is there a safe marshaler?

Mon Feb 14 19:46:43 EST 2005

Irmen de Jong <irmen.NOSPAM at xs4all.nl> writes:
> > Note you should also put sequence numbers in the messages, to stop
> > the attacker from fooling you by selectively deleting or replaying
> > messages.
> 
> Thanks for the tip. I'll think about this.

Hmm, you also want a random blob in each packet (including the session
start) included in the authentication of the next packet, so the
attacker can't cut and paste messages from old sessions into the
current ones.  You know, by the time you're through designing this you
may be better off just using SSL and getting it over with.  It's very
easy to make mistakes designing these types of protocols.  There are
some reasonable examples in "Applied Cryptography", but maybe you
don't want to deal with this stuff.

> Well, my experience with RMI is very limited (and from a few years ago)
> but I remember that you are required to set a security manager on your
> RMI objects. I always used Java's default rmi security manager but I
> honestly don't know what it actually does :-D

Thanks, I should try to find out more about this.  I'm about to be
doing some stuff with an existing RMI app and I better make sure it's
not already vulnerable.

> I label things like SOAP and XML-RPC much different than RMI or Pyro,
> because they (SOAP) are much more "distant" from the actual
> programming language and environment beneath them. I don't know if
> this is good thinking or not but the fact that RMI and Pyro expose
> language features directly, and SOAP not, makes that I reason about them
> differently.

Hmm, I sort of understand this, but not completely.  Does DCOM or .NET
expose language features directly?

> Then again, Pyro allows you to use two forms of XML serialization
> on the wire (instead of pickle), which may or may not move it much closer
> to SOAP and the likes. But there are other reasons for not wanting
> a Pyro server exposed on the internet. Such as the lack of a good
> security analisys of Pyro. Perhaps it suffers from similar holes
> as XMLRPC until recently...

I've been meaning to look at Pyro and will certainly let you know if I
spot any problems, but of course there might be some that I don't find.

> Furthermore there are practical issues such as having to
> open a buch of new ports in your firewall. In my experience
> this is very hard to get done, sadly, in contrast to just
> exposing a "web-service" (in whatever form) on port 80 HTTP.

Yes, though RMI requires the same.