serde_traitobject

Crates.ioserde_traitobject
lib.rsserde_traitobject
version0.2.8
sourcesrc
created_at2018-07-23 22:28:56.909235
updated_at2022-11-25 15:44:55.835371
descriptionSerializable and deserializable trait objects. This library enables the serialization and deserialization of trait objects such that they can be sent between other processes running the same binary.
homepagehttps://github.com/alecmocatta/serde_traitobject
repositoryhttps://github.com/alecmocatta/serde_traitobject
max_upload_size
id75691
size83,195
Alec Mocatta (alecmocatta)

documentation

https://docs.rs/serde_traitobject

README

serde_traitobject

Crates.io MIT / Apache 2.0 licensed Build Status

📖 Docs | 💬 Chat

Serializable and deserializable trait objects.

This library enables the serialization and deserialization of trait objects so they can be sent between other processes running the same binary.

For example, if you have multiple forks of a process, or the same binary running on each of a cluster of machines, this library lets you send trait objects between them.

Any trait can be made (de)serializable when made into a trait object by adding this crate's Serialize and Deserialize traits as supertraits:

trait MyTrait: serde_traitobject::Serialize + serde_traitobject::Deserialize {
    fn my_method(&self);
}

#[derive(Serialize, Deserialize)]
struct Message {
    #[serde(with = "serde_traitobject")]
    message: Box<dyn MyTrait>,
}

// Woohoo, `Message` is now serializable!

And that's it! The two traits are automatically implemented for all T: serde::Serialize and all T: serde::de::DeserializeOwned, so as long as all implementors of your trait are themselves serializable then you're good to go.

There are two ways to (de)serialize your trait object:

  • Apply the #[serde(with = "serde_traitobject")] field attribute, which instructs serde to use this crate's serialize and deserialize functions;
  • The Box, Rc and Arc structs, which are simple wrappers around their stdlib counterparts that automatically handle (de)serialization without needing the above annotation;

Additionally, there are several convenience traits implemented that extend their stdlib counterparts:

These are automatically implemented on all implementors of their stdlib counterparts that also implement serde::Serialize and serde::de::DeserializeOwned.

use std::any::Any;
use serde_traitobject as s;

#[derive(Serialize, Deserialize, Debug)]
struct MyStruct {
    foo: String,
    bar: usize,
}

let my_struct = MyStruct {
    foo: String::from("abc"),
    bar: 123,
};

let erased: s::Box<dyn s::Any> = s::Box::new(my_struct);

let serialized = serde_json::to_string(&erased).unwrap();
let deserialized: s::Box<dyn s::Any> = serde_json::from_str(&serialized).unwrap();

let downcast: Box<MyStruct> = Box::<dyn Any>::downcast(deserialized.into_any()).unwrap();

println!("{:?}", downcast);
// MyStruct { foo: "abc", bar: 123 }

Security

This crate works by wrapping the vtable pointer with relative::Vtable such that it can safely be sent between processes.

This approach is not yet secure against malicious actors. However, if we assume non-malicious actors and typical (static or dynamic) linking conditions, then it's not unreasonable to consider it sound.

See here for ongoing work in rustc to make this safe and secure.

Validation

Three things are serialized alongside the vtable pointer for the purpose of validation:

  • the build_id (128 bits);
  • the type_id of the trait object (64 bits);
  • the type_id of the concrete type (64 bits).

At some point in Rust's future, I think it would be great if the latter could be used to safely look up and create a trait object. As it is, that functionality doesn't exist yet, so what this crate does instead is serialize the vtable pointer (relative to a static base), and do as much validity checking as it reasonably can before it can be used and potentially invoke UB.

The first two are checked for validity before usage of the vtable pointer. The build_id ensures that the vtable pointer came from an invocation of an identically laid out binary1. The type_id ensures that the trait object being deserialized is the same type as the trait object that was serialized. They ensure that under non-malicious conditions, attempts to deserialize invalid data return an error rather than UB. The type_id of the concrete type is used as a sanity check that panics if it differs from the type_id of the concrete type to be deserialized.

Regarding collisions, the 128 bit build_id colliding is sufficiently unlikely that it can be relied upon to never occur. The 64 bit type_id colliding is possible, see rust-lang/rust#10389, though exceedingly unlikely to occur in practise.

The vtable pointer is (de)serialized as a usize relative to the vtable pointer of this static trait object. This enables it to work under typical dynamic linking conditions, where the absolute vtable addresses can differ across invocations of the same binary, but relative addresses remain constant.

All together this leaves, as far as I'm aware, three soundness holes:

  • A malicious user with a copy of the binary could trivially craft a build_id and type_id that pass validation and gives them control of where to jump to.
  • Data corruption of the serialized vtable pointer but not the build_id or type_id used for validation, resulting in a jump to an arbitrary address. This could be rectified in a future version of this library by using a cipher to make it vanishingly unlikely for corruptions to affect only the vtable pointer, by mixing the vtable pointer and validation components upon (de)serialization.
  • Dynamic linking conditions where the relative addresses (vtable - static vtable) are different across different invocations of the same binary. I'm sure this is possible, but it's not a scenario I've encountered so I can't speak to its commonness.

1I don't think this requirement is strictly necessary, as the type_id should include all information that could affect soundness (trait methods, calling conventions, etc), but it's included in case that doesn't hold in practise; to provide a more helpful error message; and to reduce the likelihood of collisions.

Note

This crate currently requires Rust nightly.

License

Licensed under either of

at your option.

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Commit count: 101

cargo fmt