Discussion BinaryFormatter Security

I think I get how the BinaryFormatter security issue could be exploited in a business PC environment, where unauthorized users could use it to possibly run malicious code on a PC.

But, In a single player game on a PC that is only being used by the person playing the game in question (which is the most likely scenario for most games), how exactly could the BinaryFormatter security issue manifest itself?

Been meaning to ask for a while, because I see this mentioned on many occasions, and have never yet seen an explanation.

I'm not advocating using BinaryFormatter over something like JSON in most cases, but the security issue isn't usually the main reason I would make that choice.

 

Sharing of save files is one possibility. If a game got popular enough, one could share a save file which instead damages a users computer.

Bottom line is there's no point risking it. There's no real benefit to using the binary formatter anyway.

 

That's a good point, which hadn't occurred to me and is the answer I was missing.

As I mentioned, there are plenty of other reasons to use something other than BinaryFormatter for saving data, I just couldn't think of how it could be exploited in the usage case described in my opening post.

 

Right, it may also depend on how and for what purpose the BinaryFormatter is used. If it's used to serialize data for network connections (which was it's original purpose as it's part of the Remoting protocol).

 

So what happens it gives the hacker access to remote procedure call and the ability to modify a script and create files or hijack system resource? If the game contains a script that runs here then the player can connect to another player?
What happens?
Why use binary formatter at all?

 

Other potential issues would be actual malware that infects save files of games..

 

I already guessed it could be an issue for multiplayer games, which is why I specified single player in my question.

I've developed multiplayer games myself and avoided the use of BinaryFormatter for serializing data because of the security issue.

 

So the binary formatter is for noobs, but a pro will format the binary in script themselves. And it will be specific. And secure. And not provide a general utility.

 

even if you still want binary saves, you can work around this just by using a more structured binary format of your own making. That can also result in faster loading and allow the save files to have a few other nice features like being seekable and, having built in checksums and easily being able to read metadata out of the save without loading the whole thing.

 

The

BinaryFormatter

resolves serialized data types using

Type.GetType

. When

Type.GetType

tries to resolve a type it will attempt to load the assembly that it belongs to. Assemblies can have "module initializers" which when they are loaded will be executed and they can contain any code.

https://stackoverflow.com/questions...call-type-gettype-with-an-untrusted-type-name
https://stackoverflow.com/questions...-deserialise-malicious-code/67107584#67107584