[x3d-public] [x3d] Spec Comment by brutzman on 19775-1: Abstract X3D Definitions - IMPORT/Inline recursion
Don Brutzman
brutzman at nps.edu
Mon Jan 2 14:05:31 PST 2017
[spec issue moved to:x3d-public for community consideration]
Summary: self-referential IMPORT or Inline recursion needs to be forbidden as a security vulnerability.
Thinking a bit more on this: IMPORT recursion problems only occur if Inline recursion is also defined at the same time. So that might simplify implementation of run-time prevention checks.
Nevertheless each is a significant issue and both authors & toolbuilders need to be aware of each vulnerability vector.
Thus am still thinking that both Inline and IMPORT are worth specification entries.
Further thinking on security is always welcome. Have updated the Vulnerabilities subsection for
X3D Resources: Security
http://www.web3d.org/x3d/content/examples/X3dResources.html#Security
Thanks to John Carlson for separately testing and reporting a related problem in X3D Java SAI Library, which in turn led to this line of thought.
Happy New Year. Be safe out there! :0
On 1/2/2017 12:44 PM, Spec Feedback wrote:
> Comment on 19775-1: Abstract X3D Definitions - V3.3
> 9.2.5 IMPORT statement
> http://www.web3d.org/documents/specifications/19775-1/V3.3/Part01/components/networking.html#IMPORTStatement
>
> -----------------
> Subject: IMPORT recursion needs to be forbidden
>
> A child scene must EXPORT a local DEF node in order for another scene to
> IMPORT it.
>
> If a scene directly or indirectly tries to IMPORT itself, this combination
> leads to non-terminating recursion.
>
> This problem is both a run-time flaw and a security vulnerability.
>
> Related overdue work: perform a full security review of all X3D
> specifications and come up with a consistent and comprehensive way to
> document security vulnerabilities.
>
> Suggest prose addition to specification:
>
> "A scene must not IMPORT itself, directly or indirectly, in order to avoid
> nonterminating recursion. X3D players SHALL NOT honor self-referential
> IMPORT loops in order to avoid security vulnerabilities."
> -----------------
>
> Submitted on Monday, 2017, January 2 - 12:44pm
> by brutzman (brutzman )
> IP: 162.225.68.164
>
> See: http://www.web3d.org/node/1694/submission/1165
> Comment on 19775-1: Abstract X3D Definitions - V3.3
> 9.4.2 Inline
> http://www.web3d.org/documents/specifications/19775-1/V3.3/Part01/components/networking.html#Inline
>
> -----------------
> Subject: Inline recursion needs to be forbidden
>
> If a scene directly or indirectly tries to Inline itself, non-terminating
> recursion is the likely result.
>
> This problem is both a run-time flaw and a security vulnerability.
>
> Related overdue work: perform a full security review of all X3D
> specifications and come up with a consistent and comprehensive way to
> document security vulnerabilities.
>
> Suggest prose addition to specification:
>
> "A scene must not Inline itself, directly or indirectly, in order to avoid
> nonterminating recursion. X3D players SHALL NOT honor self-referential
> Inline loops in order to avoid security vulnerabilities."
>
> Related: self-referential IMPORT recursion, reported separately.
> -----------------
all the best, Don
--
Don Brutzman Naval Postgraduate School, Code USW/Br brutzman at nps.edu
Watkins 270, MOVES Institute, Monterey CA 93943-5000 USA +1.831.656.2149
X3D graphics, virtual worlds, navy robotics http://faculty.nps.edu/brutzman
More information about the x3d-public
mailing list