Safe marshall?

Safe marshall?

[Mike Hamburg]

Is there any way to call Marshall in a type-safe way?  I need to use 
marshaling for a networking program, and I'd rather not leave Marshal 
as an arbitrary code execution vulnerability (which it is as far as I 
can tell: switching on a Marshaled value should produce a computed 
jump, which can be set by an attacker to point to an arbitrary place).  
Am I stuck writing my own marshal function?

Mike Hamburg

Re: [Caml-list] Safe marshall?

[Oliver Bandel]

On Wed, Feb 16, 2005 at 05:07:55PM -0500, Mike Hamburg wrote:
> Is there any way to call Marshall in a type-safe way?  I need to use 
> marshaling for a networking program, and I'd rather not leave Marshal 
> as an arbitrary code execution vulnerability (which it is as far as I 
> can tell: switching on a Marshaled value should produce a computed 
> jump, which can be set by an attacker to point to an arbitrary place).  
> Am I stuck writing my own marshal function?

Is it possible to say a C-function *anything* about a datastructure's structure?
Via the C-interface of OCaml?!

If so.... at least under Mac OS-X it should be possible to solve that task
with Objective-C. It can dump objects completely.

So this -  at least on this platform - would be possible then.

But IMHO this may not be possible with all Objective-C implementations.

Ciao,
  Oliver

Re: [Caml-list] Safe marshall?

[Mike Hamburg]

I don't know of any way to tell a C function typing information.  Maybe 
with GCaml, but I haven't seen a new version of that in a long time.  
Even to get such information from within Caml sounds dubious; it seems 
like a Haskell-type-class-esque solution would be needed.

Anyway, is the Objective-C serialization safe?  This sounds unlikely to 
me...

Mike

On Feb 16, 2005, at 5:55 PM, Oliver Bandel wrote:

> On Wed, Feb 16, 2005 at 05:07:55PM -0500, Mike Hamburg wrote:
>> Is there any way to call Marshall in a type-safe way?  I need to use
>> marshaling for a networking program, and I'd rather not leave Marshal
>> as an arbitrary code execution vulnerability (which it is as far as I
>> can tell: switching on a Marshaled value should produce a computed
>> jump, which can be set by an attacker to point to an arbitrary place).
>> Am I stuck writing my own marshal function?
>
> Is it possible to say a C-function *anything* about a datastructure's 
> structure?
> Via the C-interface of OCaml?!
>
> If so.... at least under Mac OS-X it should be possible to solve that 
> task
> with Objective-C. It can dump objects completely.
>
> So this -  at least on this platform - would be possible then.
>
> But IMHO this may not be possible with all Objective-C implementations.
>
> Ciao,
>   Oliver
>
> _______________________________________________
> Caml-list mailing list. Subscription management:
> http://yquem.inria.fr/cgi-bin/mailman/listinfo/caml-list
> Archives: http://caml.inria.fr
> Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
> Bug reports: http://caml.inria.fr/bin/caml-bugs
>

Re: [Caml-list] Safe marshall?

[Gerd Stolpmann]

Mike Hamburg said:
> Is there any way to call Marshall in a type-safe way?  I need to use
> marshaling for a networking program, and I'd rather not leave Marshal
> as an arbitrary code execution vulnerability (which it is as far as I
> can tell: switching on a Marshaled value should produce a computed
> jump, which can be set by an attacker to point to an arbitrary place).
>  Am I stuck writing my own marshal function?

Marshal is not type-safe, no chance. I see three options for you:

- If it is a closed protocol, you can sign the marshaled values

- You can use other serializers. A quite simple and fast serializer is the
  XDR encoder in my SunRPC implementation (see
  http://ocaml-programming.de/programming/rpc.html). Other options
  I know are BER (see ocamldap), XML-RPC, SOAP, and Ensemble.

- Write the serializer yourself. Maybe this is an option for you
  if you need maximum performance.

Gerd
------------------------------------------------------------
Gerd Stolpmann * Viktoriastr. 45 * 64293 Darmstadt * Germany
gerd@gerd-stolpmann.de          http://www.gerd-stolpmann.de
------------------------------------------------------------

Re: [Caml-list] Safe marshall?

[Eric Stokes]

I have to agree with Gerd, if at all possible use a protocol compiler 
such as XDR, or ASN.1, even signing might not be secure if your 
attacker can get ahold of the keys you are using. I can attest to the 
robustness of Gerd's XDR implementation, I have used it in several 
projects.

