BinaryFormatter 安全指南BinaryFormatter security guide

本文适用于以下 .NET 实现:This article applies to the following .NET implementations:

  • 所有版本的 .NET Framework.NET Framework all versions
  • .NET Core 2.1 - 3.1.NET Core 2.1 - 3.1
  • .NET 5.0 及更高版本.NET 5.0 and later

背景Background

警告

BinaryFormatter 类型会带来风险,不建议将其用于数据处理。The BinaryFormatter type is dangerous and is not recommended for data processing. 即使应用程序认为自己正在处理的数据是可信的,也应尽快停止使用 BinaryFormatterApplications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter 不安全,无法确保安全。BinaryFormatter is insecure and can't be made secure.

本文适用于以下类型:This article also applies to the following types:

反序列化漏洞是指不安全地处理请求有效负载的威胁类别。Deserialization vulnerabilities are a threat category where request payloads are processed insecurely. 成功利用这些漏洞攻击应用的攻击者可导致目标应用内出现拒绝服务 (DoS)、信息泄露或远程代码执行。An attacker who successfully leverages these vulnerabilities against an app can cause denial of service (DoS), information disclosure, or remote code execution inside the target app. 此风险类别始终是 10 项最严重的 OWASP 风险之一。This risk category consistently makes the OWASP Top 10. 攻击目标包括使用多种语言(包括 C/C++、Java 和 C#)编写的应用。Targets include apps written in a variety of languages, including C/C++, Java, and C#.

在 .NET 中,风险最大的目标是使用 BinaryFormatter 类型来反序列化数据的应用。In .NET, the biggest risk target is apps that use the BinaryFormatter type to deserialize data. BinaryFormatter 因为其强大的功能和易用性而广泛用于整个 .NET 生态系统。BinaryFormatter is widely used throughout the .NET ecosystem because of its power and its ease of use. 但是,其强大的功能也让攻击者能够影响目标应用内的控制流。However, this same power gives attackers the ability to influence control flow within the target app. 成功的攻击可能导致攻击者能够在目标进程的上下文中运行代码。Successful attacks can result in the attacker being able to run code within the context of the target process.

更简单的比喻是,假设在有效负载上调用 BinaryFormatter.Deserialize 相当于将该有效负载解释为独立的可执行文件并启动它。As a simpler analogy, assume that calling BinaryFormatter.Deserialize over a payload is the equivalent of interpreting that payload as a standalone executable and launching it.

BinaryFormatter 安全漏洞BinaryFormatter security vulnerabilities

警告

BinaryFormatter.Deserialize 方法用于不受信任的输入时,该方法永远都不安全。The BinaryFormatter.Deserialize method is never safe when used with untrusted input. 强烈建议使用者改为考虑使用本文后面概述的替代方法之一。We strongly recommend that consumers instead consider using one of the alternatives outlined later in this article.

BinaryFormatter 是在反序列化漏洞成为一个众所周知的威胁类别之前实现的。BinaryFormatter was implemented before deserialization vulnerabilities were a well-understood threat category. 因此,代码不遵循现代最佳做法。As a result, the code does not follow modern best practices. Deserialize 方法可用作攻击者对使用中的应用执行 DoS 攻击的载体。The Deserialize method can be used as a vector for attackers to perform DoS attacks against consuming apps. 这些攻击可能导致应用无响应或进程意外终止。These attacks might render the app unresponsive or result in unexpected process termination. 使用 SerializationBinder 或任何其他 BinaryFormatter 配置开关都无法缓解此类攻击。This category of attack cannot be mitigated with a SerializationBinder or any other BinaryFormatter configuration switch. .NET 认为此行为是设计使然,因此不会发布代码更新来修改此行为。.NET considers this behavior to be by design and won't issue a code update to modify the behavior.

使用 BinaryFormatter.Deserialize 可能容易遭受其他攻击类别的攻击,如信息泄露或远程代码执行。BinaryFormatter.Deserialize may be vulnerable to other attack categories, such as information disclosure or remote code execution. 利用自定义 SerializationBinder 等功能可能不足以适当缓解这些风险。Utilizing features such as a custom SerializationBinder may be insufficient to properly mitigate these risks. 存在发现新漏洞的可能性,而 .NET 实际上无法为此发布安全更新。The possibility exists that a novel vulnerability will be discovered for which .NET cannot practically publish a security update. 使用者应该评估其各个应用场景,并考虑他们遇到这些风险的可能性。Consumers should assess their individual scenarios and consider their potential exposure to these risks.

我们建议 BinaryFormatter 使用者对其应用执行单独的风险评估。We recommend that BinaryFormatter consumers perform individual risk assessments on their apps. 由使用者完全负责确定是否利用 BinaryFormatterIt is the consumer's sole responsibility to determine whether to utilize BinaryFormatter. 使用者应该对使用 BinaryFormatter 的安全性、技术、声誉、法律和监管要求进行风险评估。Consumers should risk assess the security, technical, reputation, legal, and regulatory requirements of using BinaryFormatter.

