is there a safe marshaler?

Paul Rubin http
Mon Feb 14 18:36:32 EST 2005


Irmen de Jong <irmen.NOSPAM at xs4all.nl> writes:
> > Well, ok, if you trust the other end then I think it's enough to just
> > authenticate all the pickles (say using hmac.py) without needing
> > something as heavyweight as SSL.
> 
> An interesting idea that hadn't crossed my mind yet.  Pyro *does*
> already have connection authentication that uses md5 (and hmac since
> 3.5beta) with a shared secret, but after that, the communication is
> done in plaintext so to speak.

Yes, that's what I meant, using hmac to authenticate using a shared secret,
sending the rest in the clear.  Note you should also put sequence numbers
in the messages, to stop the attacker from fooling you by selectively
deleting or replaying messages.
> 
> You should not want to expose a Pyro service to the internet because
> Python doesn't have Java's security model and sandboxing, that are
> used with RMI. Pyro has a few features that are very powerful
> but also require the use of intrinsically insecure Python code (namely,
> pickle, and marshal).

Can you say some more about this?  Does RMI really rely on sandboxes,
if you don't send code around, but just expose operations on server
side objects?

I don't think marshal is inherently insecure, since the unmarshaller
doesn't itself execute any marshalled code.  It apparently has some
bugs that can confuse it if you send it a malformed marshalled string,
but those can be fixed.  Pickle is inherently insecure because of how
it calls class constructors.

> Just look at the recent security advisory about the XMLRPC server
> that comes with Python.... it's much more primitive than Pyro is,
> but even that one was insecure.

I haven't looked at that bug carefully yet but yes, anything exposed
to the internet has to be done very carefully, and XMLRPC missed something.

> I wouldn't put a Java RMI server or xyz CORBA server or whatever
> kind of unrestricted API open on the internet anyway.
> Am I rational or paranoid?

I haven't used Java enough to advise you on this, but I thought they
were supposed to be ok to expose to the internet.  Certainly the whole
idea of .NET is to let you securely provide RPC services (excuse me
for a moment while I try to stop laughing for mentioning security and
Microsoft in the same sentence).  And lots of people use things like
SOAP for that.
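The scheme Paul sketches above (HMAC over every message with the shared secret, plus a sequence number so that deleted or replayed messages are caught) as an added example; it is not code from this thread or from Pyro. It assumes HMAC-SHA256, an 8-byte counter, and opaque byte payloads rather than pickles, so nothing is deserialized before the tag has been checked.

```python
import hmac
import hashlib
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag
HDR = struct.Struct("!Q")               # 8-byte big-endian sequence number


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame a message as seq || payload || HMAC(key, seq || payload)."""
    body = HDR.pack(seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Checks the tag first, then requires strictly consecutive sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected = 0  # next sequence number we will accept

    def open(self, msg: bytes) -> bytes:
        if len(msg) < HDR.size + TAG_LEN:
            raise ValueError("truncated message")
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time compare, and nothing in the body is trusted until it passes.
        if not hmac.compare_digest(tag, good):
            raise ValueError("bad MAC: forged or corrupted message")
        (seq,) = HDR.unpack(body[:HDR.size])
        if seq != self.expected:
            # seq < expected means a replay; seq > expected means something was dropped
            raise ValueError(f"sequence mismatch: expected {self.expected}, got {seq}")
        self.expected += 1
        return body[HDR.size:]


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # constructed demo key
    rx = Receiver(key)
    print(rx.open(seal(key, 0, b"hello")))  # accepted
    try:
        rx.open(seal(key, 0, b"hello"))     # replay of message 0
    except ValueError as e:
        print("rejected:", e)
```

Because the MAC is symmetric, a message could be reflected back to the peer that sent it; in practice each direction should use its own key (for example derived from the shared secret plus a direction label), which this example leaves out for brevity.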
