IETF Logo Mail Archive

Re: [Cellar] Security considerations: recursive elements

Steve Lhomme <slhomme@matroska.org> Sun, 21 January 2018 17:11 UTC

Return-Path: <slhomme@matroska.org>
X-Original-To: cellar@ietfa.amsl.com
Delivered-To: cellar@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C94F126D73 for <cellar@ietfa.amsl.com>; Sun, 21 Jan 2018 09:11:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=matroska-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UulfYyje1NeP for <cellar@ietfa.amsl.com>; Sun, 21 Jan 2018 09:11:00 -0800 (PST)
Received: from mail-pg0-x22c.google.com (mail-pg0-x22c.google.com [IPv6:2607:f8b0:400e:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2612126CE8 for <cellar@ietf.org>; Sun, 21 Jan 2018 09:11:00 -0800 (PST)
Received: by mail-pg0-x22c.google.com with SMTP id g16so5219756pgn.7 for <cellar@ietf.org>; Sun, 21 Jan 2018 09:11:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=matroska-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=i7gh5/iD+f4RVQwvb57I6E4tFzi+HXWhYrKV4750eGY=; b=CBr5aT0CF8ojHJMTwqoyKX7YuubsKY2ktrCBv2G+Gpx1UHCX9pp9XMsTa//yxb5dCC gnOEVeAq0X1DKmDXA0RP3k6PM0qQQhnYjJqh/tgl9JDr/Weqe8V3yvXtw1yAvEDcdibA OfxNBPrZtK8B3zv9KiOur8Bc0PV4wvth8XwYhuHMyu+cru6nVZ4JDUASsQMjXRaT7zb0 BgYVH9LAjsgziMhGoPdiLQeCM/Lk+kGW/+XHdhK0kKB1C83J3+wP4U7CsOoKO9Pt2l8n /EEgsMKV0z2A9V1NglDo/m2R6PR6Qk4cp2ghGPXxpw9OvxDez51ieF9QTpV1lk86XOci B9ew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=i7gh5/iD+f4RVQwvb57I6E4tFzi+HXWhYrKV4750eGY=; b=o07hOMpfQM5BrWyaxVPogwles7EEz255auGMoD+VMCigIdo+/YE5NWVrq2txJfE4mB Pf7UeMS4okQUmwzLVEGkivud09cTJqlaMM/RqkqH8KDtU7MUOg4YhlID42lkHSCadNPz 7NwemhdpMQrkP6lC9Oh5vNG2Ylo4WRTtyET4su/Ck3fVvKdYlmO7YomKqDDrgS1GVsic Js1pLlVRUp7vB+N6eqDudqzvGvJjQYHeouOdXupsmUghar8Pb/X01UKCQiVk7uKcPRPs fKCvuF7qVUiA/NQcf/PmM4Zx4gAIqASoFSUIsqsBcBiamKXB3zyejdSCdA94+lMHjKxc awoQ==
X-Gm-Message-State: AKwxyteJuEa2cPMaFtZ2bTrvdRuxNRYIARR7vRb8V9UrOccREGvJFiWQ TrgTwdIu7UY+TVdfDl+1g117PTeNT4fJLnDCfju4tNcU
X-Google-Smtp-Source: AH8x227vDZe5XBDeF7OqCM1FlTZBdBNkIZwjuD9rT/+mCJnhjQhVgdpEj1uZOQ49uzkC9HpQQdaTd5QqwyWz/+bONAw=
X-Received: by 10.99.147.21 with SMTP id b21mr4844894pge.318.1516554660027; Sun, 21 Jan 2018 09:11:00 -0800 (PST)
MIME-Version: 1.0
Received: by 10.236.189.150 with HTTP; Sun, 21 Jan 2018 09:10:59 -0800 (PST)
In-Reply-To: <CAHUoETLiqTe=4tM49yd=bo8Du8coa+9sAN_AKatHCzLNCdDWuQ@mail.gmail.com>
References: <CAHUoETL6+2XokNy5skB7dzjuzowoL8kV9gNLgd6HeJYiZcXpOQ@mail.gmail.com> <20180117223156.GD3493@michaelspb> <CAHUoETJqbP3cXn8xOa6J9XLYApSTHxdTpaxA-NQVS-UcM8Ci_A@mail.gmail.com> <082fb94e-75ed-bb3f-462d-c56a347af693@mediaarea.net> <CAHUoETLiqTe=4tM49yd=bo8Du8coa+9sAN_AKatHCzLNCdDWuQ@mail.gmail.com>
From: Steve Lhomme <slhomme@matroska.org>
Date: Sun, 21 Jan 2018 18:10:59 +0100
Message-ID: <CAOXsMFJP-NcuNEBwRDR4TAMjTEz-LQiOoL45_aAj8qvgbJ6ToA@mail.gmail.com>
To: Michael Bradshaw <mjbshaw@google.com>
Cc: Jerome Martinez <jerome@mediaarea.net>, Codec Encoding for LossLess Archiving and Realtime transmission <cellar@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cellar/enjGYGmnPeArDzMICNs-2LG87GE>
Subject: Re: [Cellar] Security considerations: recursive elements
X-BeenThere: cellar@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Codec Encoding for LossLess Archiving and Realtime transmission <cellar.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cellar>, <mailto:cellar-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cellar/>
List-Post: <mailto:cellar@ietf.org>
List-Help: <mailto:cellar-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cellar>, <mailto:cellar-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jan 2018 17:11:02 -0000

