[Twisted-Python] Is AMP secure enough for the internet?

Eric P. Mangold teratorn at gmail.com
Sun Feb 28 23:09:30 EST 2010


On Mon, 2010-03-01 at 02:33 +0200, Tristan Seligmann wrote:
> On Sat, Feb 27, 2010 at 11:59 PM, Attila Nagy <bra at fsn.hu> wrote:
> > What would I like to do:
> > 1. authenticate and authorize connecting clients with their SSL certificates
> > 2. securely transfer arbitrary (binary and json) data from and to the
> > clients (both the server and client would be twisted)
> 
> If you're using SSL, then points 1 and 2 are the responsibility of
> SSL, not AMP, and you should be fine.
> 
> > 3. protect the server from malicious clients
> 
> I can't really comment on this, as I haven't studied the AMP
> implementation much; I think there are some built-in limits which will
> protect against certain kinds of resource DoS, but hopefully somebody
> else can comment in more detail.

AMP "keys" are limited to 256 bytes and "values" are limited to 64k. So
that will prevent your program from handling a malformed AMP packet that
tries to exceed those limits....

If the AMP parser detects a parsing problem it will drop the connection.

One of the things you will need to implement yourself is preventing an
otherwise legit client from flooding your server with legitimate
requests... this is application-specific, and Twisted can't implement a
generalized protection mechanism here.

There should not be any way for a client to "access" any parts of your
program apart from your pre-defined AMP command-handlers, and anything
else for which you "give" access.

Everything in AMP is length-prefixed, so this precludes any
"quote-escaping" type vulnerabilities.

There shouldn't be any issues with any of the built-in data types that
AMP knows how to handle... if the data doesn't fall within acceptable
parameters Python will throw an Exception, and I *imagine* that also
results in a connection tear-down, but it's been a while since I've
studied the code in depth.

Good luck, and let us know when your AMP-DOSing test-suite is
available ;)

-teratorn 
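As an added illustration of the two properties the reply above relies on (every key and value is length-prefixed, so no escaping is needed and a value may contain any bytes; a length prefix outside the limits is rejected before any data is buffered), here is a small stand-alone parser for the AMP box wire format. This is example code written for this page, not Twisted's own `twisted.protocols.amp` implementation. The limit constants below use the figures quoted in the post and are an assumption; the authoritative values are the constants in `twisted.protocols.amp` for the Twisted version you run.

```python
import struct

# Size limits as quoted in the post (assumption; see twisted.protocols.amp
# for the exact constants in your Twisted version).
MAX_KEY_LENGTH = 256
MAX_VALUE_LENGTH = 0xFFFF


class AmpParseError(ValueError):
    """Raised on a malformed box. A real AMP server drops the connection here."""


def encode_box(box):
    """Serialize a dict of bytes -> bytes into AMP wire form.

    Each key and each value is preceded by a 2-byte big-endian length;
    the box is terminated by a zero-length key.  No byte is special
    inside a value, so nothing is escaped.
    """
    out = bytearray()
    for key, value in box.items():
        if not key or len(key) > MAX_KEY_LENGTH:
            raise AmpParseError("key length out of range: %d" % len(key))
        if len(value) > MAX_VALUE_LENGTH:
            raise AmpParseError("value too long: %d" % len(value))
        out += struct.pack("!H", len(key)) + key
        out += struct.pack("!H", len(value)) + value
    out += b"\x00\x00"  # empty key ends the box
    return bytes(out)


def parse_boxes(data):
    """Parse every complete box at the front of `data`.

    Returns (boxes, remainder): `remainder` is the unconsumed tail starting
    at the beginning of the first incomplete box, so a caller can append
    the next chunk from the socket and call again.  A length prefix that
    exceeds a limit raises AmpParseError immediately, before any bytes of
    the oversized field are buffered.
    """
    boxes = []
    box = {}
    box_start = 0
    pos = 0
    while pos + 2 <= len(data):
        (klen,) = struct.unpack_from("!H", data, pos)
        pos += 2
        if klen == 0:  # terminator: box complete
            boxes.append(box)
            box = {}
            box_start = pos
            continue
        if klen > MAX_KEY_LENGTH:
            raise AmpParseError("key too long: %d" % klen)
        if pos + klen + 2 > len(data):
            break  # need more bytes for the key and the value's length
        key = data[pos:pos + klen]
        pos += klen
        (vlen,) = struct.unpack_from("!H", data, pos)
        pos += 2
        if vlen > MAX_VALUE_LENGTH:
            raise AmpParseError("value too long: %d" % vlen)
        if pos + vlen > len(data):
            break  # value not fully received yet
        box[key] = data[pos:pos + vlen]
        pos += vlen
    return boxes, data[box_start:]


def rejects(data):
    """True if the parser would drop the connection on this input."""
    try:
        parse_boxes(data)
    except AmpParseError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample box: the value of b"b" carries quote characters and
    # the value of b"a" carries NUL bytes; neither needs escaping.
    sample = {b"_command": b"Sum", b"a": b"\x00\x00\x00\x01", b"b": b'"quoted"'}
    wire = encode_box(sample)
    print(parse_boxes(wire))
    # A key-length prefix of 257 is rejected on the spot.
    print(rejects(b"\x01\x01" + b"k" * 257))
```

Note what the parser does not do: it happily accepts an unlimited stream of small, well-formed boxes, which is exactly the "legit client flooding you with legitimate requests" case the post says has to be handled in the application.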