IETF Logo Mail Archive

Re: [Cellar] Security considerations: recursive elements

Michael Bradshaw <mjbshaw@google.com> Wed, 17 January 2018 22:47 UTC

Return-Path: <mjbshaw@google.com>
X-Original-To: cellar@ietfa.amsl.com
Delivered-To: cellar@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82E1412D886 for <cellar@ietfa.amsl.com>; Wed, 17 Jan 2018 14:47:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.709
X-Spam-Level:
X-Spam-Status: No, score=-2.709 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jy6js4Gvej2i for <cellar@ietfa.amsl.com>; Wed, 17 Jan 2018 14:47:57 -0800 (PST)
Received: from mail-it0-x233.google.com (mail-it0-x233.google.com [IPv6:2607:f8b0:4001:c0b::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B53FB12D875 for <cellar@ietf.org>; Wed, 17 Jan 2018 14:47:57 -0800 (PST)
Received: by mail-it0-x233.google.com with SMTP id q8so11246646itb.2 for <cellar@ietf.org>; Wed, 17 Jan 2018 14:47:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=1Eaayh+JBVio0z7yc2g5F+9SVL8g3kK0FE1wBKrVHds=; b=cX8hLArWxD3y5hOgwZa0eDDDa7Y9Q22eoXjx6HYnZsWeU2DD1xIQVXUTdEv3mE6crj Dey4mL5eyRDv+iT3GUqlWQ8a2W5qqZqeYZYtg4JjpMqaDXa10PJIpv2/kj+Wd9+5i8fQ z2GYITTrV6stDbKGeGeuKJX3sbBzw1vydr3/IRNQ5NOWpv1VM57ELpO9/nFTP3mlv5dh /FhgBv7h/tHmao+C9+fAKDfrL2mxh5psswHg7d5tfVD02y+p2t4F+gQuwohgMHwbvnwy 3LC4BtQJScz8dM5hH6Bq4uTeDANIvTXR50c7SaxQ9ypQJo/BePM0c1/+OvRIyQiOMeoo RyTg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=1Eaayh+JBVio0z7yc2g5F+9SVL8g3kK0FE1wBKrVHds=; b=g9DZFC5fvf1aQp8PE9WL+OUwn77/Q+22+JAYS5k+XJq5H0BIf7qrMZ/qH312P0J6F3 OFgnY05PGaAmGYBYYlbyXw2gNqE724G5m4AOFWyBq9C4KKMct/Z79GuQhhXptXlkNGMY nlxei44MYQO0mLfrMnzydnCplAqW6XvY3mYYL790OU05yFPBwFtbCpYzjX6AIjoYWOOg ddzsfTtwvk2XpZyzLcK+fu6DFZ47qWMVQ/+1iWdgjCHuprUZ7LBi2YVfKIfa10mO9WEH fj4s98CSjbtx+9J6hJjBx8gRA0q7WFZSg8M3WyDdsBB8ZrDRyAnSTYaw3WWbmBD8HlmX fpZQ==
X-Gm-Message-State: AKwxytdIojGzmP7h3ZCwIS5VZmIkRC7KRw0yysOt7BdM3yAJBhVOUXxj kliTFx3h+emUbIf25HGb6fE2nkbE/d5fhbqFaeVsCy71WF4=
X-Google-Smtp-Source: ACJfBosfjlfLCnddidzpGVznIH84yXBVVapdO6Yeitve/MJ4KaO9YGQ9minZty+Bwsc2xxsK92tYpVSyI2cHIyudMVk=
X-Received: by 10.36.20.145 with SMTP id 139mr16090619itg.15.1516229276543; Wed, 17 Jan 2018 14:47:56 -0800 (PST)
MIME-Version: 1.0
Received: by 10.79.36.75 with HTTP; Wed, 17 Jan 2018 14:47:35 -0800 (PST)
In-Reply-To: <20180117223156.GD3493@michaelspb>
References: <CAHUoETL6+2XokNy5skB7dzjuzowoL8kV9gNLgd6HeJYiZcXpOQ@mail.gmail.com> <20180117223156.GD3493@michaelspb>
From: Michael Bradshaw <mjbshaw@google.com>
Date: Wed, 17 Jan 2018 14:47:35 -0800
Message-ID: <CAHUoETJqbP3cXn8xOa6J9XLYApSTHxdTpaxA-NQVS-UcM8Ci_A@mail.gmail.com>
To: Michael Niedermayer <michael@niedermayer.cc>
Cc: Codec Encoding for LossLess Archiving and Realtime transmission <cellar@ietf.org>
Content-Type: multipart/alternative; boundary="001a1143e54c6da1c4056300a3ee"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cellar/OK80QqWVkx4TPHdsC7YrVHAOrb4>
Subject: Re: [Cellar] Security considerations: recursive elements
X-BeenThere: cellar@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Codec Encoding for LossLess Archiving and Realtime transmission <cellar.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cellar>, <mailto:cellar-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cellar/>
List-Post: <mailto:cellar@ietf.org>
List-Help: <mailto:cellar-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cellar>, <mailto:cellar-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jan 2018 22:47:59 -0000

