Posted to sanselan-dev@incubator.apache.org by Louis Ryan <lr...@google.com> on 2009/01/22 22:38:43 UTC

Using Sanselan in Shindig (fellow incubator)

Hi

I've been investigating using Sanselan as part of an image rewriting feature
we are including in the Shindig project (
http://incubator.apache.org/shindig/). The goal is to rewrite images fetched
through an HTTP proxy to reduce their size either by switching encoding e.g.
BMP -> PNG or by stripping metadata (EXIF, comments ...). I'm primarily using
Sanselan to parse the image metadata to avoid exposing the code to the many
security vulnerabilities that exist in ImageIO on various VMs such as

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2789

This works very well as Sanselan is very strict in how it parses certain
data structures such as ICC profiles where specially crafted images could
cause buffer overrun attacks in the native libraries in ImageIO. I have a
set of images that reproduce some of the common attacks against ImageIO that
I'm testing with and Sanselan does very well against them. I currently have
one image that can cause an OutOfMemory error by misrepresenting the number
of ICC tags when parsing the ICC profile (attached). Having a VM die from
OutOfMemory is better than a security vulnerability.

I was wondering whether you consider robustness against malicious image
parsing something you would like your code to handle (I'd be happy to provide
test cases for what I have). As a more amorphous topic there is a real
shortage of secure image processing available in Java, most libraries are
designed for speed and not for robustness or defensiveness, building those
facilities in your project would be a boon to mankind and likely to attract
a great number of interested folks, myself included, to contribute actively.

Best

Louis Ryan
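
Added example (not part of the original message, and not Sanselan or Shindig code): one way a parser can reject an ICC profile whose tag count is misrepresented, by bounding the count against the bytes actually present before allocating anything. The class and method names are hypothetical; the layout assumed is the standard ICC one (128-byte header, 4-byte big-endian tag count, 12-byte tag table entries), and the sample input is constructed.

```java
import java.io.IOException;
import java.nio.ByteBuffer;

public class IccTagTableCheck {
    static final int HEADER_LEN = 128;   // fixed ICC header size
    static final int TAG_ENTRY_LEN = 12; // signature, offset, size: 4 bytes each

    // Returns {signature, offset, size} per tag; throws instead of trusting declared sizes.
    static int[][] readTagTable(byte[] profile) throws IOException {
        if (profile.length < HEADER_LEN + 4) {
            throw new IOException("ICC profile shorter than header plus tag count");
        }
        ByteBuffer buf = ByteBuffer.wrap(profile); // big-endian by default
        long declaredSize = buf.getInt(0) & 0xFFFFFFFFL;
        if (declaredSize > profile.length) {
            throw new IOException("declared profile size exceeds available data");
        }
        // The tag count is attacker-controlled: bound it by what can physically fit.
        long tagCount = buf.getInt(HEADER_LEN) & 0xFFFFFFFFL;
        long maxTags = (profile.length - HEADER_LEN - 4) / TAG_ENTRY_LEN;
        if (tagCount > maxTags) {
            throw new IOException("tag count " + tagCount + " exceeds the " + maxTags + " entries that fit");
        }
        int[][] tags = new int[(int) tagCount][];
        for (int i = 0; i < tagCount; i++) {
            int pos = HEADER_LEN + 4 + i * TAG_ENTRY_LEN;
            long offset = buf.getInt(pos + 4) & 0xFFFFFFFFL;
            long size = buf.getInt(pos + 8) & 0xFFFFFFFFL;
            if (offset + size > profile.length) {
                throw new IOException("tag " + i + " points outside the profile");
            }
            tags[i] = new int[] { buf.getInt(pos), (int) offset, (int) size };
        }
        return tags;
    }

    public static void main(String[] args) {
        // Constructed sample: zeroed header, tag count 0x7FFFFFFF, no tag entries.
        byte[] crafted = new byte[HEADER_LEN + 4];
        ByteBuffer.wrap(crafted).putInt(0, crafted.length).putInt(HEADER_LEN, 0x7FFFFFFF);
        try {
            readTagTable(crafted);
            System.out.println("accepted");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Without the `maxTags` check, the array allocation would be sized by the declared count rather than by the data, which is the allocation pattern that leads to the OutOfMemory condition described above.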

Re: Using Sanselan in Shindig (fellow incubator)

Posted by Jeremias Maerki <de...@jeremias-maerki.ch>.
Just my personal opinion as a mentor for Sanselan, but since Sanselan
will never be able to win the performance contest in image handling, I
can see the benefit of positioning Sanselan as a specialist for secure
image processing (in addition to the current focus points). ImageIO is
probably good enough for most so Sanselan has a somewhat difficult stand
to position itself.

BTW, the attachment you mentioned is missing. But it's probably best to
open a new issue in JIRA and attach it there.

On 22.01.2009 23:38:43 Louis Ryan wrote:
> Hi
> 
> I've been investigating using Sanselan as part of an image rewriting feature
> we are including in the Shindig project (
> http://incubator.apache.org/shindig/). The goal is to rewrite images fetched
> through an HTTP proxy to reduce their size either by switching encoding e.g.
> BMP -> PNG or by stripping metadata (EXIF, comments ...). I'm primarily using
> Sanselan to parse the image metadata to avoid exposing the code to the many
> security vulnerabilities that exist in ImageIO on various VMs such as
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0243
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2789
> 
> This works very well as Sanselan is very strict in how it parses certain
> data structures such as ICC profiles where specially crafted images could
> cause buffer overrun attacks in the native libraries in ImageIO. I have a
> set of images that reproduce some of the common attacks against ImageIO that
> I'm testing with and Sanselan does very well against them. I currently have
> one image that can cause an OutOfMemory error by misrepresenting the number
> of ICC tags when parsing the ICC profile (attached). Having a VM die from
> OutOfMemory is better than a security vulnerability.
> 
> I was wondering whether you consider robustness against malicious image
> parsing something you would like your code to handle (I'd be happy to provide
> test cases for what I have). As a more amorphous topic there is a real
> shortage of secure image processing available in Java, most libraries are
> designed for speed and not for robustness or defensiveness, building those
> facilities in your project would be a boon to mankind and likely to attract
> a great number of interested folks, myself included, to contribute actively.
> 
> Best
> 
> Louis Ryan




Jeremias Maerki