caml-list - the Caml user's mailing list
* [Caml-list] Does Marshal handle malicious data?
@ 2002-03-05 22:56 Charles Martin
  2002-03-06  3:28 ` Brian Rogoff
  2002-03-06 10:59 ` Xavier Leroy
  0 siblings, 2 replies; 5+ messages in thread
From: Charles Martin @ 2002-03-05 22:56 UTC (permalink / raw)
  To: caml-list

Will the standard Marshal library correctly generate an exception for malicious data?  Or is it possible that it will cause a core dump, read past end of string, etc?



-------------------
To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr
Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners



* Re: [Caml-list] Does Marshal handle malicious data?
  2002-03-05 22:56 [Caml-list] Does Marshal handle malicious data? Charles Martin
@ 2002-03-06  3:28 ` Brian Rogoff
  2002-03-06 10:59 ` Xavier Leroy
  1 sibling, 0 replies; 5+ messages in thread
From: Brian Rogoff @ 2002-03-06  3:28 UTC (permalink / raw)
  To: Charles Martin; +Cc: caml-list

On Tue, 5 Mar 2002, Charles Martin wrote:
> Will the standard Marshal library correctly generate an exception for
> malicious data?  Or is it possible that it will cause a core dump, read
> past end of string, etc?

You can get a core dump from improper use of marshalling without
"malicious" use. I've had it happen by simply changing a data format and
using the wrong version of the program to read it back in.

You can increase the safety by various tricks in your reader, but I don't
think there are any simple idiot-proof solutions. I'm a pretty clever
idiot.

-- Brian

* Re: [Caml-list] Does Marshal handle malicious data?
  2002-03-05 22:56 [Caml-list] Does Marshal handle malicious data? Charles Martin
  2002-03-06  3:28 ` Brian Rogoff
@ 2002-03-06 10:59 ` Xavier Leroy
  2002-03-06 14:10   ` Brian Rogoff
  1 sibling, 1 reply; 5+ messages in thread
From: Xavier Leroy @ 2002-03-06 10:59 UTC (permalink / raw)
  To: Charles Martin; +Cc: caml-list

> Will the standard Marshal library correctly generate an exception
> for malicious data?  Or is it possible that it will cause a core
> dump, read past end of string, etc?

No, unmarshaling is not hardened against bad data (except checking the
initial magic number).  So, corrupted data can cause all the bad
things that you mentioned (core dump, etc).

Gracefully recovering from bad data could be implemented, but at
significant run-time cost.  An alternative is to use message
authentication codes and the like to guarantee the integrity of the
data.

- Xavier Leroy

* Re: [Caml-list] Does Marshal handle malicious data?
  2002-03-06 10:59 ` Xavier Leroy
@ 2002-03-06 14:10   ` Brian Rogoff
  2002-03-07  8:59     ` Xavier Leroy
  0 siblings, 1 reply; 5+ messages in thread
From: Brian Rogoff @ 2002-03-06 14:10 UTC (permalink / raw)
  To: Xavier Leroy; +Cc: Charles Martin, caml-list

On Wed, 6 Mar 2002, Xavier Leroy wrote:
> Gracefully recovering from bad data could be implemented, but at
> significant run-time cost.  An alternative is to use message
> authentication codes and the like to guarantee the integrity of the
> data.

I've thought that it may be useful to have a Sys.version or similar
to use in such authentication codes, since I do exactly what you
mention and ensuring integrity across compiler versions is an issue.
Opinions?

-- Brian

* Re: [Caml-list] Does Marshal handle malicious data?
  2002-03-06 14:10   ` Brian Rogoff
@ 2002-03-07  8:59     ` Xavier Leroy
  0 siblings, 0 replies; 5+ messages in thread
From: Xavier Leroy @ 2002-03-07  8:59 UTC (permalink / raw)
  To: Brian Rogoff; +Cc: Charles Martin, caml-list

> I've thought that it may be useful to have a Sys.version or similar
> to use in such authentication codes, since I do exactly what you
> mention and ensuring integrity across compiler versions is an issue.
> Opinions?

Damien Doligez heard you :-)  The working sources have Sys.ocaml_version,
which is a string giving the version number and additional info.

- Xavier Leroy
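
The approach suggested in the replies above (a MAC checked before unmarshaling, with Sys.ocaml_version bound into it), as an added example that is not part of the original thread. It assumes the third-party cryptokit library for HMAC-SHA256; the frame layout, the key and the names mac, equal_tags, seal and unseal are constructed for illustration.

```ocaml
(* Added example: verify a MAC before calling Marshal.from_string.
   Assumes the third-party cryptokit library; names and layout are constructed. *)
let tag_len = 32  (* HMAC-SHA256 output size in bytes *)

(* MAC over the compiler version and the payload, so a blob written by a
   different OCaml version fails verification instead of being decoded. *)
let mac ~key payload =
  let h = Cryptokit.MAC.hmac_sha256 key in
  Cryptokit.hash_string h (Sys.ocaml_version ^ "\000" ^ payload)

(* Compare tags without an early exit on the first differing byte. *)
let equal_tags a b =
  String.length a = String.length b &&
  begin
    let diff = ref 0 in
    String.iteri (fun i c -> diff := !diff lor (Char.code c lxor Char.code b.[i])) a;
    !diff = 0
  end

(* Frame = tag (32 bytes) followed by the Marshal output. *)
let seal ~key v =
  let payload = Marshal.to_string v [] in
  mac ~key payload ^ payload

(* The caller picks the result type, as with Marshal.from_string: the MAC
   shows the bytes come from a key holder, not what type they encode. *)
let unseal ~key frame =
  let n = String.length frame in
  if n < tag_len + Marshal.header_size then Error "frame too short" else
  let tag = String.sub frame 0 tag_len in
  let payload = String.sub frame tag_len (n - tag_len) in
  if not (equal_tags tag (mac ~key payload)) then Error "bad MAC" else
  Ok (Marshal.from_string payload 0)  (* only authenticated bytes get here *)

let () =
  let key = "constructed-demo-key-not-for-real-use" in
  let frame = seal ~key [ ("alice", 1); ("bob", 2) ] in
  (match (unseal ~key frame : ((string * int) list, string) result) with
   | Ok l -> Printf.printf "ok: %d entries\n" (List.length l)
   | Error e -> Printf.printf "rejected: %s\n" e);
  (* Constructed tampering: flip one bit in the last payload byte. *)
  let bad = Bytes.of_string frame in
  let i = Bytes.length bad - 1 in
  Bytes.set bad i (Char.chr (Char.code (Bytes.get bad i) lxor 1));
  match (unseal ~key (Bytes.to_string bad) : ((string * int) list, string) result) with
  | Ok _ -> print_endline "accepted (unexpected)"
  | Error e -> Printf.printf "rejected: %s\n" e
```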