On Feb 17, 2005, at 1:39 AM, Gerd Stolpmann wrote:

> Mike Hamburg said:
>> Is there any way to call Marshall in a type-safe way?  I need to use
>> marshaling for a networking program, and I'd rather not leave Marshal
>> as an arbitrary code execution vulnerability (which it is as far as I
>> can tell: switching on a Marshaled value should produce a computed
>> jump, which can be set by an attacker to point to an arbitrary place).
>>  Am I stuck writing my own marshal function?
>
> Marshal is not type-safe, no chance. I see three options for you:
>
> - If it is a closed protocol, you can sign the marshaled values
>
> - You can use other serializers. A quite simple and fast serializer is 
> the
>   XDR encoder in my SunRPC implementation (see
>   http://ocaml-programming.de/programming/rpc.html). Other options
>   I know are BER (see ocamldap), XML-RPC, SOAP, and Ensemble.
>
> - Write the serializer yourself. Maybe this is an option for you
>   if you need maximum performance.
>
> Gerd
> ------------------------------------------------------------
> Gerd Stolpmann * Viktoriastr. 45 * 64293 Darmstadt * Germany
> gerd@gerd-stolpmann.de          http://www.gerd-stolpmann.de
> ------------------------------------------------------------
>
>
>
> _______________________________________________
> Caml-list mailing list. Subscription management:
> http://yquem.inria.fr/cgi-bin/mailman/listinfo/caml-list
> Archives: http://caml.inria.fr
> Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
> Bug reports: http://caml.inria.fr/bin/caml-bugs
>

Re: [Caml-list] Safe marshall?

[Oliver Bandel]

On Wed, Feb 16, 2005 at 07:11:03PM -0500, Mike Hamburg wrote:
> I don't know of any way to tell a C function typing information.  Maybe 
> with GCaml, but I haven't seen a new version of that in a long time.  
> Even to get such information from within Caml sounds dubious; it seems 
> like a Haskell-type-class-esque solution would be needed.
> 
> Anyway, is the Objective-C serialization safe?  This sounds unlikely to 
> me...

Safe... I think so.
But type safe?!
At least as typesafe as a C-system can be. ;-)

I will explore this in more detail in the next weeks.
I than may say something here in the list, if it matches
the needs of the discussions then (or when I may started
to write some code to marriage Objcetive-C and OCaml (for using
OCaml on Cocoa).

IMHO here are some other people on the list who has explored
ObjC in more detail. I will do that during the next few weeks.

Ciao,
   Oliver

Re: [Caml-list] Safe marshall?

[Oliver Bandel]

On Thu, Feb 17, 2005 at 03:14:30PM -0800, Eric Stokes wrote:
> I have to agree with Gerd, if at all possible use a protocol compiler 
> such as XDR, or ASN.1, even signing might not be secure if your 

Yes, XDR seems to be a good idea.


> attacker can get ahold of the keys you are using. I can attest to the 
> robustness of Gerd's XDR implementation, I have used it in several 
> projects.

Well.. is there already an XDR-binding for OCaml?

Where to find it?!

Ciao,
   Oliver

Re: [Caml-list] Safe marshall?

[Gerd Stolpmann]

Oliver Bandel said:
> On Thu, Feb 17, 2005 at 03:14:30PM -0800, Eric Stokes wrote:
>> I have to agree with Gerd, if at all possible use a protocol compiler
>> such as XDR, or ASN.1, even signing might not be secure if your
>
> Yes, XDR seems to be a good idea.
>
>
>> attacker can get ahold of the keys you are using. I can attest to the
>> robustness of Gerd's XDR implementation, I have used it in several
>> projects.
>
> Well.. is there already an XDR-binding for OCaml?

Yes, as already pointed out, it is part of my SunRPC implementation:
http://ocaml-programming.de/programming/rpc.html. It is not a binding,
however, but a pure O'Caml implementation.

It is quite easy and obvious how to use the XDR part alone without
the rest of RPC. For example, to define a record with an integer
and a string of maximum 20 characters:

open Xdr
open Rtypes
let my_type_term =
  X_struct [ "my_int", X_int;
             "my_string", (X_string (uint4_of_int 20)) ]
let my_type = validate_xdt_type_term my_type_term

Now, to encode a value:

let my_val =
  XV_struct [ "my_int", (XV_int (int4_of_int 42));
              "my_string", (XV_string "Sample") ]
let my_val_as_wire_string =
  pack_xdr_value_as_string my_val my_type []

my_val_as_wire_string can now be sent over the network. For
decoding, use:

let my_val_again =
  unpack_xdr_value my_val_as_wire_string my_type []

If the string is illegal (e.g. my_string is longer than
20 characters), exceptions will be thrown.