Thanks for the responses, all!

I agree that setting minimum/maximum recursion limits doesn't belong in the
EBML spec. I do think the EBML spec should have a note in the Security
Considerations that EBML Readers need to be cognizant of how they handle
recursive elements and should be resilient to deeply nested recursion
attacks (without giving particular recommendations for how that resilience
is achieved). But EBML itself shouldn't attempt to set any specific limits
on recursion depth.

The reason I suggested setting some kind of minimum/maximum recursion depth
(for Matroska specifically, not for EBML in general) is because of the
points Michael Niedermayer raises. Setting a minimum allows muxers to write
files with confidence that readers will be able to use/play the data being
written (so long as the minimum isn't exceeded). Setting a maximum let's
muxers know that if they exceed it, they run the risk of making a file that
some readers can't (fully) play.

Specifying recursion limits using the example language in my first email
("a parser SHOULD handle recursion up to X levels deep, and MAY abort the
parse if it reaches Y levels deep") for ChapterAtom and SimpleTag elements
would allow a muxing program to emit a warning to the user if the recursion
level exceeded Y (it's not a fatal error, but it would be nice to let the
user know their file has abnormally deep recursion that might not be
compatible with various parsers).

On Wed, Jan 17, 2018 at 2:31 PM, Michael Niedermayer <michael@niedermayer.cc
> wrote:

> On Wed, Jan 17, 2018 at 12:33:17PM -0800, Michael Bradshaw wrote:
> > The EBML and Matroska specs currently don't mention the possibility of a
> > stack overflow due to deeply nested recursive elements. Currently,
> there's
> > no limit on the recursion depth (unless I've overlooked it somewhere).
> >
> > I think it would be worth adding to the security section of EBML that one
> > type of attack on an EBML Reader could include deep element recursion.
> >
>
> > Additionally, I would like to see what people think about potentially
> > adding/suggesting an upper limit on recursion (either as a MUST or a
> MAY).
> > This could also include a lower limit too. For example, something like "a
> > parser SHOULD handle recursion up to X levels deep, and MAY abort the
> parse
> > if it reaches Y levels deep".
>
> If a limit is specified then theres a limit that every compliant parser
> must support and which a compliant muxer can use.
>
> If no such limit is specified then it is possible that in a system where
> all parts are specification compliant and otherwise compatible it doesnt
> work.
>
> So I think its more a question about what/when compatibility is guranteed
> / what compatibility we want the specification to gurantee
> from that it follows if we need a limit in the specification/draft or not
>
> [...]
>
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> If a bugfix only changes things apparently unrelated to the bug with no
> further explanation, that is a good sign that the bugfix is wrong.
>
> _______________________________________________
> Cellar mailing list
> Cellar@ietf.org
> https://www.ietf.org/mailman/listinfo/cellar
>
>

v2.23.0 | Report a Bug | By Email