New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a security consideration about partial messages #728
Conversation
If I understood this right: Doesn't this mean that this exploits a detachment between TCP and a protocol atop TCP, which doesn't inform the application of the arrival of a FIN? In this case, I don't understand the concern raised by @squarooticus in #717: the delivery of "outstanding partial messages" means that the receiver has them in the buffer, and then a FIN arrives - upon reception of the FIN, these "outstanding partial messages" should be delivered. That seems right to me. I may easily be completely off track! But either way, @gorryfair also noted in #717 that the attack should be described, so I don't think that this PR satisfies the issue as it stands. |
A contrived example of the problem is if you intend to execute "rm -rf /some/path" and it somehow gets truncated to "rm -rf /". Protocols need to be designed in such a way that they deal properly with partial messages. I think the proposed text is fine. |
Aha! That's completely different than my reading of the Wikipedia page. Then that's fine, I also agree. |
My 2c: You can always design bad apps: I don't think transports should be designed to do application data checks... applications should do that on the data they send. |
The new text seems to say what it should, although I don't see what this is an "attack", it would happen naturally when communications breaks. |
Maybe we should discuss this. I see the need for something here as twofold:
Specifically because TAPS provides message and layer abstractions (for security and framing), it's imperative that the implementor of each stage of the pipeline preserve the partial/full message distinction because unlike applications built on top of TCP sockets the application author may not have the ability to detect a partial message because windowing/framing at the lower layers aren't exposed to the application. Based on this conversation, it sounds like we do need the text to make this a bit clearer. |
I think this is useful to keep in. Security considerations are always good to point out. Happy to take suggestions for clarity. |
|
||
Applications should also take care to not assume that all data received using the Transport Services API is always | ||
complete or well-formed. Specifically, messages that are received partially {{receive-partial}} could be a source | ||
of truncation attacks if applications do not distinguish between partial messages and complete messages. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
of truncation attacks if applications do not distinguish between partial messages and complete messages. | |
of truncation attacks if applications do not distinguish between partial messages and complete messages. | |
The Transport Services system MUST NOT deliver partial data without correctly marking it as partial. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@squarooticus does this work?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
fallback or re-establishment is supported in the Transport Services system. | ||
|
||
Applications should also take care to not assume that all data received using the Transport Services API is always | ||
complete or well-formed. Specifically, messages that are received partially {{receive-partial}} could be a source |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Clarify that complete receives are complete.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This LGTM
|
||
Applications should also take care to not assume that all data received using the Transport Services API is always | ||
complete or well-formed. Specifically, messages that are received partially {{receive-partial}} could be a source | ||
of truncation attacks if applications do not distinguish between partial messages and complete messages. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGMT with @tfpauly's additions
Closes #717