[sc34wg3] <mergeMap/> and security

Lars Heuer heuer at semagia.com
Fri Mar 24 12:12:47 EST 2006


Hi all,

While several aspects of the advantages and disadvantages of the
mergeMap element were discussed here, I believe nobody has mentioned
that the mergeMap feature may be insecure.

I think XTM is considered as one of the essential technologies that
will enable TM applications to talk to each other and to share their
knowledge encoded in topic maps.

Ad hoc I can imagine the following DoS attacks using the mergeMap
element:

- Blocking the application:
  Topic map A contains a reference to topic map B.
  The attacker serves topic map B very, very slowly from his server.

- Creating an endless loop:
  Topic map C contains a reference to topic map D where D is a script
  that itself generates a new
         <topicMap><mergeMap href="[URI]"/></topicMap>
  topic map, where [URI] points back to the script and [URI] is
  changed at every iteration (i.e. using a simple counter).


IMO these scenarios are not very appealing and offering
possibilities for such an attack via an *interchange* syntax is a bad
idea.

The mentioned attacks are possible with XTM 1.0; we should take care
that they are not possible with XTM 2.0. We should remove the
"mergeMap" element from XTM 2.0.

The argument that the applications that read the XTM could be
configured that they ignore the "mergeMap" element is not very good
because once we have the "mergeMap" element in the syntax, authors will
use it and expect that it will be processed according to the XTM
standard.
  
Best regards,
Lars
-- 
http://semagia.com
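
Added example, not part of the original message and not code from any XTM implementation: a sketch of how a reader that does follow mergeMap could bound both scenarios above with a time budget, a document count and a depth limit. The fetch(uri, timeout) interface, the limit values and the example.invalid URIs are assumptions, and href values are assumed to be absolute.

```python
import time
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"  # XTM 1.0 style attribute

class MergeLimitExceeded(Exception):
    """Raised when following mergeMap references exceeds a configured budget."""

def resolve_merge_maps(root_uri, fetch, max_docs=20, max_depth=5,
                       max_bytes=1_000_000, budget_seconds=10.0):
    """Return the URIs loaded while following mergeMap under hard limits.
    fetch(uri, timeout) -> bytes is a hypothetical caller-supplied function;
    it must honour the timeout so a slow server cannot block the reader."""
    deadline = time.monotonic() + budget_seconds  # one budget for the whole merge
    seen, loaded = set(), []
    queue = [(root_uri, 0)]
    while queue:
        uri, depth = queue.pop(0)
        if uri in seen:                  # plain cycle such as A -> B -> A
            continue
        if depth > max_depth:
            raise MergeLimitExceeded(f"mergeMap depth > {max_depth} at {uri}")
        if len(loaded) >= max_docs:      # bounds the "new URI every time" loop
            raise MergeLimitExceeded(f"more than {max_docs} topic maps referenced")
        remaining = deadline - time.monotonic()
        if remaining <= 0:               # bounds the slow-server case
            raise MergeLimitExceeded("time budget for merging exhausted")
        data = fetch(uri, remaining)
        if len(data) > max_bytes:
            raise MergeLimitExceeded(f"{uri} larger than {max_bytes} bytes")
        seen.add(uri)
        loaded.append(uri)
        # Stdlib parser keeps this self-contained; untrusted XML also needs
        # entity-expansion protection in a real reader.
        for el in ET.fromstring(data).iter():
            if el.tag.rsplit("}", 1)[-1] == "mergeMap":
                href = el.get("href") or el.get(XLINK_HREF)
                if href:
                    queue.append((href, depth + 1))
    return loaded

# Constructed stand-in for the self-referencing script: each reply names a fresh URI.
def counter_loop_fetch(uri, timeout):
    n = int(uri.rsplit("=", 1)[-1]) + 1
    return f'<topicMap><mergeMap href="http://example.invalid/tm?n={n}"/></topicMap>'.encode()
```

A visited-URI set alone does not stop the counter loop, since every URI is new; only the depth and document-count limits end it.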