undefined | Better HN

0 pointsbombela2mo ago0 comments

Ah, I see the confusion. rkyv_dyn doesn't serialize code. Rust is compiled to machine code. It would be quite a feat to accomplish.

I was a bit confused when you compared it to Python pickle and assumed you were talking about general input validation somehow.

I agree that pickle and similar are profoundly surprising and error prone. I struggle to find any reasonable reason one would want that.

As for the man in middle attack, I meant that if somebody intercepts the serialized form, they can mutate it. And without a cryptographic signature, you wouldn't know.

0 comments

amluto2mo ago

> rkyv_dyn doesn't serialize code. Rust is compiled to machine code.

Java is compiled to bytecode, and Obj-C is compiled to machine code. Yet both Android and iOS have had repeated severe vulnerabilities related to deserializing an object that contains a subobject of an unexpected type that pulls code along with it. It seems to be that rkyv_dyn has exactly the same underlying issue.

Sure, Rust is “safe”, and if all the unsafe code is sufficiently careful, it ought to be impossible to get the type of corruption that results in direct code execution, memory writes, etc. But systems can be fully compromised by semantic errors, too.

If I’m designing a system that takes untrusted input and produces an object of type Thing, I want Thing to be pure data. Once you start allowing an open set of methods on Thing or its subobjects, you have lost control of your own control flow. So doing:

    thing.a.func()

may call a function that wasn’t even written at the time you wrote that line of code or even a function that is only present in some but not all programs that execute that line of code.

Exploiting this is considerably harder than exploiting pickle, but considerably harder is not the same as impossible.

bombelaOP2mo ago

You know very well what I meant by "compile to machine code". But you decided to interpret it in a combative way. Even though you seem very knowledgeable, this makes me want to stop discussing with you.

Ultimately you should read the code of rkyv_dyn to understand what it does instead of making random claims.

It will be faster for you to read the code than for me to attempt explaining how it works. Especially since you will most likely choose the least charitable interpretation of everything I say. There is very little code, it won't take long.

amluto2mo ago

> You know very well what I meant by "compile to machine code".

I really don't. I think you mean that Rust compiles to machine code and neither loads executable code at runtime nor contains a JIT, so you can't possibly open a file and deserialize it and end up with code or particularly code-like things from that file being executed in your process.

My point is that there's an open-ended global registry of objects that implement a given trait, and it's possible (I think) to deserialize and get an unexpected type out, and calling its methods may run code that was not expected by whoever wrote the calling code. And the set of impls and thus the set of actual methods may expand by the mere fact of linking something else into the project.

This probably won't blow up quite as badly as NSCoding does in ObjC because Rust is (except when unsafe is used) memory-safe, so use-after-free just from deserializing is pretty unlikely. But I would still never use a mechanism like this if there was any chance of it consuming potentially malicious input.

j / k navigate · click thread line to collapse

0 comments

amluto2mo ago

> rkyv_dyn doesn't serialize code. Rust is compiled to machine code.

    thing.a.func()

may call a function that wasn’t even written at the time you wrote that line of code or even a function that is only present in some but not all programs that execute that line of code.

Exploiting this is considerably harder than exploiting pickle, but considerably harder is not the same as impossible.

bombelaOP2mo ago

Ultimately you should read the code of rkyv_dyn to understand what it does instead of making random claims.

amluto2mo ago

> You know very well what I meant by "compile to machine code".

j / k navigate · click thread line to collapse