On Tue, 21 Jul 2009, Michal Zalewski wrote: > The code created an oversized list, which does not seem to be that far > from creating an overly nested DOM tree, or drawing an oversized CANVAS > shape, or any other creating-too-many-things-for-the-renderer-to-handle > attacks... but really, I'm not trying to be dismissive, just saying that > a more holistic approach might be more beneficial in the long run. I agree here. I strongly suspect that as we collectively try to figure out how to solve resource-consumption issues for all kinds of software, we will quickly run into lots of complexity that may well enter the realm of undecidable problems, and/or whose only solutions would require the creation of an application-level resource monitor (thus killing performance) or having some kind of external control of resource allocation (whose solution is generally just to kill the application, still resulting in a DoS). I think that last sentence parsed OK... Web browsers are basically mini-operating systems (which others may have said before). Since they are very closely attached to their underlying operating system, it's not a surprise that they are some of the first to really get hit by these kinds of reports (anti-virus also comes to mind). But if you think of the infinite number of algorithms you could write in Javascript, then it becomes a recipe for the death of a thousand cuts. If you try to load the full XML downloads from cve.mitre.org into your browser, good luck with that - you get CPU and memory consumption very quickly (last time I checked). But is that a vulnerability per se? It almost becomes a "laws-of-physics" vulnerability - if you send too much data to an underpowered system with a small pipe, then a DoS is going to occur because you can't violate the laws of physics. If you enforce some resource restrictions, then you wind up with an incomplete rendering of data (incorrect behavior) at least. In this particular case there's very little effort that the attacker needs to make compared to the amount of CPU/memory that is produced, so the attack-to-benefit workload is asymmetric and it seems reasonable to call this a problem. At some point a line needs to be drawn, though I don't know where that line is. I agree with Michal that a holistic approach could save a lot of people a lot of pain. - Steve P.S. For those who are interested, some focused discussion on the topic starts at http://attrition.org/pipermail/vim/2006-January/000461.html
