xml-dev - RE: [xml-dev] Fwd: [e-lang] Protocol implementation errors

RE: [xml-dev] Fwd: [e-lang] Protocol implementation errors

[ Lists Home | Date Index | Thread Index ]

To: "'Rich Salz'" <rsalz@datapower.com>
Subject: RE: [xml-dev] Fwd: [e-lang] Protocol implementation errors
From: "Alessandro Triglia" <sandro@mclink.it>
Date: Fri, 3 Oct 2003 15:19:33 -0400
Cc: <xml-dev@lists.xml.org>
Importance: Normal
In-reply-to: <3F7DC64C.8030801@datapower.com>



> -----Original Message-----
> From: Rich Salz [mailto:rsalz@datapower.com] 
> Sent: Friday, October 03, 2003 14:56
> To: Alessandro Triglia
> Cc: xml-dev@lists.xml.org
> Subject: Re: [xml-dev] Fwd: [e-lang] Protocol implementation errors
> 
> 
> > After over 18 months
> > of close scrutiny, no one has been able to report any architectural 
> > flaw in either the ASN.1 notation or any of the standard encoding 
> > rules, which might have increased the risk of program misbehavior.  
> > The standards are innocent.
> 
> That's a pretty broad claim to make, and I'm not so sure I'd go along 
> with that.  I could imagine playing some interesting games with 
> indefinite-form length (or tag) values that get something 
> "interesting" 
> to happen because they cause wrap-around or (for lengths) make the 
> system consume gobs of memory, hang in a network read waiting for the 
> infinite data that will never come, etc.  Did the 
> scrutinizers think of 
> those things?


Last year, for SNMP, someone built large sets of test cases to exercise all
the features of the encoding that they could think of (including the ones
you mention), and many of the SNMP products failed on one or another.  All
of those cases of failure involved some old and buggy implementation of BER,
which nobody had ever bothered to test appropriately until 2002.  The
problems were then fixed, as far as I know.

Alessandro


> 
> In my experience, fixing "too long" errors for XML parsers 
> has to happen 
>   in only one place.  Fixing them for ASN.1/[BDP]ER parsers requires 
> fixing it every time you nest a structure or list.
> 	/r$
> -- 
> Rich Salz, Chief Security Architect
> DataPower Technology                           
> http://www.datapower.com
> XS40 XML Security Gateway   
> http://www.datapower.com/products/xs40.html
> XML Security Overview  
> http://www.datapower.com/xmldev/xmlsecurity.ht> ml
> 
> 
> 
> 
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org 
> <http://www.xml.org>, an initiative of OASIS 
<http://www.oasis-open.org>

The list archives are at http://lists.xml.org/archives/xml-dev/

To subscribe or unsubscribe from this list use the subscription
manager: <http://lists.xml.org/ob/adm.pl>

Follow-Ups:
- Re: [xml-dev] Fwd: [e-lang] Protocol implementation errors
  - From: Rich Salz <rsalz@datapower.com>

References:
- Re: [xml-dev] Fwd: [e-lang] Protocol implementation errors
  - From: Rich Salz <rsalz@datapower.com>

Prev by Date: Re: [xml-dev] Fwd: [e-lang] Protocol implementation errors
Next by Date: Re: [xml-dev] Fwd: [e-lang] Protocol implementation errors
Previous by thread: Re: [xml-dev] Fwd: [e-lang] Protocol implementation errors
Next by thread: Re: [xml-dev] Fwd: [e-lang] Protocol implementation errors
Index(es):
- Date
- Thread