From: owner-atnp_ccb_chair@cena.fr on behalf of Tony Kerr [tony.kerr@cival.co.uk]
Sent: 11 November 2002 10:30
To: atnp_ccb_sme4@tls.cena.fr
Cc: atnp_ccb_chair@tls.cena.fr
Subject: PDR M2110001 - ULCS - D-ABORT Security bypass - ACCEPTED

Title: SV4 - D-ABORT Security Bypass
PDR Reference: M2110001
Originator Reference:
SARPs Document Reference: Sub-Volume IV 4.3.3.3.7.2.1, 4.3.3.4.5.2.3
CAMAL Document Reference: -
P/OICS Document Reference -
Status: ACCEPTED
Impact: B
PDR Revision Date: 11 Nov 2002 (ACCEPTED)
                   08 Nov 2002 (SUBMITTED)
Submitting State/Organization: CIVAL Consulting Ltd
Submitting Author Name: A J Kerr
Submitting Author E-mail Address: tony.kerr@cival.co.uk
Submitting Author Supplemental Contact Information: Tel: +44 (0)1252 724386
SARPs Date: Doc 9705 Ed 3 (Jul 02)
P/OICS Date: -
SARPs Language: English

Summary of Defect:

When the DS-User issues D-ABORT request on a secured dialogue, and the dialogue is not in DATA TRANSFER state (STA2), then according to 4.3.3.3.7.2.1, an A-ABORT request is issued. ACSE will then issue P-U-ABORT req (ABRT), which the CF passes to the Presentation service. The Security ASO is never activated, so any User Data on the D-ABORT is not authenticated.

At the receiving side, the P-U-ABORT ind (ABRT) is passed to ACSE, which issues A-ABORT ind. According to 4.3.3.4.5.2.3, if the dialogue was not in STA2, then the unauthenticated User Data is passed to the DS-User in A-ABORT indication.

It seems that a potential attacker has a possible means of transferring unauthenticated data to an aircraft. It would seem preferable to either:

a) always authenticate any User Data, or
b) in the Abort case, as delivery is not guaranteed and the dialogue is aborting anyway, discard the User Data at the sender if not in STA2.

Solution a) would add considerably to the complexity of the CF for very little benefit, so solution b) is proposed.

Assigned SME: Sub-Volume IV SME

Proposed SARPs amendment:

1/ In 4.3.3.3.7.2.1, Table 4.3-20, REPLACE:

   D-ABORT User Data parameter, if present and not empty.

   WITH:

   User Data as provided in the D-ABORT Request if present and the dialogue does not support security; omitted otherwise.

2/ In 4.3.3.4.5.2.3, DELETE bullets a) through d) and REPLACE with:

   a) Issue a D-ABORT Indication primitive to the DS-User, with the Originator parameter set to the abstract value "Provider" and the User Data parameter empty.
   b) Enter the NULL state.

Impact on interoperability: None.
PDR Validation Status: Paper walkthrough.
SME Recommendation to CCB: ACCEPT the PDR
CCB Decision:
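
The abort path described in this PDR, modelled before and after the proposed amendment. This is an added example, not text from the SARPs or from the PDR author. The function names, the state constants and the dictionary used for the indication are assumptions made for illustration, and only the behaviour stated in the message above is modelled.

```python
from dataclasses import dataclass
from typing import Optional

STA2 = "DATA TRANSFER"   # the only state the PDR names
NOT_STA2 = "NOT STA2"    # constructed stand-in for any other state


@dataclass
class AAbort:
    """A-ABORT as it crosses the link on this path (illustrative model)."""
    user_data: Optional[bytes]
    authenticated: bool = False  # the Security ASO is never activated here


def sender_d_abort_req(state: str, secured: bool,
                       user_data: Optional[bytes], amended: bool) -> AAbort:
    """CF mapping of a D-ABORT request to an A-ABORT request (4.3.3.3.7.2.1)."""
    if state == STA2:
        raise NotImplementedError("the STA2 path is outside the scope of this PDR")
    if not amended:
        # Original Table 4.3-20: user data, if present and not empty.
        return AAbort(user_data or None)
    # Amended Table 4.3-20: only if present and the dialogue does not
    # support security; omitted otherwise.
    return AAbort(user_data if (user_data and not secured) else None)


def receiver_a_abort_ind(abort: AAbort, amended: bool) -> dict:
    """CF handling of an A-ABORT indication when not in STA2 (4.3.3.4.5.2.3)."""
    if not amended:
        # As summarised in the PDR: the unauthenticated User Data reaches
        # the DS-User. Other parameters of the original text are not modelled.
        return {"user_data": abort.user_data}
    # Amended bullets a) and b). None stands for the empty User Data parameter.
    return {"originator": "Provider", "user_data": None, "next_state": "NULL"}


if __name__ == "__main__":
    sample = b"constructed-user-data"  # constructed sample input
    for amended in (False, True):
        sent = sender_d_abort_req(NOT_STA2, True, sample, amended)
        # The receiver must not rely on the sender, so feed it raw peer data.
        seen = receiver_a_abort_ind(AAbort(sample), amended)
        print(amended, sent.user_data, seen["user_data"])
```

The receiver-side change matters independently of the sender-side one: a peer that does not follow the amended Table 4.3-20 can still place User Data in the A-ABORT, and only the amended 4.3.3.4.5.2.3 keeps it from the DS-User.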