ietf-mxcomp

Re: Why not XML

2004-06-23 08:20:09


----- Original Message ----- 
From: "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com>
To: "'John Levine'" <johnl(_at_)iecc(_dot_)com>; 
<ietf-mxcomp(_at_)imc(_dot_)org>
Cc: <jrk(_at_)merseymail(_dot_)com>
Sent: Wednesday, June 23, 2004 10:14 AM
Subject: RE: Why not XML



I'd be very surprised if XML MARID documents exercised every single
line of code in your XML library, so the absolute size of the
library isn't necessarily significant, is it?

Bad guys can publish any complex and hostile MARID documents they
want.  Typical MARID documents are indeed likely to be pretty simple,
but if word gets around that there's a bug in an XML library, how long
will it take until there's MARID data to exploit it?  Minutes, I'd
guess.

This is uninformed scaremongering.

Maybe, but it is also a reality.

If there is a bug in the XML parser libraries in use today it will be
quickly uncovered by other applications where the consequences are likely
to be more than a DDoS attack.

But as the CodeRed Principle has shown, there will always be enough of a
legacy market to still be effective.  That is the key most "Ah HA!"
discovery, although obvious, that all the hackers have based their continued
hacking on.  It's no longer a "It's not worth it." idea.  It is "Let's do it
and put it out there. It's bound to find a good number of vulnerable
systems."  Geez, we still get daily doses of the original CodeRed HTTP
request exploits shown in our logs and I keep getting people asking "Hey,
what is that?"  Go figure.

The advantage of using standards is that you test out your software
components in multiple environments. The XML parser in windows is
used by IE, web services, etc. etc. The XML parser in apache has been
extensively tested in other programs.

Yes, modular programming is beneficial. Both for technical and management
reasons.  But it is based on having a solid development and design, well
tested and not put out before its time.

Over the years, can you vouch for Microsoft having a solid engineering team
with enough foresight?  XP was supposed to be the next secured OS. Well, it
turned out to be among the most unsecured OS to the point the next XP
update will fundamentally change a few things and also BREAK a lot of
software.

Anyway, can you vouch that some undocumented embedded XML attribute that
does some undocumented logic doing the object instantiation and parsing is
not going to be there?

Keep in mind, most people are going to use XML libraries and to do so
requires a level of trust and confidence there are not going to be any
problems.

Look, we know that the messaging world is currently adopting a major
XML based standard - RSS/ATOM. It has already adopted HTML and may
well adopt Jabber as a standard, if not Jabber whatever does succeed
in that space will be a Web Service.

But XML is just an interchange format.  It might be a storage format for
NEW systems. But not for standard systems already in place.  i.e.,  XML Web
service as an interface into our database backend.  That does mean we will
use XML for storage.  That would be ludicrous.  Maybe for a new system just
getting into the message world.  But I don't see this as becoming the standard
method across the board.

And in any case, if you are still using a language that is vulnerable to
buffer overflow issues you are a decade out of date.

Phillip, good point, but it might not be the language but the API or the
library you are using! In this case, the XML API components/library or
sub-system!  That's been the problem with Microsoft OSes and her API support
system.   Sure,  the applications developers too are all part of the problem.
But by far, it's been the OS and API in Windows.

There are plenty of
languages that implement bounds checking, Java, C#, FORTRAN, ALGOL60.
If people want to write in C I can give them a couple of range checking
macros which prevent overrun conditions - starting with:

#define strncpy()  exit(-1)

Remember, there is no such thing as a bad language, just bad programmers.

Anyway, I am going to support XML but not using the Microsoft XML library.
To use it requires you to load ATL, ACTIVEX and a whole range of other
sub-systems into your product and that is where a GOOD bit of the insecurity
evolved from - the OLE introduction into Windows.

So I don't think it is scaremongering, but rather a fact of life especially
in the Windows world.  With all due respect, if you don't know this, you
haven't been doing much Windows Development then.

With that said, each person/developer needs to make their own decision on how
they will implement XML.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com





