[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to main content

Python Deserialization Denial of Services Attacks and Their Mitigations

  • Chapter
  • First Online:
Computational Science/Intelligence & Applied Informatics (CSII 2018)

Part of the book series: Studies in Computational Intelligence ((SCI,volume 787))

Abstract

In recent years, many vulnerabilities in deserialization mechanisms are reported. Serialization is converting an object to a byte string, and deserialization is converting the byte string to the object. Pickle is a serialization/deserialization module in Python standard library. In the pickle module, specially-crafted data consumes huge memory in deserialization. There is a possibility that the memory consumption leads to deniable of services attacks. This paper precisely describes the DoS attacks and their mitigations.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
£29.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
GBP 19.95
Price includes VAT (United Kingdom)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
GBP 71.50
Price includes VAT (United Kingdom)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
GBP 89.99
Price includes VAT (United Kingdom)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
GBP 89.99
Price includes VAT (United Kingdom)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Collections—Commons Collections Security Reports. https://commons.apache.org/proper/commons-collections/security-reports.html. Accessed 31 March 2018

  2. Tomáš Polešovský. http://topolik-at-work.blogspot.jp/2016/04/java-deserialization-dos-payloads.html. Accessed 23 March 2018

  3. Java-Deserialization-Cheat-Sheet. https://github.com/topolik/ois-dos/. Accessed 23 March 2018

  4. Marco Slaviero—Sour Pickle. https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_Slides.pdf. Accessed 23 March 2018

  5. 12.1. Pickle Python object serialization—Python 3.5.5 documentation. https://docs.python.org/3.5/library/pickle.html#module-pickle. Accessed 23 March 2018

  6. cpython/pickletools.py at master—python/cpython. https://github.com/python/cpython/blob/master/Lib/pickletools.py. Accessed 23 March 2018

  7. cpython/pickle.py at master—python/cpython. https://github.com/python/cpython/blob/master/Lib/pickle.py. Accessed 23 March 2018

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Kousei Tanaka .

Editor information

Editors and Affiliations

Appendix

Appendix

1.1 Reply from Python Team

This subsection describes Python team’s reply to our report on the DoS attacks (Fig. 2).

Fig. 2
figure 2

Python team’s reply

1.2 Changelog of Python Built-in Objects

This subsection describes the change history of Python built-in objects. Our DoS attacks were found in Python 3.5.2 and reported to Python team. However the changelog of the version 3.6.0 says as follows (Fig. 3).

Fig. 3
figure 3

Dict object

This changelog is in python 3.6.0. An empty dictionary has reduced consumption memory with this change. However, an empty set consumes huge memory as in Python 3.5.2. The DoS attacks are still possible.

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer International Publishing AG, part of Springer Nature

About this chapter

Check for updates. Verify currency and authenticity via CrossMark

Cite this chapter

Tanaka, K., Saito, T. (2019). Python Deserialization Denial of Services Attacks and Their Mitigations. In: Lee, R. (eds) Computational Science/Intelligence & Applied Informatics. CSII 2018. Studies in Computational Intelligence, vol 787. Springer, Cham. https://doi.org/10.1007/978-3-319-96806-3_2

Download citation

Publish with us

Policies and ethics