Deserializing Data from Untrusted Sources
Don't deserialize data from untrusted sources. This is a .NET-specific version of the "All input is evil until proven otherwise" mantra outlined in many parts of this book. The .NET common language runtime offers classes in the System.Runtime.Serialization namespace to package and unpackage objects by using a process called serializing. (Some people refer to this process as freeze-drying!) However, your application should never deserialize any data from an untrusted source, because the reconstituted object will execute on the local machine as fully trusted code.
Pulling off an attack like this also requires that the code receiving the data have the SerializationFormatter permission, a highly privileged permission that should be granted to fully trusted code only.
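The following is an added illustration, not code from the book: a receiver that hands an untrusted stream to BinaryFormatter, beside two hardened forms. The Order type, the OrderOnlyBinder class and the receiver methods are assumed names for this example.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Constructed example type: the only object this service ever expects to receive.
[Serializable]
public sealed class Order
{
    public int Id { get; set; }
    public string Sku { get; set; }
}

// Vulnerable: BinaryFormatter reconstitutes whatever type the byte stream names,
// so the sender decides which code runs, and it runs with the caller's full trust.
public static class UnsafeReceiver
{
    public static object Receive(Stream untrusted)
    {
        var formatter = new BinaryFormatter();
        return formatter.Deserialize(untrusted); // type chosen by the sender
    }
}

// Hardened, option 1: keep BinaryFormatter but refuse every type except Order.
// This is a mitigation only; BinaryFormatter is obsolete and disabled by default
// in current .NET, and should not be used on untrusted input at all.
public sealed class OrderOnlyBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(Order).FullName) return typeof(Order);
        throw new SerializationException("Refused type: " + typeName);
    }
}

// Hardened, option 2 (preferred): a data-only format with a fixed target type.
// JSON carries no type names, so the input cannot select what gets constructed.
public static class SafeReceiver
{
    public static Order ReceiveBinaryRestricted(Stream untrusted)
    {
        var formatter = new BinaryFormatter { Binder = new OrderOnlyBinder() };
        return (Order)formatter.Deserialize(untrusted);
    }

    public static Order ReceiveJson(string untrustedJson) =>
        JsonSerializer.Deserialize<Order>(untrustedJson);
}
```

Validate the fields of the returned Order (range of Id, format of Sku) before acting on it; a safe format removes the code-execution risk, not the need for input checking.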
The security problem caused by deserializing data from untrusted sources is not unique to .NET. The issue exists in other technologies. For example, MFC allows users to serialize and deserialize an object by using CArchive::operator>> and CArchive::operator<<. That said, all code in MFC is unmanaged and hence, by definition, runs as fully trusted code.