[cl-store-devel] On the security of cl-store

Sean Ross rosssd at gmail.com
Sun Mar 7 11:34:36 UTC 2010


On 7 Mar 2010, at 05:45, Elliott Slaughter wrote:

> Hi,
> 
> I would like to use cl-store to serialize messages sent over a network connection and am wondering if cl-store has any known security issues. I know, for example, that pickle in python can be used to execute arbitrary code when deserializing an object [1]. Does cl-store have any obvious issues like this?

Hi Elliott,

All deserialization in the default backend is done via read-byte, which is then fed into custom constructors, so I would be
quite confident in saying that cl-store isn't vulnerable to arbitrary code execution.

One possible source of concern would be hash-table & function restoration: a carefully crafted data stream could create a data
structure with a malicious function. As an example, if you had the following function defined in your image

(defun clear-all-data (a b)
   ... ; some code which deletes all data from your database
)

then a stream could be crafted which, when loaded, would create a hash-table with this function as the hash-table-test.
If your Lisp allows arbitrary hash-table tests, then this would run clear-all-data when using the hash-table.

If you are concerned about this, a workaround would be to create a new backend which extends the cl-store backend
and override the hash-table restore to only allow symbols and/or only allow a certain set of tests.

Additionally, CLISP has support for restoration of arbitrary closures, which would allow the same attack but without the
requirement that the function be predefined. If you are using CLISP, I would suggest extending the default backend
and using the following definitions for function storing and restoring.

;; Store a function only by the name of its global definition,
;; never as a closure object.
(defstore-cl-store (obj function stream)
  (output-type-code +function-code+ stream)
  (store-object (get-function-name obj) stream))

;; Restore by looking the name up in the running image, so a stream can
;; only refer to functions that already exist there.
(defrestore-cl-store (function stream)
  (fdefinition (restore-object stream)))



To my knowledge the only other vulnerabilities would revolve around uses of eval, read or read-from-string, which cl-store
does not use.


Regards,
 Sean.
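The backend-extension workaround Sean describes for hash tables, as an added example that is not code from the post or from the cl-store project: a backend extending cl-store whose hash-table restorer accepts only the four standard test symbols, so a function object (or any other test) smuggled into the stream is rejected before make-hash-table sees it. It assumes cl-store's documented defbackend / defrestore-<name> macros, the exported resolving-object and setting circularity macros, find-backend, and the default backend's hash-table field order (rehash-size, rehash-threshold, size, test, count, then key/value pairs); the package name safe-store and the file path are constructed for the example.

```lisp
;; Added example, not from the post or the cl-store project.  Assumes
;; cl-store's defbackend / defrestore-<name> macros, its exported
;; resolving-object and setting macros, and the default backend's hash-table
;; field order: rehash-size, rehash-threshold, size, test, count, pairs.
(defpackage :safe-store
  (:use :cl :cl-store))
(in-package :safe-store)

;; New backend; every type not overridden here falls through to cl-store.
(defbackend safe-store :extends (cl-store))

(defparameter *allowed-hash-table-tests* '(eq eql equal equalp)
  "Only these symbols may name the test of a restored hash table.")

(define-condition unsafe-hash-table-test (restore-error)
  ((test :initarg :test :reader unsafe-test))
  (:report (lambda (c s)
             (format s "Refusing to restore a hash table whose test is ~S"
                     (unsafe-test c)))))

(defun check-hash-table-test (test)
  "Return TEST if it is an allowed symbol, else signal a restore error.
A function object read from the stream never reaches make-hash-table."
  (if (and (symbolp test) (member test *allowed-hash-table-tests*))
      test
      (error 'unsafe-hash-table-test :test test)))

(defrestore-safe-store (hash-table stream)
  (let* ((rehash-size      (restore-object stream))
         (rehash-threshold (restore-object stream))
         (size             (restore-object stream))
         (test             (check-hash-table-test (restore-object stream)))
         (count            (restore-object stream))
         (hash (make-hash-table :test test :size size
                                :rehash-size rehash-size
                                :rehash-threshold rehash-threshold)))
    ;; Same circularity handling the default backend's restorer uses.
    (resolving-object (x hash)
      (loop repeat count
            do (let ((key (restore-object stream)))
                 (setting (gethash key x) (restore-object stream)))))
    hash))

;; Usage (constructed): write with the default backend, read back with the
;; checked one.  A stream whose test slot holds a function is rejected.
(let ((table (make-hash-table :test 'equal)))
  (setf (gethash "answer" table) 42)
  (store table "/tmp/table.store")
  (gethash "answer" (restore "/tmp/table.store" (find-backend 'safe-store))))
```

Storing still goes through the unmodified default backend; only the untrusted direction (restore) is tightened, which is where the crafted stream would arrive.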


> 
> Thanks.
> 
> [1] http://nadiana.com/python-pickle-insecure
> 
> -- 
> Elliott Slaughter
> 
> "Don't worry about what anybody else is going to do. The best way to predict the future is to invent it." - Alan Kay
> _______________________________________________
> cl-store-devel mailing list
> cl-store-devel at common-lisp.net
> http://common-lisp.net/cgi-bin/mailman/listinfo/cl-store-devel