One can also use ocamlrpcgen to generate parts of the above
code, including automatic conversion between XDR and the
corresponding O'Caml types (e.g. an XDR struct is converted
to an O'Caml record type). For complex protocols, the overhead
of learning ocamlrpcgen is worth the effort.

One should also consider using RPC directly rather than to invent
a new networking layer.

Gerd

> Where to find it?!
>
> Ciao,
>   Oliver
>
> _______________________________________________
> Caml-list mailing list. Subscription management:
> http://yquem.inria.fr/cgi-bin/mailman/listinfo/caml-list
> Archives: http://caml.inria.fr
> Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
> Bug reports: http://caml.inria.fr/bin/caml-bugs


------------------------------------------------------------
Gerd Stolpmann * Viktoriastr. 45 * 64293 Darmstadt * Germany
gerd@gerd-stolpmann.de          http://www.gerd-stolpmann.de
------------------------------------------------------------

Re: [Caml-list] Safe marshall?

[Gerd Stolpmann]

Gerd Stolpmann said:
>
> Oliver Bandel said:
>> On Thu, Feb 17, 2005 at 03:14:30PM -0800, Eric Stokes wrote:
>>> I have to agree with Gerd, if at all possible use a protocol compiler
>>> such as XDR, or ASN.1, even signing might not be secure if your
>>
>> Yes, XDR seems to be a good idea.
>>
>>
>>> attacker can get ahold of the keys you are using. I can attest to the
>>> robustness of Gerd's XDR implementation, I have used it in several
>>> projects.
>>
>> Well.. is there already an XDR-binding for OCaml?
>
> Yes, as already pointed out, it is part of my SunRPC implementation:
> http://ocaml-programming.de/programming/rpc.html. It is not a binding,
> however, but a pure O'Caml implementation.
>
> It is quite easy and obvious how to use the XDR part alone without the
> rest of RPC. For example, to define a record with an integer
> and a string of maximum 20 characters:
>
> open Xdr
> open Rtypes
> let my_type_term   X_struct [ "my_int", X_int;

Oops, obviously somebody has stolen my "=". It is of course
let my_type_term = X_struct (etc.).

>             "my_string", (X_string (uint4_of_int 20)) ]
> let my_type = validate_xdt_type_term my_type_term
>
> Now, to encode a value:
>
> let my_val   XV_struct [ "my_int", (XV_int (int4_of_int 42));
>              "my_string", (XV_string "Sample") ]
> let my_val_as_wire_string   pack_xdr_value_as_string my_val my_type []
>
> my_val_as_wire_string can now be sent over the network. For
> decoding, use:
>
> let my_val_again   unpack_xdr_value my_val_as_wire_string my_type []
>
> If the string is illegal (e.g. my_string is longer than
> 20 characters), exceptions will be thrown.
>
> One can also use ocamlrpcgen to generate parts of the above
> code, including automatic conversion between XDR and the
> corresponding O'Caml types (e.g. an XDR struct is converted
> to an O'Caml record type). For complex protocols, the overhead
> of learning ocamlrpcgen is worth the effort.
>
> One should also consider using RPC directly rather than to invent
> a new networking layer.
>
> Gerd
>
>> Where to find it?!
>>
>> Ciao,
>>   Oliver
>>
>> _______________________________________________
>> Caml-list mailing list. Subscription management:
>> http://yquem.inria.fr/cgi-bin/mailman/listinfo/caml-list
>> Archives: http://caml.inria.fr
>> Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
>> Bug reports: http://caml.inria.fr/bin/caml-bugs
>
>
> ------------------------------------------------------------
> Gerd Stolpmann * Viktoriastr. 45 * 64293 Darmstadt * Germany
> gerd@gerd-stolpmann.de          http://www.gerd-stolpmann.de
> ------------------------------------------------------------
>
>
>
> _______________________________________________
> Caml-list mailing list. Subscription management:
> http://yquem.inria.fr/cgi-bin/mailman/listinfo/caml-list
> Archives: http://caml.inria.fr
> Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
> Bug reports: http://caml.inria.fr/bin/caml-bugs


------------------------------------------------------------
Gerd Stolpmann * Viktoriastr. 45 * 64293 Darmstadt * Germany
gerd@gerd-stolpmann.de          http://www.gerd-stolpmann.de
------------------------------------------------------------