(starting to reply from the bottom of the thread)

2018-01-18 18:53 GMT+01:00 Michael Bradshaw <mjbshaw@google.com>:
> On Wed, Jan 17, 2018 at 11:42 PM, Jerome Martinez <jerome@mediaarea.net>
> wrote:
>>
>> I missed the case of recursive elements, specified in EBML.
>> for a security section, I don't think that talking about a parser is right
>
>
> The current EBML specification's Security Consideration section contains a
> bulleted list for "Attacks on an EBML Reader" (where an "EBML Reader" is
> explicitly defined as a "data parser[...]"). So if we shouldn't be talking
> about security considerations for parsers, then that whole bulleted list
> should be removed (which I'm opposed to doing). Perhaps I've misunderstood
> your point here, though.

I agree with Michael, this is a legitimate attack and it should be
mentioned. Putting limits is a different topic that would probably go
in a different section of the specs.

>> I am more in favor of  something like "it is possible to have unlimited
>> recursion, potential source of denial of service attacks" in security
>> section and
>> "An implementation may set limits on the maximum depth of nesting" in a
>> parser section (similar to JSON RFC).
>
>
> My apologies if my previous communications have been unclear, but this is
> actually what I'm trying to advocate for, so I think we might agree more
> than we realize. While I have been suggesting including minimum/maximum
> levels, I think that using something like you've written here (and
> completely omitting minimum/maximums) would still be a great improvement.
>
> I do think that also including some kind of minimum/maximum levels could be
> useful. I also think that if we do have them, they should use SHOULD/MAY
> language instead of MUST. Using SHOULD/MAY would give guidance to
> implementors on how they can maximize interoperability while still allowing
> them total freedom (the implementation would still be conforming to the spec
> even if it went against a SHOULD/MAY guidance).

I agree with that too. EBMLMaxSizeLength was mentioned in the thread
and it would make sense to make a recursion limit per file in the EBML
header. That would let parsers know if they can handle the file or not
in advance and/or detect security attacks.

We could either have a default value for that element or none which
means there's no de-facto maximum.

It also not be an element but something more complex, since the amount
of recursion allowed may differ between elements (see nested tags vs
nested chapters). But it may be easier for the reader and the writer
to have only one limit for all.

In any case a default maximum valu would belong in the Matroska
specifications, not the EBML ones.

>> We don't talk anymore about security, and confidence depends on the
>> underlying document e.g. for my EBML document x, I may need only 1 level
>> beside the EBML header and it is fine with that, no need of more.
>> So:
>> - A minimum should not be in Security section (it is not about security)
>
>
> I agree that minimum or even maximum limits should not be placed in the
> security section. They belong elsewhere in the Matroska specification
> (exactly which section, I don't know). Sorry for not stating this more
> clearly in my original email.

We all agree.

>> - A minimum depends on the goal of the parser, e.g. a parser just checking
>> top level element size and CRC for checking a file transfer is fine does not
>> need more than 2 levels. Not all tools are video players.
>
>
> I'm not advocating for HOW the parsers should handle deep recursion (I
> probably shouldn't have used the language "abort the parse" in my original
> email; it was just meant to be a starting point for the conversation).
> Handling it by skipping it is fine. If a particular element is not needed
> for the goals of the application, the parser should certainly feel at
> liberty to skip over it.
>
>> But a player may just ignore any chapter and tag elements and still play
>> fine the file.

Not if the ordered chapters are truncated by enforcing a bogus maximum.

> Yes, the encoded media data can still be parsed/decoded and the media can
> still be played. But part of playing a video is showing to the user the
> chapter and tag information to the video. If the player ignores the chapter
> or tag elements, then the playback experience is incomplete. Not all players
> utilize the chapter and tag elements, but those that do will likely have
> some kind of upper limit on the level of recursion they can meaningfully
> handle.
>
> _______________________________________________
> Cellar mailing list
> Cellar@ietf.org
> https://www.ietf.org/mailman/listinfo/cellar
>



-- 
Steve Lhomme
Matroska association Chairman

v2.23.0 | Report a Bug | By Email