[sc34wg3] <mergeMap/> and security
rho at bigpond.net.au
Sat Apr 1 17:37:55 EST 2006
On Fri, Mar 31, 2006 at 03:42:01PM +0200, Lars Marius Garshol wrote:
> * Robert Barta
> >Another is more insidious: by clever choice of subject indication
> >and subject identification, it simply forces a TM engine to merge A
> >LOT of topics. Maybe even all of them.
> True. However, if you validate the additions to the topic map (and
> you should, anyway) then the resulting topic map will not be valid,
> and so the modification will be rolled back.
True, but the insidiousness of the attack is that - once the attacker
has analyzed the merging procedure of a particular software - the
recipient has very high computational costs.
You can protect yourself from it by limiting the size of the
interchanged fragment, though.
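
One way to combine the fragment size limit and the pre-merge validation discussed in this message, as an added example that is not part of the original thread. It goes one step further by also capping how many existing topics a fragment may collapse into one; the function names, the limits and the sample identifiers are assumptions.

```python
# Added example (not from the thread): admission check run before merging a fragment.
# Assumes the store is already fully merged, so each subject identifier maps to one topic.

class MergeRejected(Exception):
    """Raised when a fragment exceeds the merge budget; the store is left untouched."""

def plan_merge(index, fragment, max_topics=100, max_idents=8, max_collapse=2):
    """index: identifier -> existing topic id. fragment: topic id -> set of identifiers.
    Returns the groups of nodes that would merge; work is bounded by the fragment size."""
    if len(fragment) > max_topics:
        raise MergeRejected("fragment has %d topics, limit %d" % (len(fragment), max_topics))
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    seen = {}  # identifier -> first fragment topic that carried it
    for topic, idents in fragment.items():
        if len(idents) > max_idents:
            raise MergeRejected("topic %r carries %d identifiers" % (topic, len(idents)))
        node = ("frag", topic)
        find(node)
        for ident in idents:
            if ident in index:  # identifier already names an existing topic
                parent[find(("store", index[ident]))] = find(node)
            if ident in seen:  # identifier shared with another fragment topic
                parent[find(("frag", seen[ident]))] = find(node)
            seen.setdefault(ident, topic)
    groups = {}
    for node in list(parent):
        groups.setdefault(find(node), set()).add(node)
    for members in groups.values():
        existing = sorted(t for kind, t in members if kind == "store")
        if len(existing) > max_collapse:
            raise MergeRejected("would collapse %d existing topics: %r" % (len(existing), existing))
    return list(groups.values())

# Constructed sample data: three unrelated existing topics and three incoming fragments.
ROME, OSLO, LIMA = "http://ex.org/si/rome", "http://ex.org/si/oslo", "http://ex.org/si/lima"
INDEX = {ROME: "t1", OSLO: "t2", LIMA: "t3"}
BENIGN = {"f1": {ROME, "http://ex.org/si/roma"}}
OVERBROAD = {"f1": {ROME, OSLO, LIMA}}  # one topic claiming three existing subjects
CHAINED = {"a": {ROME, "urn:x"}, "b": {"urn:x", OSLO}, "c": {"urn:x", LIMA}}
```

Because the check only looks up identifiers carried by the fragment, its cost grows with the fragment and not with the size of the existing topic map.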