May be There Exists a DoS Attack Opportunity

Question

May be There Exists a DoS Attack Opportunity

martinvahi opened this issue 7 years ago · 4 comments

I do not know anything about the internals of the elle library, but
at echo_server.cc, line 61 there is the following code:

while (true)
    {
    // Yield until reading "<...>\n".
    elle::Buffer line = socket->read_until("\n");
    // Write the line we just get (this yields too).
    socket->write(line);
    }

Depending on the implementation and possible limits set somewhere in the
implementation of the elle library, the line

    elle::Buffer line = socket->read_until("\n");

might allow an attack, where the input stream contains about
1TB worth of characters without containing a single line break.
That might exhaust the RAM of the computer or just crash the
application, if the limits are met.
If the read_until(...) is part of the infinit, then may be in some corner case
it might also crash the infinit server.

Answer 1 · 2017-09-11T08:43:34.000Z

Hi @martinvahi.

You are totally right, but echo_server.cc is an example that is not intended to provide production ready code.

However, I'll review our code base and make sure we took this possible attack into consideration.

Thanks.

Answer 2 · 2017-09-12T09:54:28.000Z

A younger, less experienced, version of me would NOT have noticed that security flaw.
I'm sure that the current version of me is also pretty stupid, but
I can comfort myself with the idea that the situation is kind of
hopeless, as I described at my 2014 blog post titled:
The Future of Security Audits, Episode 0
So, please expect Your example code to be copy-pasted
by novice software developers. Most security flaws that You leave
to Your examples, will be at their code, almost verbatim.

Answer 3 · 2017-09-12T11:00:43.000Z

I absolutely get your point, and even agree in a sense. However, this is a "get started" example for the coroutine engine, which is already a big concept to assimilate. Making the example DoS resistant would likely triple the size of the code - line length is not the only point of attack. This would drown the user trying to teach himself about Elle in memory managment details, and completely shadow the point of how coroutines work. We are going to respectfully disagree here.

Answer 4 · 2017-09-12T15:24:09.000Z

Thank You for the answer(s). Obviously it's Your project and
according to my development religion it's then also
Your decision even, if I were a nasty dictator sending my Police force to
"enforce my law", but one thing that You might
consider is to add a small comment to the example. For instance:

//-------------------------------------
// This is a toy example, where the conciseness of the source code
// has higher priority than reliability. In production code the line

    elle::Buffer line = socket->read_until("\n");

// allows a Denial of Service attack to be carried out by
// sending a single line of text that has 1TB worth of ASCII characters.
//-------------------------------------

I hope that it helps :-)