[sc34wg3] <mergeMap/> and security

Robert Barta rho at bigpond.net.au
Sat Apr 1 17:37:55 EST 2006

On Fri, Mar 31, 2006 at 03:42:01PM +0200, Lars Marius Garshol wrote:
> * Robert Barta
> >
> >Another is more insidious: by clever choice of subject indication  
> >and subject identification, it simply forces a TM engine to merge A  
> >LOT of topics. Maybe even all of them.

> True.  However, if you validate the additions to the topic map (and
> you should, anyway) then the resulting topic map will not be valid,
> and so the modification will be rolled back.

True, but the insidiousness of the attack is that - once the attacker
has analyzed the merging procedure of a particular software - the
recipient has very high computational costs.

You can protect yourself from it by limiting the size of the
interchanged fragment, though.
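
One way to apply the size limit suggested above, as an added example that is not part of the original message: a check that runs against an identifier index before the engine merges anything, so a rejected fragment costs only lookups rather than a full merge and rollback. The function name, the index layout, the thresholds, and the extra bound on how many stored topics one fragment may fuse are all assumptions that go beyond the message.

```python
class FragmentRejected(Exception):
    """Raised before any merging work is done on the store."""


def _find(parent, x):
    # Union-find lookup with path halving.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def precheck_fragment(identifier_index, fragment,
                      max_topics=50, max_identifiers=200, max_fused=5):
    """Return the largest number of stored topics the fragment would fuse.

    identifier_index: dict mapping identifier -> id of the stored topic
    fragment: list of sets of identifiers, one set per incoming topic
    All three limits are assumed values, to be tuned per deployment.
    """
    # Size limit: count identifiers too, since a single incoming topic
    # can carry arbitrarily many of them.
    total_ids = sum(len(ids) for ids in fragment)
    if len(fragment) > max_topics or total_ids > max_identifiers:
        raise FragmentRejected("fragment too large")

    parent = {}
    for n, ids in enumerate(fragment):
        node = ("in", n)
        parent[node] = node
        for ident in ids:
            # Link via the identifier itself (shared inside the fragment)
            # and via the stored topic that already owns it, if any.
            for other in (("id", ident), ("st", identifier_index.get(ident))):
                if other[1] is None:
                    continue
                parent.setdefault(other, other)
                parent[_find(parent, other)] = _find(parent, node)

    # Count stored topics per merge group; the largest group is the cost.
    fused = {}
    for node in list(parent):
        if node[0] == "st":
            root = _find(parent, node)
            fused[root] = fused.get(root, 0) + 1
    worst = max(fused.values(), default=0)
    if worst > max_fused:
        raise FragmentRejected(f"would fuse {worst} stored topics")
    return worst
```

A return value of 0 or 1 means the fragment adds to the map without collapsing stored topics into each other; anything higher is a merge the recipient may want to review even when it is under the limit.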

