Is this Library save to accept untrusted data?

[CCludts]

Hi,

I'd like use this library to accept messages from untrusted (Unity) clients. The clients might try and tinker with the binaries to (DDOS) attack our servers. (Server also in Unity).

Is there no way a attacker could send a message that:

take unproportial cpu to decode take unproportial memory to decode instantiate a random C# class / call unwanted methods.

[yfakariya]

First, I am very happy to start discuss about security with community!

Here is my answer for your question:

• As far as I know, there are no proportional resource usage, but it sounds good idea to introduce quota for array length and map entries count.
• You can instantiate a random C# class / call unwanted methods (via their constructors) only when you use [MessagePackRuntimeType] related features. Note that there is a safe guard that is VerifierMethodName of [MessagePackRuntimeType] attributes family, which can filter out unexepcted types to be deserialized. As you imagine, it is best to avoid use [MessagePackRuntimeType] attributes family for security.

Any idea?

[CCludts]

Resource quotas sound look a good idea (might want to include quotas for strings also, unless you dont pre-allocate). I have very little knowledge on the topic, so I cant be of much assistance with that.

As for the runtime de-serialization, this paper on JSON-deserializer vulnerabilities was eye-opening to me. Maybe it can be of help should you decide to implement more safeguards. https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf

[yfakariya]

@PencilBow Thank you! I'm reading the paper.

[CCludts]

@yfakariya In case you're still interested, I found out that protobuf's CSharp implementation has some nice safeguards for avoiding arbitrary allocations. Hope it can be of help. https://github.com/google/protobuf/blob/master/csharp/src/Google.Protobuf/CodedInputStream.cs#L1139

[yfakariya]

@PencilBow Thank you!