In his talk "Remembering (ok, not really Sarah) Marshal" at RubyKaigi 2024, Samuel Giddins explores Marshal, Ruby's binary serialization format, covering its history, how it works, and its security implications. Giddins introduces himself as a maintainer of RubyGems with a focus on security in the Ruby ecosystem, and jokes about the difficulty of keeping an audience engaged with a topic as dry as a binary file format.

Key Points Discussed:

- **Introduction to Marshal**: Marshal is a binary format that has been part of Ruby for a long time, used to serialize Ruby object graphs into a compact byte stream.
- **Hex Dump Breakdown**: He walks through a hex dump of a small Marshal document byte by byte, which serves as the foundation for understanding the format's structure and components.
- **Tag-Length-Value Structure**: The talk examines Marshal's tag-length-value layout, contrasting it with more familiar text formats such as JSON and YAML, and surveys the data types Marshal supports, including strings, symbols, arrays, and more.
- **Security Concerns**: Giddins highlights the serious vulnerabilities that come with deserializing untrusted Marshal data, citing OWASP's deserialization guidance and past incidents in which deserialized objects were used to run malicious code.
- **The Need for Caution**: Because of these risks, he advises against using Marshal wherever untrusted data is involved and suggests alternatives such as JSON.
- **Exploration of SafeMarshal**: He presents his initiative to make Marshal safer through a new module, SafeMarshal, which adds checks and limits to prevent arbitrary code execution during deserialization. Although he cautions against widespread adoption because of its speed cost and limitations, he argues that it is still better than using the original Marshal on untrusted input.

Conclusion/Takeaways:

- Giddins closes by acknowledging the charm and utility of Marshal despite its drawbacks, encouraging users to take care when deserializing untrusted data and noting that the SafeMarshal approach may help mitigate some of the risks.
- The talk serves both as an informative exploration of Marshal and as a cautionary tale about security in serialization practices.