Issues with Serialization

You should give special attention to classes that implement the ISerializable interface if an object based on the class could contain sensitive object information. Can you see the potential vulnerability in the following code?

public void WriteObject(string file)
{
    Password p = new Password();
    Stream stream = File.Open(file, FileMode.Create);
    BinaryFormatter bformatter = new BinaryFormatter();
    bformatter.Serialize(stream, p);
    stream.Close();
}

[Serializable()]
public class Password : ISerializable
{
    private String sensitiveStuff;

    public Password()
    {
        sensitiveStuff = GetRandomKey();
    }

    // Deserialization ctor.
    public Password(SerializationInfo info, StreamingContext context)
    {
        sensitiveStuff = (String)info.GetValue("sensitiveStuff", typeof(string));
    }

    // Serialization function.
    public void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        info.AddValue("sensitiveStuff", sensitiveStuff);
    }
}

As you can see, the attacker has no direct access to the secret data held in sensitiveStuff, but she can force the application to write the data out to a file (any file, which is always bad!), and that file will contain the secret data. You can restrict the callers to this code by demanding appropriate security permissions:

[SecurityPermissionAttribute(SecurityAction.Demand, SerializationFormatter=true)]
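The following is an added example, not code from the book, showing one way to harden the Password class above: the permission demand is placed on both serialization entry points (GetObjectData and the deserialization constructor), and the secret is never written to the stream in the first place. GetRandomKey is a hypothetical stand-in for the key generator the text calls. Note that code access security demands of this kind are enforced only on the .NET Framework; .NET Core and later ignore them, so omitting the secret from the serialized state is the defense that holds everywhere.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security.Cryptography;
using System.Security.Permissions;

[Serializable]
public class Password : ISerializable
{
    private string sensitiveStuff;

    public Password()
    {
        sensitiveStuff = GetRandomKey();
    }

    // Deserialization ctor: only trusted callers may drive deserialization, and a
    // secret that arrived in a stream is never trusted; a fresh one is generated.
    [SecurityPermission(SecurityAction.Demand, SerializationFormatter = true)]
    protected Password(SerializationInfo info, StreamingContext context)
    {
        sensitiveStuff = GetRandomKey();
    }

    // Serialization callback: demand the permission and emit only non-sensitive state,
    // so a forced Serialize() call cannot leak the secret to an attacker-chosen file.
    [SecurityPermission(SecurityAction.Demand, SerializationFormatter = true)]
    public void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        info.AddValue("version", 1);
    }

    // Hypothetical key generator (assumed here; the original text does not show it).
    private static string GetRandomKey()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }
}

public static class Writer
{
    // Same operation as WriteObject in the text, with the stream disposed deterministically.
    public static void WriteObject(string file)
    {
        using (Stream stream = File.Open(file, FileMode.Create))
            new BinaryFormatter().Serialize(stream, new Password());
    }
}
```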

Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2001
Pages: 286
