May 10, 2002 tools

SafeFormatter for .NET

Are you building and deploying .NET applications in a secure environment, e.g. over the intranet or the internet? If so, they you’ve probably mourned the loss of the binary and SOAP formatters that can automatically serialize a graph of objects that are marked as [Serializable] and that may also implement ISerializable and IDeserializationCallback. Both of these formatters are dependent on reflection, which will not be available in a more restrictive security environment. Likewise, even ISerialization.GetObjectData is verboten if you wanted to do this kind of thing yourself. As far as that goes, [Serializable] and ISerialization should be forbidden in a secure environment, as it allows a client to get and set the private variables of an object, potentially causing harm.

Still, security is the enemy of usability, to paraphrase Keith Brown. So, in the spirit of a balancing the design need for objects that can serialize themselves with the goal of complete disclosure in a secure world, I’ve built my own safe” formatter. It only uses facilities of the runtime that work in the most secure environment of the default settings for the internet zone. So that objects can guard themselves against malicious data, I define a new interface called ISafelySerializeable that they need to implement to support this serialization facility. The protocol is exactly the same as ISerializable, so if that interface is already being implemented, the implementation of GetObjectData can be shared between both interfaces.

Currently, the code is in alpha and is riddled with TODO statements, but its functional enough today for actual usage. My SafeFormatter and test harness are available for your feedback. Enjoy.