Deserializing Data from Untrusted Sources

Don't deserialize data from untrusted sources. This is a .NET-specific version of the "All input is evil until proven otherwise" mantra outlined in many parts of this book. The .NET common language runtime offers classes in the System.Runtime.Serialization namespace to package and unpackage objects by using a process called serialization. (Some people refer to this process as freeze-drying.) However, your application should never deserialize data from an untrusted source, because the reconstituted object will execute on the local machine with the same trust as the application.

Pulling off an attack like this also requires that the code receiving the data have the SerializationFormatter permission, a highly privileged permission that should be granted to fully trusted code only.
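As an added illustration (not code from the book), the following C# sketch contrasts the unsafe pattern, where the formatter instantiates whatever type the incoming payload names, with a hardened variant that uses an allow-list SerializationBinder so only an expected type can be reconstituted. The Greeting class, the sample payload and the binder are assumptions constructed for this example; it targets the classic BinaryFormatter that the text's System.Runtime.Serialization discussion refers to.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical payload type the application legitimately expects to receive.
[Serializable]
public class Greeting { public string Text = ""; }

// Allow-list binder: only the type we explicitly expect may be reconstituted.
// Any other type named inside the payload is rejected before the formatter
// ever instantiates it, so its code never runs with the application's trust.
sealed class AllowListBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(Greeting).FullName) return typeof(Greeting);
        throw new SerializationException("Refusing to deserialize type: " + typeName);
    }
}

static class Program
{
    // Constructed sample: produce a byte stream that, in a real application,
    // would arrive from a network peer or file the application does not control.
    static byte[] Produce()
    {
        var formatter = new BinaryFormatter();
        using (var ms = new MemoryStream())
        {
            formatter.Serialize(ms, new Greeting { Text = "hello" });
            return ms.ToArray();
        }
    }

    // Unsafe pattern: the formatter trusts the type names embedded in the data.
    static object DeserializeUnsafe(byte[] data) =>
        new BinaryFormatter().Deserialize(new MemoryStream(data));

    // Hardened pattern: the binder limits reconstitution to the allow-list.
    static object DeserializeWithBinder(byte[] data) =>
        new BinaryFormatter { Binder = new AllowListBinder() }
            .Deserialize(new MemoryStream(data));

    static void Main()
    {
        byte[] data = Produce();
        var g = (Greeting)DeserializeWithBinder(data);
        Console.WriteLine(g.Text);
    }
}
```

A binder narrows the attack surface but does not remove it; Microsoft's current guidance is to avoid BinaryFormatter entirely for any input that is not fully trusted, and the type is marked obsolete in modern .NET.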

NOTE
The security problem caused by deserializing data from untrusted sources is not unique to .NET. The issue exists in other technologies. For example, MFC allows users to serialize and deserialize an object by using CArchive::operator<< and CArchive::operator>>. That said, all code in MFC is unmanaged and hence, by definition, runs as fully trusted code.



Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2001
Pages: 286