IETF Logo Mail Archive

Re: [Cellar] Security considerations: recursive elements

Michael Bradshaw <mjbshaw@google.com> Thu, 18 January 2018 17:53 UTC

Return-Path: <mjbshaw@google.com>
X-Original-To: cellar@ietfa.amsl.com
Delivered-To: cellar@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FF6612D0C3 for <cellar@ietfa.amsl.com>; Thu, 18 Jan 2018 09:53:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l58q6BIVc0zA for <cellar@ietfa.amsl.com>; Thu, 18 Jan 2018 09:53:34 -0800 (PST)
Received: from mail-io0-x231.google.com (mail-io0-x231.google.com [IPv6:2607:f8b0:4001:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F27BD129C56 for <cellar@ietf.org>; Thu, 18 Jan 2018 09:53:33 -0800 (PST)
Received: by mail-io0-x231.google.com with SMTP id m11so16339171iob.2 for <cellar@ietf.org>; Thu, 18 Jan 2018 09:53:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Q1ilj7FAo5HAgbxGakMUKyQD6+n6bacbpLBNDQwT7AM=; b=mKuR3qOMui1vwnT153D/JioYXCQK3Nw4MDr0vR/DOhvxvzHtK4+vXzc0WfCSPTNOGq 05uo8bpvjfmrJNFYgLMJ2CKcZFNDLn3Q6Pl4ap7tadN5dO+AJcO39Vpz8S9ufdJDzTtZ jPuAPD0QNsmWeYwqjIcM4gQjJIT4Cc6EP6Hf7Z3zhyC7Heu+9sTZ0qHkB+9085Lq7Oqk fauQCA1hU1Al2O9nEZG7k6Uj6/eq7ZWJAspkqcGUxPjhHwvFtaT6uKPLMKZBaBlRkz+E z98xNekSHdctOFHU+zDWYPxezebsXZe8ToWFaZSaW6wBn2HIgd0P7r+BrFw8u3wA7Pca flcg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Q1ilj7FAo5HAgbxGakMUKyQD6+n6bacbpLBNDQwT7AM=; b=FyebTPY+n+mNdmwp5/RSu1EpO2+1gAmsPB0SKMPWtIpywK1ajB7HqXyJFWHYSX5hsm kP61QzR0HMlg65pJUyVkXD3rDbWqYKzjZva09Z7vV+DH+Qr0M3jRE/D/GF6tUM9UazXa Icy8YiymDbms/vNhRq/RMBhfFvDWLDezViptyW3sNW1IPJD4G7tVvsrpV+Mzme6Q8kFm Ot6UWNHzrgU08aJOKUMQJvJLULOl78RvXzPdKf4fDyR5ez4IvvdSk51nE0gTDTxpHXEK MDalZCI69J+Lru5XXs4ZchtRj1H8aNWKGi8cSx9RswP8A7MurCRJd50uIcRDoRFRwMkH 3m+g==
X-Gm-Message-State: AKwxyte3dQa+bWWLC5KtVcvu6cbk4RM6u0eL0HytUnBF4ZZlW5kGQusY YJkFASKPbradmvf5TUKghL8xhl1xbQo2tNAsIZoHn08T8w0=
X-Google-Smtp-Source: ACJfBou8P5XumZRaRjAK95xHIyzkKBsPGLwpaIW3g9EnT5u7r7eeXT6MUwsGew/2nvXmJwGakq9gtbVucT7P+rQqrzc=
X-Received: by 10.107.33.65 with SMTP id h62mr16905369ioh.104.1516298012848; Thu, 18 Jan 2018 09:53:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.79.36.75 with HTTP; Thu, 18 Jan 2018 09:53:12 -0800 (PST)
In-Reply-To: <082fb94e-75ed-bb3f-462d-c56a347af693@mediaarea.net>
References: <CAHUoETL6+2XokNy5skB7dzjuzowoL8kV9gNLgd6HeJYiZcXpOQ@mail.gmail.com> <20180117223156.GD3493@michaelspb> <CAHUoETJqbP3cXn8xOa6J9XLYApSTHxdTpaxA-NQVS-UcM8Ci_A@mail.gmail.com> <082fb94e-75ed-bb3f-462d-c56a347af693@mediaarea.net>
From: Michael Bradshaw <mjbshaw@google.com>
Date: Thu, 18 Jan 2018 09:53:12 -0800
Message-ID: <CAHUoETLiqTe=4tM49yd=bo8Du8coa+9sAN_AKatHCzLNCdDWuQ@mail.gmail.com>
To: Jerome Martinez <jerome@mediaarea.net>
Cc: Codec Encoding for LossLess Archiving and Realtime transmission <cellar@ietf.org>
Content-Type: multipart/alternative; boundary="001a1140ffe66e8708056310a4b5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cellar/oKBBH-kZuzYJRV_EvrQCHw9w2CE>
Subject: Re: [Cellar] Security considerations: recursive elements
X-BeenThere: cellar@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Codec Encoding for LossLess Archiving and Realtime transmission <cellar.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cellar>, <mailto:cellar-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cellar/>
List-Post: <mailto:cellar@ietf.org>
List-Help: <mailto:cellar-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cellar>, <mailto:cellar-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jan 2018 17:53:36 -0000

