Version française
Home     About     Download     Resources     Contact us    

This site is updated infrequently. For up-to-date information, please visit the new OCaml website at ocaml.org.

Browse thread
Safe marshall?
[ Home ] [ Index: by date | by threads ]
[ Search: ]

[ Message by date: previous | next ] [ Message in thread: previous | next ] [ Thread: previous | next ]
Date: 2005-02-17 (09:39)
From: Gerd Stolpmann <info@g...>
Subject: Re: [Caml-list] Safe marshall? 
Mike Hamburg said:
> Is there any way to call Marshall in a type-safe way?  I need to use
> marshaling for a networking program, and I'd rather not leave Marshal
> as an arbitrary code execution vulnerability (which it is as far as I
> can tell: switching on a Marshaled value should produce a computed
> jump, which can be set by an attacker to point to an arbitrary place).
>  Am I stuck writing my own marshal function?

Marshal is not type-safe, no chance. I see three options for you:

- If it is a closed protocol, you can sign the marshaled values

- You can use other serializers. A quite simple and fast serializer is the
  XDR encoder in my SunRPC implementation (see
  http://ocaml-programming.de/programming/rpc.html). Other options
  I know are BER (see ocamldap), XML-RPC, SOAP, and Ensemble.

- Write the serializer yourself. Maybe this is an option for you
  if you need maximum performance.

Gerd
------------------------------------------------------------
Gerd Stolpmann * Viktoriastr. 45 * 64293 Darmstadt * Germany
gerd@gerd-stolpmann.de          http://www.gerd-stolpmann.de
------------------------------------------------------------