[sc34wg3] <mergeMap/> and security

Robert Barta rho at bigpond.net.au
Sat Apr 1 17:37:55 EST 2006


On Fri, Mar 31, 2006 at 03:42:01PM +0200, Lars Marius Garshol wrote:
> * Robert Barta
> >
> >Another is more insidious: by clever choice of subject indication  
> >and subject identification, it simply forces a TM engine to merge A  
> >LOT of topics. Maybe even all of them.

> True.  However, if you validate the additions to the topic map (and
> you should, anyway) then the resulting topic map will not be valid,
> and so the modification will be rolled back.

True, but the insidiousness of the attack is that - once the attacker
has analyzed the merging procedure of a particular piece of software -
the recipient has very high computational costs.

You can protect yourself from it by limiting the size of the
interchanged fragment, though.

\rho
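
An added example, not part of the original message or of any Topic Maps engine: a pre-merge admission check that applies the fragment size limit suggested above and, going one step further, also caps how many topics a single fragment may force into one merged topic. It assumes a simplified model in which a topic is just a set of subject identifier/locator strings; the names `admit` and `largest_merge_group`, the two limits and the sample data are all hypothetical.

```python
# Added example (not from the original thread). Simplified model: a topic is
# a set of subject identifier/locator strings; topics sharing one are merged.
MAX_FRAGMENT_TOPICS = 100  # assumed policy value
MAX_MERGE_GROUP = 5        # assumed policy value

def largest_merge_group(store, fragment):
    """Size of the largest merged group that contains a fragment topic."""
    topics = list(store) + list(fragment)
    parent = list(range(len(topics)))  # union-find forest, no real merging

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    owner = {}  # identifier -> index of the first topic seen carrying it
    for i, ids in enumerate(topics):
        for sid in ids:
            j = owner.setdefault(sid, i)
            parent[find(i)] = find(j)

    size, touched = {}, set()
    for i in range(len(topics)):
        root = find(i)
        size[root] = size.get(root, 0) + 1
        if i >= len(store):  # group contains a topic from the fragment
            touched.add(root)
    return max((size[r] for r in touched), default=0)

def admit(store, fragment):
    """Return (accepted, reason) before the engine attempts the real merge."""
    if len(fragment) > MAX_FRAGMENT_TOPICS:
        return False, "fragment exceeds topic limit"
    group = largest_merge_group(store, fragment)
    if group > MAX_MERGE_GROUP:
        return False, f"fragment would merge {group} topics into one"
    return True, "ok"

# Constructed sample data.
STORE = [{f"http://example.org/psi/t{n}"} for n in range(50)]
BENIGN = [{"http://example.org/psi/t3", "http://example.org/psi/new"}]
HOSTILE = [{f"http://example.org/psi/t{n}" for n in range(50)}]
```

The check itself runs in near-linear time over the identifiers involved, so rejecting a hostile fragment stays cheap compared with carrying out the merge and rolling it back.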

