mozilla-services / go-cose

go library for CBOR Object Signing and Encryption (COSE)
Mozilla Public License 2.0

CBOR library exhausts memory in 1 decode attempt of < 10 bytes of malformed CBOR data #62

Closed x448 closed 4 years ago

x448 commented 4 years ago

@g-k 🔥 this CBOR security issue is already public knowledge and affects a library used by go-cose.

October 2013 - RFC 7049 (CBOR) is approved by IETF as an Internet Standard and RFC 7049 Section 8 describes security considerations such as malicious CBOR.

September 2019 - oasislabs finds tiny malformed CBOR data causes fatal out of memory error when decoded with latest releases of ugorji/go (CBOR library used by go-cose) and switched to fxamacker/cbor in early October 2019.

February 2020 - smartcontractkit/chainlink has a security issue with ugorji/go that is closed by switching to fxamacker/cbor. I don't have login access to view their security issue.

March 2020 - @fxamacker finds tiny malformed CBOR data that causes fatal out of memory error when decoded with any release of ugorji/go (1.1.0 - 1.1.7 as well as last commit 42bc974).


fxamacker/cbor comparisons to ugorji/go.


CBOR Program Size Comparison

__fxamacker/cbor__ can produce smaller programs. ![alt text](https://github.com/fxamacker/images/raw/master/cbor/v2.2.0/cbor_size_comparison.png "CBOR library and program size comparison chart")

CBOR Speed Comparison

__fxamacker/cbor__ can be faster for CBOR data such as CBOR Web Tokens. ![alt text](https://github.com/fxamacker/images/raw/master/cbor/v2.2.0/cbor_speed_comparison.png "CBOR library speed comparison chart")

CBOR Memory Comparison

__fxamacker/cbor__ can use less memory for CBOR data such as CBOR Web Tokens. ![alt text](https://github.com/fxamacker/images/raw/master/cbor/v2.2.0/cbor_memory_table.svg?sanitize=1 "CBOR Memory Comparison")

Benchmarks used example data from RFC 8392 Appendix A.1 and default options for CBOR libraries.
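The failure described in this thread, a handful of malformed bytes exhausting memory in a single decode, comes from a decoder trusting the length or count declared in a CBOR data item head and allocating for it before checking that the input could ever contain that much. The following Go program is an added example for this issue, not code from go-cose, ugorji/go or fxamacker/cbor: it parses a CBOR head with the standard library only and applies the two bounds a hardened decoder needs before calling make(), namely that a declared length or count cannot exceed the bytes remaining in the input, and that it cannot exceed a caller-chosen maximum (the `maxElems` parameter, named here by assumption). The sample inputs in `main` are constructed for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Sentinel errors for the two bounds this pre-check enforces.
var (
	ErrLengthExceedsInput = errors.New("cbor: declared length exceeds remaining input")
	ErrTooManyElements    = errors.New("cbor: declared element count exceeds configured maximum")
)

// head is the first part of a CBOR data item (RFC 7049 section 2):
// a 3-bit major type and an argument carrying a value, length or count.
type head struct {
	major uint8  // 0..7
	arg   uint64 // small value, or byte length / element count
	size  int    // bytes consumed by the head itself
	indef bool   // additional info 31: indefinite-length item
}

// readHead parses one data-item head without allocating anything.
func readHead(b []byte) (head, error) {
	if len(b) == 0 {
		return head{}, io.ErrUnexpectedEOF
	}
	h := head{major: b[0] >> 5, size: 1}
	ai := b[0] & 0x1f
	var need int // bytes of argument that follow the initial byte
	switch {
	case ai < 24:
		h.arg = uint64(ai)
		return h, nil
	case ai == 24:
		need = 1
	case ai == 25:
		need = 2
	case ai == 26:
		need = 4
	case ai == 27:
		need = 8
	case ai == 31:
		h.indef = true
		return h, nil
	default:
		return head{}, fmt.Errorf("cbor: reserved additional info %d", ai)
	}
	if len(b) < 1+need {
		return head{}, io.ErrUnexpectedEOF
	}
	switch need {
	case 1:
		h.arg = uint64(b[1])
	case 2:
		h.arg = uint64(binary.BigEndian.Uint16(b[1:3]))
	case 4:
		h.arg = uint64(binary.BigEndian.Uint32(b[1:5]))
	case 8:
		h.arg = binary.BigEndian.Uint64(b[1:9])
	}
	h.size = 1 + need
	return h, nil
}

// CheckDeclaredLength rejects a top-level string, array or map whose declared
// length cannot be satisfied by the bytes following its head, and an array or
// map whose declared count exceeds maxElems (a hypothetical decoder option).
// Running this before make() means the input never dictates an allocation size.
func CheckDeclaredLength(b []byte, maxElems uint64) error {
	h, err := readHead(b)
	if err != nil {
		return err
	}
	if h.indef {
		return nil // indefinite-length items are sized by their "break" marker, not a count
	}
	remaining := uint64(len(b) - h.size)
	switch h.major {
	case 2, 3: // byte string, text string: arg is a byte length
		if h.arg > remaining {
			return ErrLengthExceedsInput
		}
	case 4, 5: // array, map: arg is an element count; each element needs >= 1 byte
		minBytes := uint64(1)
		if h.major == 5 {
			minBytes = 2 // a map entry is a key and a value
		}
		if h.arg > remaining/minBytes {
			return ErrLengthExceedsInput
		}
		if h.arg > maxElems {
			return ErrTooManyElements
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs (not taken from the issue).
	wellFormed := []byte{0x83, 0x01, 0x02, 0x03}                                // [1, 2, 3]
	hugeString := []byte{0x5a, 0x7f, 0xff, 0xff, 0xff}                          // bstr claiming ~2 GiB, 0 bytes follow
	hugeArray := []byte{0x9b, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff} // array claiming 2^64-1 elements
	for _, in := range [][]byte{wellFormed, hugeString, hugeArray} {
		fmt.Printf("% x -> %v\n", in, CheckDeclaredLength(in, 1<<16))
	}
}
```

The check is deliberately shallow: it inspects one head and the bytes that follow it. A real decoder applies the same rule at every nesting level as it recurses, together with a depth limit, so that a small declared count at each of many levels cannot multiply into an unbounded allocation either.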

x448 commented 4 years ago

The security comparison table was updated today to show the entire fatal error message. It was previously showing the error text from the Sep 2019 data instead of Mar 2020 data.

g-k commented 4 years ago

Hey @x448, thanks for bringing this up! Seems like something that GH should've published an advisory for.

I'll try to get to this by the end of April. I'm open to PRs swapping in the new CBOR encoder/decoder in the meantime.

:+1: keyasint and toarray look like they'll help simplify things and getting something properly fuzzed that doesn't use unsafe would be big wins too.

x448 commented 4 years ago

@g-k great! I think @fxamacker would be interested in opening a PR to handle the CBOR aspect.

I have an idea for another PR, I'll open a ticket.

fxamacker commented 4 years ago

Hi @g-k, I would love to open a PR and contribute to go-cose!

I can begin work on go-cose right after wrapping up a task due Monday.

g-k commented 4 years ago

Awesome! That'd be great.

On Thu, Apr 9, 2020 at 7:31 PM Faye Amacker notifications@github.com wrote:

> Hi @g-k https://github.com/g-k, I would love to open a PR and contribute to go-cose!
>
> I can begin work on go-cose right after wrapping up a task due Monday.


fxamacker commented 4 years ago

I've been reading COSE RFC 8152 (the parts used by go-cose) and so far so good.

fxamacker commented 4 years ago

@g-k I've been working on go-cose and will try to open a PR soon.