首选替代方法Preferred alternatives

.NET 提供了多个随附的序列化程序,可用于安全处理不受信任的数据:.NET offers several in-box serializers that can handle untrusted data safely:

危险的替代方法Dangerous alternatives

避免使用以下序列化程序:Avoid the following serializers:

上述序列化程序都执行不受限制的多态反序列化,并且会带来风险,就像 BinaryFormatter 一样。The preceding serializers all perform unrestricted polymorphic deserialization and are dangerous, just like BinaryFormatter.

假设数据值得信任的风险The risks of assuming data to be trustworthy

通常,应用开发人员可能会认为他们只是在处理受信任的输入。Frequently, an app developer might believe that they are processing only trusted input. 在一些罕见的情况下,可实现真正的安全输入。The safe input case is true in some rare circumstances. 但更常见的情况是,有效负载跨越了信任边界,而开发人员却没有意识到这一点。But it's much more common that a payload crosses a trust boundary without the developer realizing it.

考虑本地服务器,员工在其中使用其工作站的桌面客户端与服务进行交互。Consider an on-prem server where employees use a desktop client from their workstations to interact with the service. 这个场景可能被天真地视为可以接受使用 BinaryFormatter 的“安全”设置。This scenario might be seen naïvely as a "safe" setup where utilizing BinaryFormatter is acceptable. 但是,这个场景为恶意软件提供了一个载体,使恶意软件能够访问单个员工的计算机,从而能够在整个企业中传播。However, this scenario presents a vector for malware that gains access to a single employee's machine to be able to spread throughout the enterprise. 该恶意软件可以利用企业使用 BinaryFormatter 造成的漏洞,从员工的工作站横向移动到后端服务器。That malware can leverage the enterprise's use of BinaryFormatter to move laterally from the employee's workstation to the backend server. 然后,它可以泄露公司的敏感数据。It can then exfiltrate the company's sensitive data. 此类数据可能包括商业机密或客户数据。Such data could include trade secrets or customer data.

还考虑使用借助 BinaryFormatter 来保持保存状态的应用。Consider also an app that uses BinaryFormatter to persist save state. 最初看来这似乎是一个安全的方案,因为在你自己的硬盘驱动器上读写数据威胁较低。This might at first seem to be a safe scenario, as reading and writing data on your own hard drive represents a minor threat. 但是,通过电子邮件或 Internet 共享文档是很常见的,并且大多数最终用户不会认为打开这些下载的文件属于危险行为。However, sharing documents across email or the internet is common, and most end users wouldn't perceive opening these downloaded files as risky behavior.

攻击者可以利用此场景来制造恶意结果。This scenario can be leveraged to nefarious effect. 如果应用是一款游戏,则共享保存文件的用户会在不知情的情况下面临风险。If the app is a game, users who share save files unknowingly place themselves at risk. 开发者自身也可能成为目标。The developers themselves can also be targeted. 攻击者可能会通过电子邮件向开发者的技术支持人员发送电子邮件,并添加恶意数据文件作为附件,然后要求支持人员打开该文件。The attacker might email the developers' tech support, attaching a malicious data file and asking the support staff to open it. 这种攻击可以为攻击者提供一个在企业中的据点。This kind of attack could give the attacker a foothold in the enterprise.

另一种场景是数据文件存储在云存储空间中,并在用户的计算机之间自动同步。Another scenario is where the data file is stored in cloud storage and automatically synced between the user's machines. 能够访问云存储帐户的攻击者可以对数据文件进行病毒攻击。An attacker who is able to gain access to the cloud storage account can poison the data file. 此数据文件将自动同步到用户的计算机。This data file will be automatically synced to the user's machines. 用户下一次打开数据文件时,攻击者的有效负载就会运行。The next time the user opens the data file, the attacker's payload runs. 因此,攻击者可以利用云存储帐户泄露来获得完整的代码执行权限。Thus the attacker can leverage a cloud storage account compromise to gain full code execution permissions.

考虑从桌面安装模型迁移到云优先模型的应用。Consider an app that moves from a desktop-install model to a cloud-first model. 此场景包括从桌面应用或丰富客户端模型迁移到基于 Web 的模型的应用。This scenario includes apps that move from a desktop app or rich client model into a web-based model. 任何为桌面应用绘制的威胁模型都不一定适用于基于云的服务。Any threat models drawn for the desktop app aren't necessarily applicable to the cloud-based service. 桌面应用的威胁模型可能会消除某个给定的威胁,因为“客户端对攻击自己不感兴趣”。The threat model for the desktop app might dismiss a given threat as "not interesting for the client to attack itself." 但是,当考虑到远程用户(客户端)攻击云服务本身时,同样的威胁可能会变得有意义。But that same threat might become interesting when it considers a remote user (the client) attacking the cloud service itself.

备注

通常,序列化的目的是将对象传入或传出应用。In general terms, the intent of serialization is to transmit an object into or out of an app. 威胁建模练习几乎始终将此类数据传输标记为跨越信任边界。A threat modeling exercise almost always marks this kind of data transfer as crossing a trust boundary.

其他资源Further resources