Safe marshall?
Date: 2005-02-17 (09:39)
From: Gerd Stolpmann <info@g...>
Subject: Re: [Caml-list] Safe marshall?

Mike Hamburg said:
> Is there any way to call Marshall in a type-safe way? I need to use
> marshaling for a networking program, and I'd rather not leave Marshal
> as an arbitrary code execution vulnerability (which it is as far as I
> can tell: switching on a Marshaled value should produce a computed
> jump, which can be set by an attacker to point to an arbitrary place).
> Am I stuck writing my own marshal function?

Marshal is not type-safe, no chance. I see three options for you:

- If it is a closed protocol, you can sign the marshaled values
- You can use other serializers. A quite simple and fast serializer is
  the XDR encoder in my SunRPC implementation (see
  http://ocaml-programming.de/programming/rpc.html). Other options I
  know are BER (see ocamldap), XML-RPC, SOAP, and Ensemble.
- Write the serializer yourself. Maybe this is an option for you if you
  need maximum performance.

Gerd
------------------------------------------------------------
Gerd Stolpmann * Viktoriastr. 45 * 64293 Darmstadt * Germany
gerd@gerd-stolpmann.de http://www.gerd-stolpmann.de
------------------------------------------------------------
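
An added example, not part of the message above and not code from any project it mentions: a small hand-written serializer in the spirit of the third option, using only the OCaml standard library (4.13 or later is sufficient). The `msg` type, the tag values and the `max_field` limit are assumptions made for illustration; the decoder bounds-checks every read and can only ever build a value of type `msg`, whatever bytes arrive.

```ocaml
(* Hypothetical wire type, for illustration only; not from the thread. *)
type msg =
  | Ping of int32
  | Chat of string * string (* sender, text *)

let max_field = 4096 (* assumed cap on any string field *)

let put_string b s =
  Buffer.add_int32_be b (Int32.of_int (String.length s));
  Buffer.add_string b s

let encode m =
  let b = Buffer.create 64 in
  (match m with
   | Ping n -> Buffer.add_uint8 b 0; Buffer.add_int32_be b n
   | Chat (who, text) ->
     Buffer.add_uint8 b 1; put_string b who; put_string b text);
  Buffer.contents b

exception Malformed of string

(* Unlike Marshal.from_string, nothing here trusts a length or tag from the wire. *)
let decode (s : string) : (msg, string) result =
  let pos = ref 0 in
  let need n =
    if n < 0 || n > String.length s - !pos then raise (Malformed "truncated") in
  let u8 () = need 1; let v = Char.code s.[!pos] in incr pos; v in
  let i32 () =
    need 4; let v = String.get_int32_be s !pos in pos := !pos + 4; v in
  let str () =
    let n = Int32.to_int (i32 ()) in
    if n < 0 || n > max_field then raise (Malformed "bad length");
    need n;
    let v = String.sub s !pos n in pos := !pos + n; v in
  try
    let m = match u8 () with
      | 0 -> Ping (i32 ())
      | 1 -> let who = str () in let text = str () in Chat (who, text)
      | t -> raise (Malformed (Printf.sprintf "unknown tag %d" t)) in
    if !pos <> String.length s then raise (Malformed "trailing bytes");
    Ok m
  with Malformed e -> Error e

(* Constructed inputs: a round trip, a cut-off message, a hostile length. *)
let () =
  let wire = encode (Chat ("alice", "hi")) in
  assert (decode wire = Ok (Chat ("alice", "hi")));
  assert (decode (String.sub wire 0 7) = Error "truncated");
  assert (decode "\001\255\255\255\255" = Error "bad length")
```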