Re: Preventing Denial of Service Attack In IPC Serialization
On Jun 7, 11:15 pm, jlind...@hotmail.com wrote:
Does the receiver ultimately accept this 500MB, even use the sub-1Mb
method?
Sure. The higher-level chunking protocol would implement integrity/
authentication mechanisms to put an appropriate limit on DOS
vulnerabilities. I.e. as the substrings come in, we apply some
application specific logic to determine whether we consider the
situation reasonable or not. That logic has nothing to do with the
serialization of the substrings.
Yes it does.
Let us get specific. How would you define serialization code for a
String class? If you prefer a different class, choose whatever. I
have 102 classes I just counted in my project for which I have defined
serialization code, so there is a reasonable chance that if you choose
something common, there will be overlap.
Also, the words "integrity" and "authentication" look suspect to me.
I was clear, in at least 3 of my posts, including the original posts,
that the very essence of my thesis is only applicable when there is no
security available. I was quite clear in stating that, if security is
allowed, then there is no issue.
As I've repeated many times now, the whole issue here has nothing to
do with your serialization code. All your serialization code has to do
is make sure it doesn't blindly allocate memory of arbitrary size
(which it should obviously never do anyway), and you, as the
serialization framework user, just have to make sure you separate
deserialization from network reception, by applying a packet concept.
Still not seeing what you see. How about some code.
-Le Chaud Lapin-
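
The two requirements quoted above (never allocate on an unchecked length, and separate deserialization from network reception with a packet concept), sketched as an added example that is not part of the original post and is not either poster's code. The names, the 1 MiB cap and the wire format (32-bit big-endian length followed by the bytes) are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical names; assumed wire format: 32-bit big-endian length, then bytes.
constexpr std::size_t kMaxPacket = 1u << 20;  // assumed cap: 1 MiB per packet

// Cursor over one packet that has already been received in full.
struct PacketReader { const std::uint8_t* p; std::size_t left; };

bool read_u32(PacketReader& r, std::uint32_t& out) {
    if (r.left < 4) return false;
    out = (std::uint32_t(r.p[0]) << 24) | (std::uint32_t(r.p[1]) << 16) |
          (std::uint32_t(r.p[2]) << 8) | std::uint32_t(r.p[3]);
    r.p += 4; r.left -= 4;
    return true;
}

// The declared length is checked against the bytes actually present, so the
// allocation can never exceed the size of the packet being parsed.
bool read_string(PacketReader& r, std::string& out) {
    std::uint32_t n;
    if (!read_u32(r, n) || n > r.left) return false;  // length claim not backed by data
    out.assign(reinterpret_cast<const char*>(r.p), n);
    r.p += n; r.left -= n;
    return true;
}

// Reception layer: oversized packets are rejected before deserialization runs.
bool decode_packet(const std::vector<std::uint8_t>& pkt, std::string& out) {
    if (pkt.size() > kMaxPacket) return false;
    PacketReader r{pkt.data(), pkt.size()};
    return read_string(r, out);
}

int main() {
    // Constructed sample packets: one honest, one whose prefix claims 500 MiB.
    std::vector<std::uint8_t> ok = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    std::vector<std::uint8_t> lie = {0x1F, 0x40, 0, 0, 'x'};
    std::string s;
    std::printf("ok: %d\n", decode_packet(ok, s));
    std::printf("lie: %d\n", decode_packet(lie, s));
    return 0;
}
```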