Tom Eastman


Serialization formats aren’t toys

2.30pm Monday 21st October

Do you have an API? Do you accept input from users? Do you accept it in XML? What about YAML? Or maybe JSON? How safe are you? How sure are you?

It’s not in the OWASP Top 10, but you don’t have to look far to hear stories of security vulnerabilities involving the deserialization of user input. Why do they keep happening?

In this talk I’ll go over what the threat is, how you are making yourself vulnerable and how to mitigate the problem. I’ll cover the features (not bugs, features) of formats like XML, YAML, and JSON that make them surprisingly dangerous, and how to protect your code from them.

Because here’s the thing: If you are using, say, a compliant, properly implemented XML parser to parse your XML, you are NOT safe. Possibly quite the opposite.
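As an added illustration of that last point (example code, not from the talk): a standards-compliant XML parser will happily honour DOCTYPE and entity declarations, and those features are exactly what you do not want to process on behalf of an untrusted caller. The snippet below uses only the standard library's expat binding to refuse any document that declares a DOCTYPE, declares entities, or references an external entity, and it caps nesting depth. The `MAX_DEPTH` value and the sample documents are assumptions constructed for the example.

```python
"""Added example, not part of the original abstract: parse XML from an
untrusted source while refusing the parser features that make compliant
parsers dangerous (DTDs, entity declarations, external entity references).
Uses only the standard library's expat parser."""
import xml.parsers.expat

MAX_DEPTH = 32  # assumed limit for this example; tune to your schema


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document uses a feature we refuse to process."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse untrusted XML into a flat {element name: text} mapping.

    Rather than expanding entities and hoping for the best, any document that
    carries a DOCTYPE, an entity declaration or an external entity reference
    is rejected outright before it can be expanded. Nesting is also capped so
    a deeply nested document cannot exhaust the stack.
    """
    parser = xml.parsers.expat.ParserCreate()
    result = {}
    stack = []    # names of the currently open elements
    buffers = []  # character data collected for each open element

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declarations are not accepted from untrusted input")

    def reject_entity(*_args):
        raise UnsafeXMLError("entity declarations are not accepted from untrusted input")

    def reject_external(context, base, system_id, public_id):
        raise UnsafeXMLError("external entity references are not accepted")

    def start(name, attrs):
        if len(stack) >= MAX_DEPTH:
            raise UnsafeXMLError("document nesting exceeds %d levels" % MAX_DEPTH)
        stack.append(name)
        buffers.append([])

    def end(name):
        stack.pop()
        result[name] = "".join(buffers.pop()).strip()

    def chars(text):
        if buffers:  # ignore stray character data outside the root element
            buffers[-1].append(text)

    # Exceptions raised inside expat handlers abort the parse and propagate
    # out of parser.Parse(), so a single raise is enough to reject a document.
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars

    parser.Parse(data, True)
    return result


def is_safe_xml(data: bytes) -> bool:
    """True if the document parses under the restrictions above; False if it
    was rejected as unsafe or is simply not well-formed."""
    try:
        parse_untrusted_xml(data)
    except (UnsafeXMLError, xml.parsers.expat.ExpatError):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    print(parse_untrusted_xml(b"<user><name>alice</name><role>admin</role></user>"))
    print(is_safe_xml(b'<!DOCTYPE d [<!ENTITY e "x">]><d>&e;</d>'))  # False: DOCTYPE refused
    print(is_safe_xml(b"<a>" * 40 + b"</a>" * 40))                   # False: too deep
```

The design choice worth noting is that the handlers reject rather than neutralise: a DOCTYPE in API input is almost never legitimate, so refusing it is simpler and easier to audit than trying to expand entities safely. The same "turn the feature off" stance applies to YAML (use a loader that only constructs plain data types) and to JSON (reject anything outside the data you expect).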

Using Cython for distributed-multiprocess steganographic md5sum-collision generation. For… reasons

4.30pm Tuesday 22nd October

Cython is brilliant: it looks like Python but compiles to native C. It can be used as a simple way of writing lightning-fast C extensions for Python, or as a simple means of hooking into already-existing C libraries. If you are writing CPU-intensive applications, like, say, hypothetically, cracking one-way cryptographic functions, Cython is a perfect mixture of simple expressiveness while making sure the ‘inner loop’ of your code is running as close to the bare metal as possible.

And that’s all this talk will be about, honest.

Why are you looking at me like that?


Tom is a senior Python developer and technical lead for Catalyst IT, New Zealand’s largest company specialising in open source. Prior to that he worked as a developer and system administrator for the University of Otago Faculty of Medicine and as a Computer Science tutor for same.

