[
Lists Home |
Date Index |
Thread Index
]
Tyler Close ha scritto:
>
> Given how the OpenSSL hackers have fared with ASN.1, letting
> web service hackers muck about with ASN.1 seems like a poor idea.
>
> Definitely an issue that must be addressed by those
> advocating use of ASN.1 as a binary encoding of the XML Infoset.
Decoding ASN.1 BER/DER is not particularly difficult. The procedure is
specified in pages 10-37 of X.690 (*), which has been around for two
decades. If there are buggy implementations out there, they are not due to
the alleged complexity of ASN.1, but to careless programming and superficial
testing.
Note that ASN.1 decoding involves a significant amount of validation. You
parse and validate at the same time. Who can make the statement that XML
1.0 parsers which do XML Schema validation while parsing are inherently
simpler than ASN.1 decoders? I believe that the level of complexity is
roughly the same. So, to the extent that bugginess is related to
complexity, these parsers are as subject to bugginess as their ASN.1
counterparts, all other factors being equal.
The solution is, in both cases, designing with safety in mind, better and
safer programming practices and better and more thorough testing, which does
not seem to have happened in the case of those SNMP and OpenSSL
implementations.
Blame the programmers and those who have carelessly used their code, not the
technology.
Alessandro Triglia
OSS Nokalva
-------
(*) http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
>
> Tyler
>
> ---------- Forwarded Message ----------
>
> Subject: [e-lang] Protocol implementation errors
> Date: Thu, 2 Oct 2003 14:50:21 -0700
> From: Bill Frantz <frantz@pwpconsult.com>
> To: cryptography@metzdowd.com
> Cc: e-lang@mail.eros-os.org
>
> From:
> > -- Security Alert Consensus --
> > Number 039 (03.39)
> > Thursday, October 2, 2003
> > Network Computing and the SANS Institute
> > Powered by Neohapsis
> >
> >*** {03.39.004} Cross - OpenSSL ASN.1 parsing vulns
> >
> >OpenSSL versions 0.9.6j and 0.9.7b (as well as prior)
> contain multiple
> >bugs in the parsing of ASN.1 data, leading to denials of
> services. The
> >execution of arbitrary code is not yet confirmed, but it has
> not been
> >ruled out.
>
> This is the second significant problem I have seen in
> applications that use ASN.1 data formats. (The first was in
> a widely deployed implementation of
> SNMP.) Given that good, security conscience programmers have
> difficultly getting ASN.1 parsing right, we should favor
> protocols that use easier to parse data formats.
>
> I think this leaves us with SSH. Are there others?
>
> Cheers - Bill
>
>
> --------------------------------------------------------------
> -----------
> Bill Frantz | "There's nothing so clear as | Periwinkle
> (408)356-8506 | vague idea you haven't written | 16345
> Englewood Ave
> www.pwpconsult.com | down yet." -- Dean Tribble | Los
> Gatos, CA 95032
>
>
> _______________________________________________
> e-lang mailing list
> e-lang@mail.eros-os.org http://www.eros-os.org/mailman/listinfo/e-lang
>
> -------------------------------------------------------
>
> --
> The union of REST and capability-based security:
http://www.waterken.com/dev/Web/
-----------------------------------------------------------------
The xml-dev list is sponsored by XML.org <http://www.xml.org>, an initiative
of OASIS <http://www.oasis-open.org>
The list archives are at http://lists.xml.org/archives/xml-dev/
To subscribe or unsubscribe from this list use the subscription
manager: <http://lists.xml.org/ob/adm.pl>
|
