English version
Accueil     À propos     Téléchargement     Ressources     Contactez-nous    

Ce site est rarement mis à jour. Pour les informations les plus récentes, rendez-vous sur le nouveau site OCaml à l'adresse ocaml.org.

Browse thread
Safe marshall?
[ Home ] [ Index: by date | by threads ]
[ Search: ]

[ Message by date: previous | next ] [ Message in thread: previous | next ] [ Thread: previous | next ]
Date: 2005-02-17 (23:14)
From: Eric Stokes <eric.stokes@c...>
Subject: Re: [Caml-list] Safe marshall?
I have to agree with Gerd, if at all possible use a protocol compiler 
such as XDR, or ASN.1, even signing might not be secure if your 
attacker can get ahold of the keys you are using. I can attest to the 
robustness of Gerd's XDR implementation, I have used it in several 

On Feb 17, 2005, at 1:39 AM, Gerd Stolpmann wrote:

> Mike Hamburg said:
>> Is there any way to call Marshall in a type-safe way?  I need to use
>> marshaling for a networking program, and I'd rather not leave Marshal
>> as an arbitrary code execution vulnerability (which it is as far as I
>> can tell: switching on a Marshaled value should produce a computed
>> jump, which can be set by an attacker to point to an arbitrary place).
>>  Am I stuck writing my own marshal function?
> Marshal is not type-safe, no chance. I see three options for you:
> - If it is a closed protocol, you can sign the marshaled values
> - You can use other serializers. A quite simple and fast serializer is 
> the
>   XDR encoder in my SunRPC implementation (see
>   http://ocaml-programming.de/programming/rpc.html). Other options
>   I know are BER (see ocamldap), XML-RPC, SOAP, and Ensemble.
> - Write the serializer yourself. Maybe this is an option for you
>   if you need maximum performance.
> Gerd
> ------------------------------------------------------------
> Gerd Stolpmann * Viktoriastr. 45 * 64293 Darmstadt * Germany
> gerd@gerd-stolpmann.de          http://www.gerd-stolpmann.de
> ------------------------------------------------------------
> _______________________________________________
> Caml-list mailing list. Subscription management:
> http://yquem.inria.fr/cgi-bin/mailman/listinfo/caml-list
> Archives: http://caml.inria.fr
> Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
> Bug reports: http://caml.inria.fr/bin/caml-bugs