[cl-store-devel] On the security of cl-store
Sean Ross
rosssd at gmail.com
Sun Mar 7 23:06:03 UTC 2010
On 7 Mar 2010, at 19:20, Alex Mizrahi wrote:
> SR> To my knowledge the only other vulnerabilities would revolve
> SR> around uses of eval, read or read-from-string which cl-store
>
> If denial-of-service (e.g. crashing lisp server) qualifies as a successful
> attack, the spectrum of issues to deal with is much larger. Perhaps the simplest way
> to DoS the server is to force it to use large quantities of memory, so it would
> be thrashing and eventually will collapse. As I understand, with cl-store
> binary format output is proportional to serialized input and can't be much
> larger. So, to start with, one can simply reject messages which are too long.
>
> A more sophisticated strategy is to make the server leak memory. For example,
> force it to intern new symbols in each packet, then packets will be small,
> but with each packet the server will leak some memory. The obvious fix to this
> problem is to forbid interning new symbols.
Quite right. As always, accepting input from untrusted sources is going to open you up
to a number of potential security issues. The most cl-store will do is try not to
execute arbitrary code. DOS attacks are part and parcel of accepting requests
from all and sundry, which is only recommended if absolutely necessary.
>
> Finally, one can DoS the server by putting it into an infinite loop. This can be
> achieved by sending a cyclical data structure where the server code expects a
> simple one. Then iteration or recursive traversal will either hang in an
> indefinite loop or cause a stack overflow.
This shouldn't be possible in cl-store as all cyclic data structures are detected
and serialized/deserialized correctly (custom serialization/deserializations notwithstanding).
Regards,
Sean.
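The two mitigations discussed in this thread, written out as an added Common Lisp example that is not part of cl-store or this mailing list post: symbols arriving in a packet are resolved with FIND-SYMBOL instead of INTERN so an untrusted sender can never grow the server's symbol tables, and a restored object is walked with an EQ visited-table so a cyclic structure cannot hang the caller. The packet fields (package name and symbol name as strings) and the function names are assumptions for illustration, not cl-store's binary format or API.

```lisp
;;; Added example (not cl-store's own code): defensive checks for a server
;;; that deserializes untrusted input.
(defpackage :untrusted-input-checks
  (:use :cl)
  (:export #:resolve-symbol-safely #:count-conses))
(in-package :untrusted-input-checks)

;; Signalled instead of silently creating a symbol the image would keep forever.
(define-condition unknown-symbol-error (error)
  ((pkg :initarg :pkg :reader unknown-symbol-pkg)
   (name :initarg :name :reader unknown-symbol-name))
  (:report (lambda (c s)
             (format s "Rejected packet: ~A::~A is not an existing symbol"
                     (unknown-symbol-pkg c) (unknown-symbol-name c)))))

(defun resolve-symbol-safely (package-name symbol-name)
  "Return an existing symbol or signal UNKNOWN-SYMBOL-ERROR.
Unlike INTERN, this never allocates a new symbol, so a stream of packets
naming fresh symbols cannot leak memory in the server."
  (let ((pkg (find-package package-name)))
    ;; AND passes FIND-SYMBOL's second value (the status) through.
    (multiple-value-bind (sym status)
        (and pkg (find-symbol symbol-name pkg))
      (if status
          sym
          (error 'unknown-symbol-error :pkg package-name :name symbol-name)))))

(defun count-conses (object)
  "Count the cons cells reachable from OBJECT. Returns the count and T if a
cycle was encountered. Every cons is recorded in an EQ hash table before it
is descended into, so a cyclic list such as #1=(1 2 . #1#) terminates where
a naive walk would loop forever. The CDR chain is walked iteratively so a
very long (non-cyclic) list does not exhaust the stack."
  (let ((seen (make-hash-table :test #'eq))
        (count 0)
        (cyclic nil))
    (labels ((walk (x)
               (loop while (consp x)
                     do (when (gethash x seen)
                          (setf cyclic t)
                          (return))
                        (setf (gethash x seen) t)
                        (incf count)
                        (walk (car x))
                        (setf x (cdr x)))))
      (walk object))
    (values count cyclic)))

;; Usage (constructed input): a known symbol, a rejected one, and a cyclic list.
;; (resolve-symbol-safely "COMMON-LISP" "CAR")
;; (handler-case (resolve-symbol-safely "COMMON-LISP" "NO-SUCH-THING")
;;   (unknown-symbol-error (e) (princ e)))
;; (let ((c (list 1 2 3))) (setf (cdr (last c)) c) (count-conses c))
```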