柚子Nan -- Back to the Origin

Everything can be as easy as you like or as complex as you need.

Secure Serialization in .NET Remoting.

Posted on 2005-01-09 11:53 by 柚子Nan

Area: Other
Affected APIs:
• System.Runtime.Serialization.ISerializable
• System.Runtime.Remoting.ObjRef
• System.Runtime.Remoting.Lifetime.ILease
• System.Runtime.Remoting.Lifetime.ISponsor
• System.Runtime.Remoting.Contexts.IContributeEnvoySink
• System.Runtime.Remoting.Channels.SoapServerFormatterSinkProvider
• System.Runtime.Remoting.Channels.BinaryServerFormatterSinkProvider

Description:
Any remoting system that relies on run-time type validation must deserialize a remote stream to begin using it, and malicious clients could use the moment of serialization or deserialization to the detriment of your application. To protect against such clients, .NET remoting provides two levels of automatic deserialization, Low and Full. Low is the default value, and enables most basic remoting functionality, such as automatic deserialization of remoting infrastructure types, and a limited set of system-implemented types. Full supports automatic deserialization of all types that remoting supports in all situations. See below for a complete description of the settings.
Do not assume that controlling deserialization is the only security your application needs. In distributed applications even a high degree of control over serialization will not prevent malicious clients from intercepting the communication and using that in some way. Therefore, although the Low deserialization level will protect the remoting server from being directly exploited, you must still use authentication and encryption to completely protect your investment in your data. For details, see Security.

The following lists describe the .NET remoting deserialization levels.
• Low (default level)

The default serialization level in .NET remoting supports deserialization of the following types:
• Remoting infrastructure objects. These are the types needed to make remoting work at a basic level.
• Primitive types, and reference and value types that are composed of primitive types.
• Reference and value types that are marked with the SerializableAttribute attribute but do not implement the ISerializable interface.
• System-provided types that implement ISerializable with a reduced permission set.
• Custom types that implement ISerializable.
• Types that implement the ILease interface.
• ObjRef objects used for activation (to support client-activated objects).
• Full

The Full deserialization level in .NET remoting supports the following types:
• ObjRef objects passed as parameters.
• Objects that implement the ISponsor interface.
• Objects that are inserted between the proxy and client pipeline by the IContributeEnvoySink interface.

If your application needs to use remoting features that are only available at the Full serialization level, you must provide the type of authentication and the level of encryption necessary to protect any resources that might be at risk by using these advanced features in remote scenarios.
Workaround: You can set the serialization level programmatically or by using an application configuration file.
Setting the Serialization Level Programmatically
To set the serialization level programmatically, pass the following property to the SoapServerFormatterSinkProvider or BinaryServerFormatterSinkProvider on creation. The remoting system will then set the value on the formatter when it is inserted into the sink chain.
[C#]
using System.Collections;
using System.Runtime.Remoting.Channels;
// "typeFilterLevel" accepts "Low" (the default) or "Full".
IDictionary props = new Hashtable();
props["typeFilterLevel"] = "Full";
// The second argument is optional provider data; none is needed here.
BinaryServerFormatterSinkProvider formatterProvider = new BinaryServerFormatterSinkProvider(props, null);

Setting the Serialization Level Using an Application Configuration File

To use a configuration file to set the serialization level, you must explicitly specify the typeFilterLevel attribute of the <formatter> element. Although this is typically done on the server side, you must also specify this attribute to control the serialization level for any channel on the client registered to listen for a callback. The following example sets the serialization level to Full for both the SoapFormatter and BinaryFormatter in this application domain.

<configuration>
  <system.runtime.remoting>
    <application>
      <service>
        <wellknown
          type="ServiceType, common"
          objectUri="ServiceType.soap"
          mode="Singleton"
        />
      </service>

      <channels>
        <channel ref="http">
          <serverProviders>
            <provider ref="wsdl" />
            <formatter ref="soap" typeFilterLevel="Full" />
            <formatter ref="binary" typeFilterLevel="Full" />
          </serverProviders>
        </channel>
      </channels>
    </application>
  </system.runtime.remoting>
</configuration>
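As an added example (not from the original post or from Microsoft's documentation), the following C# host applies the programmatic workaround in the opposite direction: it pins the server formatter to Low, fails fast if the effective level is Full, and turns on the channel-level authentication and encryption that the Description section says the filter level alone does not provide. It assumes .NET 2.0 or later for the TcpChannel "secure" and "protectionLevel" properties, and the ServiceType class is a placeholder standing in for the article's "ServiceType, common".

```csharp
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Runtime.Serialization.Formatters;

public class HardenedRemotingHost
{
    // Build a server formatter provider pinned to the requested filter level,
    // using the same "typeFilterLevel" property the article sets.
    public static BinaryServerFormatterSinkProvider CreateProvider(TypeFilterLevel level)
    {
        IDictionary props = new Hashtable();
        props["typeFilterLevel"] = level.ToString(); // "Low" or "Full"
        return new BinaryServerFormatterSinkProvider(props, null);
    }

    public static void Main()
    {
        BinaryServerFormatterSinkProvider provider = CreateProvider(TypeFilterLevel.Low);

        // The provider exposes the effective level; refuse to start at Full.
        if (provider.TypeFilterLevel == TypeFilterLevel.Full)
            throw new InvalidOperationException("Server formatter must not run at Full.");

        IDictionary channelProps = new Hashtable();
        channelProps["port"] = 8085;
        // Filter level does not authenticate or encrypt. Assumption: .NET 2.0+
        // TcpChannel, which can negotiate Windows authentication and encryption.
        channelProps["secure"] = true;
        channelProps["protectionLevel"] = "EncryptAndSign";

        TcpChannel channel = new TcpChannel(channelProps, null, provider);
        ChannelServices.RegisterChannel(channel, true);

        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(ServiceType), "ServiceType.rem", WellKnownObjectMode.Singleton);

        Console.WriteLine("Listening with typeFilterLevel=" + provider.TypeFilterLevel);
        Console.ReadLine();
    }
}

// Placeholder service type (hypothetical), standing in for "ServiceType, common".
public class ServiceType : MarshalByRefObject
{
    public string Ping() { return "pong"; }
}
```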