I recently wrote a question, Good IPC Message Protocols?, and wrote it badly. I know I wrote it badly because %90 of the answers weren't to the question I wanted to ask. Sigh... I accept full responsibility and beg my brethren and sistren's forbearance. Achem... And I'll give it another go.

SHORT VERSION: What's the best way to serialise a message so as to make it easy for the receiver to reject bad messages?

LONG VERSION:

I'm building a client server app on Linux. The server has root privileges and does special root-like things on behalf of the client. The client talks to humans and passes requests to the server. For the communication between the client and server I'm using unix domain sockets, so I don't need to worry about encryption and I can even limit access with file system permissions. This is all on one machine, no network required.

Authentication happens inside the server on behalf of the user. So, for instance, the user submits a username, password and request. This means I base my trust on the provided credentials, not any assumptions about the client.

My #1 priority is ensuring that baddies can not trick my server into doing bad things. I assume that baddies own my client and everything in it. When my client passes a request to my server, I want that request to come in a very very strict format. I don't want it to be so strict that I have to pre-code every possible interaction, but I want it strict. Again, I'm talking about the format of the messages themselves, not the carrier protocol.

Said another way, if my server does SQL on behalf of the client, I really really don't want SQL injection attacks to happen.

I want to find the best way to serialize it so as to minimize the chance that I'll un-serialize it wrong. YAML, SOAP, etc... are good possibilities, but they're pretty broad and I think can get better security with something simpler and stricter.

Okay, I'm going to stop now. Hopefully this makes sense this time...

Thank you! If you've read this far, you are a hero!

--Pileofrogs

In reply to IPC Messages Redux by pileofrogs

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.