Add a security consideration about partial messages #728
Conversation
|
If I understood this right: Doesn't this mean that this exploits a detachment between TCP and a protocol atop TCP, which doesn't inform the application of the arrival of a FIN? In this case, I don't understand the concern raised by @squarooticus in #717: the delivery of "outstanding partial messages" means that the receiver has them in the buffer, and then a FIN arrives - upon reception of the FIN, these "outstanding partial messages" should be delivered. That seems right to me. I may easily be completely off track! But either way, @gorryfair also noted in #717 that the attack should be described, so I don't think that this PR satisfies the issue as it stands. |
|
A contrived example of the problem is if you intend to execute "rm -rf /some/path" and it somehow gets truncated to "rm -rf /". Protocols need to be designed in such a way that they deal properly with partial messages. I think the proposed text is fine. |
|
Aha! That's completely different than my reading of the Wikipedia page. Then that's fine, I also agree. |
|
My 2c: You can always design bad apps: I don't think transports should be designed to do application data checks... applications should do that on the data they send. |
|
The new text seems to say what it should, although I don't see what this is an "attack", it would happen naturally when communications breaks. |
|
Maybe we should discuss this. I see the need for something here as twofold:
Specifically because TAPS provides message and layer abstractions (for security and framing), it's imperative that the implementor of each stage of the pipeline preserve the partial/full message distinction because unlike applications built on top of TCP sockets the application author may not have the ability to detect a partial message because windowing/framing at the lower layers aren't exposed to the application. Based on this conversation, it sounds like we do need the text to make this a bit clearer. |
|
I think this is useful to keep in. Security considerations are always good to point out. Happy to take suggestions for clarity. |
|
|
||
| Applications should also take care to not assume that all data received using the Transport Services API is always | ||
| complete or well-formed. Specifically, messages that are received partially {{receive-partial}} could be a source | ||
| of truncation attacks if applications do not distinguish between partial messages and complete messages. |
There was a problem hiding this comment.
| of truncation attacks if applications do not distinguish between partial messages and complete messages. | |
| of truncation attacks if applications do not distinguish between partial messages and complete messages. | |
| The Transport Services system MUST NOT deliver partial data without correctly marking it as partial. |
There was a problem hiding this comment.
@squarooticus does this work?
| fallback or re-establishment is supported in the Transport Services system. | ||
|
|
||
| Applications should also take care to not assume that all data received using the Transport Services API is always | ||
| complete or well-formed. Specifically, messages that are received partially {{receive-partial}} could be a source |
There was a problem hiding this comment.
Clarify that complete receives are complete.
|
|
||
| Applications should also take care to not assume that all data received using the Transport Services API is always | ||
| complete or well-formed. Specifically, messages that are received partially {{receive-partial}} could be a source | ||
| of truncation attacks if applications do not distinguish between partial messages and complete messages. |
Closes #717