Hi guys! I just realized that VIFF is not entirely secure -- in more ways than I thought previously :-)
I'm not talking about the result of the calculation (where we use plain TCP when we ought to use SSL for distributing shares) but about the use of the Python marshal module in VIFF. The documentation can be found here:

  http://docs.python.org/lib/module-marshal.html

and it says:

  Warning: The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source.

We use the marshal module in the ShareExchanger class to, well, marshal data in shares before they are exchanged. Since this is done over plain insecure TCP connections, a malicious guy could insert data in our TCP stream which will make the marshal module do strange things.

I found a recent thread on comp.lang.python where they discuss the issue and this post where it is shown that using marshal.loads on a malicious string can crash the Python interpreter:

  http://groups.google.com/group/comp.lang.python/msg/358335819c0e170b

It appears that marshal is being updated along the way, for trying this out on a Python version 2.4.4 on DAIMI gives:

    Python 2.4.4 (#1, Oct 23 2006, 13:58:00)
    [GCC 4.1.1 20061011 (Red Hat 4.1.1-30)] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import marshal
    >>> marshal.loads('RKp,U\xf7`\xef\xe77\xc1\xea\xd8\xec\xbe\\')
    Traceback (most recent call last):
      File "<stdin>", line 1, in ?
    ValueError: bad marshal data

I don't know if the marshal module can be tricked into executing code, but this example at least shows that denial of service attacks are possible (even if Python doesn't crash, we currently do not handle the ValueError exception raised).

-- 
Martin Geisler
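Added example (not part of the original post and not VIFF code): one way a receiver could avoid calling marshal.loads on bytes read from the TCP stream, by authenticating each frame with an HMAC, then decoding a fixed layout, and turning every rejection into one handled exception. The wire layout, the pre-shared key and the names pack_share, unpack_share, receive and BadFrame are assumptions made for illustration; the code is written for Python 3.

```python
import hashlib
import hmac
import struct

# Constructed wire format (an assumption, not VIFF's): 4-byte share id,
# 2-byte value length, big-endian value bytes, then a 32-byte HMAC-SHA256 tag.
HEADER = struct.Struct("!IH")
TAG_LEN = hashlib.sha256().digest_size
MAX_VALUE_LEN = 64  # upper bound on the encoded field element, in bytes


class BadFrame(Exception):
    """Raised for any frame that fails authentication or parsing."""


def pack_share(key, share_id, value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if len(body) > MAX_VALUE_LEN:
        raise ValueError("value too large")
    msg = HEADER.pack(share_id, len(body)) + body
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def unpack_share(key, frame):
    # Bound the size before doing any work on bytes from the network.
    shortest = HEADER.size + 1 + TAG_LEN
    if not shortest <= len(frame) <= HEADER.size + MAX_VALUE_LEN + TAG_LEN:
        raise BadFrame("bad length")
    msg, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    # Authenticate first, in constant time; nothing is parsed before this.
    if not hmac.compare_digest(tag, hmac.new(key, msg, hashlib.sha256).digest()):
        raise BadFrame("bad MAC")
    share_id, length = HEADER.unpack_from(msg)
    body = msg[HEADER.size:]
    # An authenticated peer can still send nonsense: check the declared length.
    if length != len(body):
        raise BadFrame("length mismatch")
    return share_id, int.from_bytes(body, "big")


def receive(key, frame):
    """Connection handler: a bad frame is dropped, never an unhandled error."""
    try:
        return unpack_share(key, frame)
    except BadFrame:
        return None
```

The HMAC only covers injection into the plain TCP stream; it does not give the confidentiality that SSL would.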