On Wed, Jan 17, 2018 at 11:42 PM, Jerome Martinez <jerome@mediaarea.net>
wrote:
>
> I missed the case of recursive elements, specified in EBML.
> for a security section, I don't think that talking about a parser is right


The current EBML specification's Security Consideration section contains a
bulleted list for "Attacks on an EBML Reader" (where an "EBML Reader" is
explicitly defined as a "data parser[...]"). So if we shouldn't be talking
about security considerations for parsers, then that whole bulleted list
should be removed (which I'm opposed to doing). Perhaps I've misunderstood
your point here, though.

I am more in favor of  something like "it is possible to have unlimited
> recursion, potential source of denial of service attacks" in security
> section and
> "An implementation may set limits on the maximum depth of nesting" in a
> parser section (similar to JSON RFC).


My apologies if my previous communications have been unclear, but this is
actually what I'm trying to advocate for, so I think we might agree more
than we realize. While I have been suggesting including minimum/maximum
levels, I think that using something like you've written here (and
completely omitting minimum/maximums) would still be a great improvement.

I do think that also including some kind of minimum/maximum levels could be
useful. I also think that if we do have them, they should use SHOULD/MAY
language instead of MUST. Using SHOULD/MAY would give guidance to
implementors on how they can maximize interoperability while still allowing
them total freedom (the implementation would still be conforming to the
spec even if it went against a SHOULD/MAY guidance).

We don't talk anymore about security, and confidence depends on the
> underlying document e.g. for my EBML document x, I may need only 1 level
> beside the EBML header and it is fine with that, no need of more.
> So:
> - A minimum should not be in Security section (it is not about security)
>

I agree that minimum or even maximum limits should not be placed in the
security section. They belong elsewhere in the Matroska specification
(exactly which section, I don't know). Sorry for not stating this more
clearly in my original email.

- A minimum depends on the goal of the parser, e.g. a parser just checking
> top level element size and CRC for checking a file transfer is fine does
> not need more than 2 levels. Not all tools are video players.


I'm not advocating for HOW the parsers should handle deep recursion (I
probably shouldn't have used the language "abort the parse" in my original
email; it was just meant to be a starting point for the conversation).
Handling it by skipping it is fine. If a particular element is not needed
for the goals of the application, the parser should certainly feel at
liberty to skip over it.

But a player may just ignore any chapter and tag elements and still play
> fine the file.


Yes, the encoded media data can still be parsed/decoded and the media can
still be played. But part of playing a video is showing to the user the
chapter and tag information to the video. If the player ignores the chapter
or tag elements, then the playback experience is incomplete. Not all
players utilize the chapter and tag elements, but those that do will likely
have some kind of upper limit on the level of recursion they can
meaningfully handle.

v2.23.0 | Report a Bug | By Email