Re: Preventing Denial of Service Attack In IPC Serialization
On Jun 3, 2:53 pm, c...@mailvault.com wrote:
What is low class IMO is criticizing other attempts when
you have not published anything. I think the Boost library
has some weaknesses, but one nice thing about it is you can
use it. Do you plan to make available what you have been
describing?
I never intended to denigrate Boost. I tried to point out that the
problem would manifest with any serialization framework, and that the
programmer should be aware of this.
I imagine a situation where Programmer B sees Programmer A using
serialization for, say, File I/O, and thinks, "Hmmm...I could do the
same thing for my Socket class as he is doing for his File class", and
proceeds to use the serialization library in a non-secure mode.
Naturally, when the problem that I described manifests, [DoS by
resource exhaustion], the serialization framework is not to be
blamed.
The fundamental issue is that, as Lourens Veen so succinctly pointed
out, when you use serialization in non-secure mode, you simply cannot
have your cake and eat it too. So if I berate Boost, then I berate
all serialization frameworks, including my own, that claim to be
useful in non-secure generalized IPC over some type of Socket class.
This is a very unfortunate, but I think it is important for
programmers to be aware of it, no matter how disappointing it is. It
is certainly very disappointing for me.
As for my work, I am on the final stretch, struggling through some
hairy maths. Should be at least a few months before things start
popping out for general consumption and criticism.
-Le Chaud Lapin-
--
[ See http://www.gotw.ca/resources/clcm.htm for info about ]
[ comp.lang.c++.moderated. First time posters: Do this! ]