Re: [Cellar] Security considerations: recursive elements
Jerome Martinez <jerome@mediaarea.net> Thu, 18 January 2018 07:42 UTC
Return-Path: <jerome@mediaarea.net>
X-Original-To: cellar@ietfa.amsl.com
Delivered-To: cellar@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FC8512D944 for <cellar@ietfa.amsl.com>; Wed, 17 Jan 2018 23:42:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.621
X-Spam-Level:
X-Spam-Status: No, score=-2.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7j9LVCYjRKN4 for <cellar@ietfa.amsl.com>; Wed, 17 Jan 2018 23:42:45 -0800 (PST)
Received: from 8.mo5.mail-out.ovh.net (8.mo5.mail-out.ovh.net [178.32.116.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 771FD12D832 for <cellar@ietf.org>; Wed, 17 Jan 2018 23:42:45 -0800 (PST)
Received: from player786.ha.ovh.net (b7.ovh.net [213.186.33.57]) by mo5.mail-out.ovh.net (Postfix) with ESMTP id 2D2BB17C6BD for <cellar@ietf.org>; Thu, 18 Jan 2018 08:42:42 +0100 (CET)
Received: from [192.168.2.120] (p5DDB56EF.dip0.t-ipconnect.de [93.219.86.239]) (Authenticated sender: jerome@mediaarea.net) by player786.ha.ovh.net (Postfix) with ESMTPSA id 903E9800A6 for <cellar@ietf.org>; Thu, 18 Jan 2018 08:42:41 +0100 (CET)
To: cellar@ietf.org
References: <CAHUoETL6+2XokNy5skB7dzjuzowoL8kV9gNLgd6HeJYiZcXpOQ@mail.gmail.com> <20180117223156.GD3493@michaelspb> <CAHUoETJqbP3cXn8xOa6J9XLYApSTHxdTpaxA-NQVS-UcM8Ci_A@mail.gmail.com>
From: Jerome Martinez <jerome@mediaarea.net>
Message-ID: <082fb94e-75ed-bb3f-462d-c56a347af693@mediaarea.net>
Date: Thu, 18 Jan 2018 08:42:42 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2
MIME-Version: 1.0
In-Reply-To: <CAHUoETJqbP3cXn8xOa6J9XLYApSTHxdTpaxA-NQVS-UcM8Ci_A@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-GB
X-Ovh-Tracer-Id: 5760666874554224785
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 0
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedtvddrtdefgdduudegucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuqfggjfdpvefjgfevmfevgfenuceurghilhhouhhtmecufedttdenuc
Archived-At: <https://mailarchive.ietf.org/arch/msg/cellar/iqOuGPVwEtLRMVPVaa1gGNp4rbQ>
Subject: Re: [Cellar] Security considerations: recursive elements
X-BeenThere: cellar@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Codec Encoding for LossLess Archiving and Realtime transmission <cellar.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cellar>, <mailto:cellar-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cellar/>
List-Post: <mailto:cellar@ietf.org>
List-Help: <mailto:cellar-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cellar>, <mailto:cellar-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jan 2018 07:42:48 -0000
On 17/01/2018 23:47, Michael Bradshaw wrote: > Thanks for the responses, all! > > I agree that setting minimum/maximum recursion limits doesn't belong > in the EBML spec. I do think the EBML spec should have a note in the > Security Considerations that EBML Readers need to be cognizant of how > they handle recursive elements I missed the case of recursive elements, specified in EBML. for a security section, I don't think that talking about a parser is right, reading https://tools.ietf.org/html/rfc3552 it seems to more about usage of the correct behavior of a protocol rather than badly implemented parser, I am more in favor of something like "it is possible to have unlimited recursion, potential source of denial of service attacks" in security section and "An implementation may set limits on the maximum depth of nesting" in a parser section (similar to JSON RFC). > and should be resilient to deeply nested recursion attacks (without > giving particular recommendations for how that resilience is > achieved). But EBML itself shouldn't attempt to set any specific > limits on recursion depth. > > The reason I suggested setting some kind of minimum/maximum recursion > depth (for Matroska specifically, not for EBML in general) is because > of the points Michael Niedermayer raises. Setting a minimum allows > muxers to write files with confidence that readers will be able to > use/play the data being written (so long as the minimum isn't exceeded). We don't talk anymore about security, and confidence depends on the underlying document e.g. for my EBML document x, I may need only 1 level beside the EBML header and it is fine with that, no need of more. So: - A minimum should not be in Security section (it is not about security) - A minimum depends on the goal of the parser, e.g. a parser just checking top level element size and CRC for checking a file transfer is fine does not need more than 2 levels. Not all tools are video players. > Setting a maximum let's muxers know that if they exceed it, they run > the risk of making a file that some readers can't (fully) play. As far as I know, there is nothing mandatory: tags are not mandatory, a specific stream format is not mandatory, it would be a full new part if we say what a reader should play, with lot of debates (chapters mandatory? tags display mandatory? FFV1 mandatory? H.265 and its royalties mandatory? NTSC only or 8K? Subtitles support mandatory? color description mandatory? maximum length of a text in a tag? can we have a gap in streams?). IMO we talk about a file format and not about what a reader expects to fully play. > > Specifying recursion limits using the example language in my first > email ("a parser SHOULD handle recursion up to X levels deep, and MAY > abort the parse if it reaches Y levels deep") for ChapterAtom and > SimpleTag elements would allow a muxing program to emit a warning to > the user if the recursion level exceeded Y (it's not a fatal error, > but it would be nice to let the user know their file has abnormally > deep recursion that might not be compatible with various parsers). But a player may just ignore any chapter and tag elements and still play fine the file. IMO expected supported elements of Matroska is a different document (e.g. a document about a reader capability? I usually see that with a "format compliance program", having lot of sample files), not in format description which is more general and does not say what element is mandatory, just how to store it. I don't say that it is a bad idea, just that I don't think that saying minimal requirements or warnings about potentially unsupported nesting level should be in a bitstream specification permitting lot of optional parts. Jérôme
- Re: [Cellar] Security considerations: recursive e… Ashley Blewer
- [Cellar] Security considerations: recursive eleme… Michael Bradshaw
- Re: [Cellar] Security considerations: recursive e… Reto Kromer
- Re: [Cellar] Security considerations: recursive e… Jerome Martinez
- Re: [Cellar] Security considerations: recursive e… Reto Kromer
- Re: [Cellar] Security considerations: recursive e… Michael Niedermayer
- Re: [Cellar] Security considerations: recursive e… Michael Bradshaw
- Re: [Cellar] Security considerations: recursive e… Jerome Martinez
- Re: [Cellar] Security considerations: recursive e… Reto Kromer
- Re: [Cellar] Security considerations: recursive e… Reto Kromer
- Re: [Cellar] Security considerations: recursive e… Dave Rice
- Re: [Cellar] Security considerations: recursive e… Peter B.
- Re: [Cellar] Security considerations: recursive e… Michael Bradshaw
- Re: [Cellar] Security considerations: recursive e… Steve Lhomme
- Re: [Cellar] Security considerations: recursive e… Steve Lhomme
- Re: [Cellar] Security considerations: recursive e… Steve Lhomme
- Re: [Cellar] Security considerations: recursive e… Steve Lhomme
- Re: [Cellar] Security considerations: recursive e… Luca Barbato
- Re: [Cellar] Security considerations: recursive e… hubblec4