[sc34wg3] <mergeMap/> and security

Robert Barta rho at bigpond.net.au
Sat Mar 25 02:02:51 EST 2006


On Fri, Mar 24, 2006 at 06:12:47PM +0100, Lars Heuer wrote:
> While several aspects of the advantages and disadvantages of the
> mergeMap element were discussed here, I believe nobody has mentioned
> that the mergeMap feature may be insecure.

Not recently, no.

> Ad hoc I can imagine the following DoS attacks using the mergeMap
> element:
> 
> - Blocking the application:
>   Topic map A contains a reference to topic map B.
>   The attacker serves topic map B very, very slowly from his server.

OK, here I can use timeouts to cancel operations.

> - Creating an endless loop
>   Topic map C contains a reference to topic map D where D is a script
>   that itself generates a new
>          <topicMap><mergeMap href="[URI]"/></topicMap>
>   topic map, where [URI] points back to the script and [URI] is
>   changed at every iteration (i.e. using a simple counter).

That is called 'tarpitting' and we use it on various occasions to
annoy spambots, although not with TMbots. Yet.

But, here the application may use a 'nesting level' protection.

There are a few other attacks against TM servers. One is simply to
poison the content. Another is more insidious: by clever choice of
subject indication and subject identification, it simply forces a TM
engine to merge A LOT of topics. Maybe even all of them.  And if you
know HOW the TM processor does this, you can specifically water-torture
it.

Yeah, merging should definitely happen under controllable conditions.

\rho
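
Added example, not part of the original message and not code from any Topic Maps engine: a mergeMap resolver that applies the two protections mentioned above, a time budget passed down as a fetch timeout and a 'nesting level' limit, plus a cap on the total number of maps. The `fetch(uri, timeout)` interface, the limit values, and the `example.test` documents are assumptions constructed for illustration; relative URI resolution is left out.

```python
import time
import xml.etree.ElementTree as ET

class MergeLimitExceeded(Exception):
    """Resolving mergeMap references went past a configured limit."""

def resolve_merge_maps(root_uri, fetch, max_depth=3, max_docs=20, budget_s=10.0):
    """Follow <mergeMap href="..."/> references; return the URIs fetched.

    fetch(uri, timeout) -> XML text is a hypothetical interface; it must
    raise TimeoutError when the remote server is too slow.
    """
    deadline = time.monotonic() + budget_s
    seen, order, stack = set(), [], [(root_uri, 0)]
    while stack:
        uri, depth = stack.pop()
        if uri in seen:  # ordinary A -> B -> A cycle: already merged
            continue
        if depth > max_depth:  # 'nesting level' protection
            raise MergeLimitExceeded(f"nesting level {depth} > {max_depth} at {uri}")
        if len(seen) >= max_docs:  # cap on total documents (wide fan-out)
            raise MergeLimitExceeded(f"more than {max_docs} maps referenced")
        remaining = deadline - time.monotonic()
        if remaining <= 0:  # whole-operation time budget
            raise MergeLimitExceeded("time budget exhausted")
        text = fetch(uri, timeout=remaining)  # TimeoutError propagates to caller
        seen.add(uri)
        order.append(uri)
        for el in ET.fromstring(text).iter():
            # match on local name so namespaced and plain documents both work
            if el.tag.rsplit("}", 1)[-1] == "mergeMap" and el.get("href"):
                stack.append((el.get("href"), depth + 1))
    return order

# Constructed in-memory "web" standing in for remote servers.
BASE = "http://example.test/"

def fake_fetch(uri, timeout):
    if uri == BASE + "slow":  # server that never answers in time
        raise TimeoutError(uri)
    if uri.startswith(BASE + "gen?n="):  # script that points to a fresh URI each time
        n = int(uri.rsplit("=", 1)[1])
        return f'<topicMap><mergeMap href="{BASE}gen?n={n + 1}"/></topicMap>'
    other = "b" if uri.endswith("/a") else "a"  # a and b reference each other
    return f'<topicMap><mergeMap href="{BASE}{other}"/></topicMap>'

if __name__ == "__main__":
    print(resolve_merge_maps(BASE + "a", fake_fetch))
```

A visited-URI set alone stops the plain cycle but not the counter-based script, because every generated URI is new; the depth and document caps are what end that case.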

