kWIe1lktjuMGuiq7h39LmdpKT1bnaOAVuXqp RA0Q==
X-Gm-Message-State: AKwxytfqySPmm7zY0xNQXlKPt6N29ObeAKccLYhQMKArIjV7ttQwvm4O S/YyYo+nNv2DayhlW+SDyAKmn4032TnTEdX9kHNhvg==
X-Google-Smtp-Source: AH8x225lNjqmAFmaPjuu9uk8BCzWGhqnqUpwmk3VaGbifpoDf60k3oD+LOLzJxobLnChZjUToxbzmtBaMVcMNQoZ4AE=
X-Received: by 10.98.102.4 with SMTP id a4mr5750573pfc.210.1516554937354; Sun, 21 Jan 2018 09:15:37 -0800 (PST)
MIME-Version: 1.0
Received: by 10.236.189.150 with HTTP; Sun, 21 Jan 2018 09:15:36 -0800 (PST)
In-Reply-To: <CAHUoETJqbP3cXn8xOa6J9XLYApSTHxdTpaxA-NQVS-UcM8Ci_A@mail.gmail.com>
References: <CAHUoETL6+2XokNy5skB7dzjuzowoL8kV9gNLgd6HeJYiZcXpOQ@mail.gmail.com> <20180117223156.GD3493@michaelspb> <CAHUoETJqbP3cXn8xOa6J9XLYApSTHxdTpaxA-NQVS-UcM8Ci_A@mail.gmail.com>
From: Steve Lhomme <slhomme@matroska.org>
Date: Sun, 21 Jan 2018 18:15:36 +0100
Message-ID: <CAOXsMFJrWb_4MemeQmNpcr8hgDXxXVgJaKL5VhyEUoWwhVa8HQ@mail.gmail.com>
To: Michael Bradshaw <mjbshaw@google.com>
Cc: Michael Niedermayer <michael@niedermayer.cc>, Codec Encoding for LossLess Archiving and Realtime transmission <cellar@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cellar/GiF57AFobHegShshihp7pxsbSW4>
Subject: Re: [Cellar] Security considerations: recursive elements
X-BeenThere: cellar@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Codec Encoding for LossLess Archiving and Realtime transmission <cellar.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cellar>, <mailto:cellar-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cellar/>
List-Post: <mailto:cellar@ietf.org>
List-Help: <mailto:cellar-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cellar>, <mailto:cellar-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jan 2018 17:15:40 -0000
2018-01-17 23:47 GMT+01:00 Michael Bradshaw <mjbshaw@google.com>: > Thanks for the responses, all! > > I agree that setting minimum/maximum recursion limits doesn't belong in the > EBML spec. I do think the EBML spec should have a note in the Security > Considerations that EBML Readers need to be cognizant of how they handle > recursive elements and should be resilient to deeply nested recursion > attacks (without giving particular recommendations for how that resilience > is achieved). But EBML itself shouldn't attempt to set any specific limits > on recursion depth. > > The reason I suggested setting some kind of minimum/maximum recursion depth > (for Matroska specifically, not for EBML in general) is because of the > points Michael Niedermayer raises. Setting a minimum allows muxers to write > files with confidence that readers will be able to use/play the data being > written (so long as the minimum isn't exceeded). Setting a maximum let's > muxers know that if they exceed it, they run the risk of making a file that > some readers can't (fully) play. On the writer's side it's easier to know the maximum depth it reached when writing a particular file and write the exact maximum value at the end of the muxing. Security-wise it's stricter than a loose default maximum. > Specifying recursion limits using the example language in my first email ("a > parser SHOULD handle recursion up to X levels deep, and MAY abort the parse > if it reaches Y levels deep") for ChapterAtom and SimpleTag elements would > allow a muxing program to emit a warning to the user if the recursion level > exceeded Y (it's not a fatal error, but it would be nice to let the user > know their file has abnormally deep recursion that might not be compatible > with various parsers). > > On Wed, Jan 17, 2018 at 2:31 PM, Michael Niedermayer > <michael@niedermayer.cc> wrote: >> >> On Wed, Jan 17, 2018 at 12:33:17PM -0800, Michael Bradshaw wrote: >> > The EBML and Matroska specs currently don't mention the possibility of a >> > stack overflow due to deeply nested recursive elements. Currently, >> > there's >> > no limit on the recursion depth (unless I've overlooked it somewhere). >> > >> > I think it would be worth adding to the security section of EBML that >> > one >> > type of attack on an EBML Reader could include deep element recursion. >> > >> >> > Additionally, I would like to see what people think about potentially >> > adding/suggesting an upper limit on recursion (either as a MUST or a >> > MAY). >> > This could also include a lower limit too. For example, something like >> > "a >> > parser SHOULD handle recursion up to X levels deep, and MAY abort the >> > parse >> > if it reaches Y levels deep". >> >> If a limit is specified then theres a limit that every compliant parser >> must support and which a compliant muxer can use. >> >> If no such limit is specified then it is possible that in a system where >> all parts are specification compliant and otherwise compatible it doesnt >> work. >> >> So I think its more a question about what/when compatibility is guranteed >> / what compatibility we want the specification to gurantee >> from that it follows if we need a limit in the specification/draft or not >> >> [...] >> >> -- >> Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB >> >> If a bugfix only changes things apparently unrelated to the bug with no >> further explanation, that is a good sign that the bugfix is wrong. >> >> _______________________________________________ >> Cellar mailing list >> Cellar@ietf.org >> https://www.ietf.org/mailman/listinfo/cellar >> > > > _______________________________________________ > Cellar mailing list > Cellar@ietf.org > https://www.ietf.org/mailman/listinfo/cellar > -- Steve Lhomme Matroska association Chairman
- Re: [Cellar] Security considerations: recursive e… Ashley Blewer
- [Cellar] Security considerations: recursive eleme… Michael Bradshaw
- Re: [Cellar] Security considerations: recursive e… Reto Kromer
- Re: [Cellar] Security considerations: recursive e… Jerome Martinez
- Re: [Cellar] Security considerations: recursive e… Reto Kromer
- Re: [Cellar] Security considerations: recursive e… Michael Niedermayer
- Re: [Cellar] Security considerations: recursive e… Michael Bradshaw
- Re: [Cellar] Security considerations: recursive e… Jerome Martinez
- Re: [Cellar] Security considerations: recursive e… Reto Kromer
- Re: [Cellar] Security considerations: recursive e… Reto Kromer
- Re: [Cellar] Security considerations: recursive e… Dave Rice
- Re: [Cellar] Security considerations: recursive e… Peter B.
- Re: [Cellar] Security considerations: recursive e… Michael Bradshaw
- Re: [Cellar] Security considerations: recursive e… Steve Lhomme
- Re: [Cellar] Security considerations: recursive e… Steve Lhomme
- Re: [Cellar] Security considerations: recursive e… Steve Lhomme
- Re: [Cellar] Security considerations: recursive e… Steve Lhomme
- Re: [Cellar] Security considerations: recursive e… Luca Barbato
- Re: [Cellar] Security considerations: recursive e… hubblec4