Abstract
In recent years, many vulnerabilities in deserialization mechanisms have been reported. Serialization converts an object to a byte string, and deserialization converts the byte string back to the object. Pickle is the serialization/deserialization module in the Python standard library. In the pickle module, specially crafted data consumes a huge amount of memory during deserialization, and this memory consumption can lead to denial of service attacks. This paper precisely describes the DoS attacks and their mitigations.
Appendix
1.1 Reply from Python Team
This subsection describes the Python team's reply to our report on the DoS attacks (Fig. 2).
1.2 Changelog of Python Built-in Objects
This subsection describes the change history of Python built-in objects. Our DoS attacks were found in Python 3.5.2 and reported to the Python team. However, the changelog of version 3.6.0 says the following (Fig. 3).
This changelog is for Python 3.6.0. With this change, an empty dictionary consumes less memory. However, an empty set still consumes as much memory as in Python 3.5.2, so the DoS attacks remain possible.
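The abstract and this appendix both point at the same defensive need: data from an untrusted source should be inspected before pickle builds any objects from it, because by the time memory is exhausted it is too late to refuse. The following is an added example written for this page, not code from the authors or from CPython. It walks the opcode stream with the standard-library pickletools.genops (which builds no objects) and rejects a payload that is too large, contains more opcodes than a budget allows, or carries code-loading opcodes that plain data never needs; only a payload that passes is handed to an Unpickler whose find_class refuses every global. The byte and opcode limits, the FORBIDDEN_OPCODES set, the function names and the sample inputs are all assumptions of this example, to be tuned to the data a given application really expects.

```python
import io
import pickle
import pickletools

# Assumed limits for this example; a real deployment sets them from the size
# and shape of the data it legitimately expects to receive.
MAX_BYTES = 1 << 20      # refuse payloads over 1 MiB before parsing anything
MAX_OPS = 10_000         # refuse streams with more than this many opcodes

# Opcodes that import or call code, or build arbitrary objects. Plain data
# (dict/list/set/str/int/...) never needs them, so a data-only consumer can
# reject the stream as soon as one appears.
FORBIDDEN_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD", "INST", "OBJ",
    "NEWOBJ", "NEWOBJ_EX", "EXT1", "EXT2", "EXT4",
}


def inspect_pickle(data, max_ops=MAX_OPS, max_bytes=MAX_BYTES):
    """Scan the opcode stream without constructing objects.

    Returns (ok, reason, counts) where counts maps opcode names to how often
    they were seen before the scan stopped.
    """
    counts = {}
    if len(data) > max_bytes:
        return False, "payload larger than %d bytes" % max_bytes, counts
    seen = 0
    try:
        # genops yields (opcode, argument, byte offset); it never calls
        # constructors, so a hostile stream cannot allocate objects here.
        for opcode, _arg, pos in pickletools.genops(data):
            seen += 1
            counts[opcode.name] = counts.get(opcode.name, 0) + 1
            if opcode.name in FORBIDDEN_OPCODES:
                return False, "forbidden opcode %s at offset %s" % (opcode.name, pos), counts
            if seen > max_ops:
                return False, "more than %d opcodes" % max_ops, counts
    except ValueError as exc:
        # genops raises ValueError on an unknown opcode or a stream that ends
        # before STOP.
        return False, "malformed pickle: %s" % exc, counts
    return True, "ok", counts


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global, so even a stream that
    slipped past the opcode scan cannot import a module or call a callable."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError("global %s.%s is not allowed" % (module, name))


def safe_loads(data, **limits):
    """Inspect first, then deserialize with the restricted unpickler."""
    ok, reason, _counts = inspect_pickle(data, **limits)
    if not ok:
        raise pickle.UnpicklingError(reason)
    return DataOnlyUnpickler(io.BytesIO(data)).load()


def rejects(data, **limits):
    """True if safe_loads refuses the payload (used by the demo and tests)."""
    try:
        safe_loads(data, **limits)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: ordinary data, then a stream whose opcode
    # count far exceeds the budget (a list of many empty sets, which protocol 4
    # encodes as one EMPTY_SET plus one MEMOIZE opcode each).
    small = pickle.dumps({"user": "alice", "tags": ["a", "b"]}, protocol=4)
    bulky = pickle.dumps([set() for _ in range(20_000)], protocol=4)
    print("small payload:", inspect_pickle(small)[:2], "->", safe_loads(small))
    print("bulky payload:", inspect_pickle(bulky)[:2], "rejected:", rejects(bulky))
    print("protocol 2 set (uses GLOBAL):", inspect_pickle(pickle.dumps({1, 2}, protocol=2))[:2])
```

The scan is deliberately a pre-filter, not a proof of safety: genops bounds the number of opcodes but not the memory each one allocates, so the opcode budget and the byte limit must be chosen together from the application's own data, and the restricted find_class stays in place as the second layer for anything the scan does not anticipate.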
© 2019 Springer International Publishing AG, part of Springer Nature
Tanaka, K., Saito, T. (2019). Python Deserialization Denial of Services Attacks and Their Mitigations. In: Lee, R. (eds) Computational Science/Intelligence & Applied Informatics. CSII 2018. Studies in Computational Intelligence, vol 787. Springer, Cham. https://doi.org/10.1007/978-3-319-96806-3_2
DOI: https://doi.org/10.1007/978-3-319-96806-3_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-96805-6
Online ISBN: 978-3-319-96806-3
eBook Packages: Intelligent Technologies and Robotics (R0)