Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What are the deficiencies of the built-in BinaryFormatter based .Net serialization?

Tags:

.net

serialization

What are the deficiencies of the built-in BinaryFormatter based .Net serialization? (Performance, flexibility, restrictions)

Please accompany your answer with some code if possible.

Example:

Custom objects being serialized must be decorated with the [Serializable] attribute or implement the ISerializable interface.

Less obvious example:

Anonymous types can not be serialized.

like image 414
Sam Saffron Avatar asked Mar 31 '09 21:03

Sam Saffron

People also ask

Why is BinaryFormatter insecure?

BinaryFormatter uses violates 2.), which is a huge security risk because it makes possible to run any code.

Why is BinaryFormatter obsolete?

Due to security vulnerabilities in BinaryFormatter, the following methods are now obsolete and produce a compile-time warning with ID SYSLIB0011 . Additionally, in ASP.NET Core 5.0 and later apps, they will throw a NotSupportedException, unless the web app has re-enabled BinaryFormatter functionality.

What is the serialization in net How is it affecting to .NET programming?

Serialization is a process of converting an object into a stream of data so that it can be is easily transmittable over the network or can be continued in a persistent storage location. This storage location can be a physical file, database or ASP.NET Cache.

What are the different types of serialization supported in .NET framework?

There are three types of serialization in . Net : Binary Serialization, SOAP Serialization and XML Serialization. Binary serialization is the process where you convert your . NET objects into byte stream.

2 Answers

If you mean BinaryFormatter:

  • being based on fields, is very version intolerant; change private implementation details and it breaks (even just changing it to an automatically implemented property)
  • isn't cross-compatible with other platforms
  • isn't very friendly towards new fields
  • is assembly specific (metadata is burnt in)
  • is MS/.NET specific (and possibly .NET version specific)
  • isn't obfuscation-safe
  • isn't especially fast, or small output
  • doesn't work on light frameworks (CF?/Silverlight)
  • has a depressing habit of pulling in things you didn't expect (usually via events)

I've spent lots of time in this area, including writing a (free) implementation of Google's "protocol buffers" serialization API for .NET; protobuf-net

This is:

  • smaller output and faster
  • cross-compatible with other implementations
  • extensible
  • contract-based
  • obfuscation safe
  • assembly independent
  • is an open documented standard
  • works on all versions of .NET (caveat: not tested on Micro Framework)
  • has hooks to plug into ISerializable (for remoting etc) and WCF
like image 107
Marc Gravell Avatar answered Oct 24 '22 20:10

Marc Gravell

Given any random object, it's very difficult to prove whether it really is serializable.

like image 25
Joel Coehoorn Avatar answered Oct 24 '22 20:10

Joel Coehoorn
Sign in to Comment

Related questions

How to launch MS Edge from c# winforms?
Explain 2 pairs of parentheses in expression.Compile()()
Is there a good library for dealing with the Modbus protocol in .NET? [closed]
How to run NUnit programmatically
How do I tell if my application is running in an RDP session
Why is Visual Studio not able to open .csproj files?
Exception handling: Is finally executed after throw?
Is there a way to have CodeDom put using statements before the namespace
deobfuscator for .Net
WCF and optional parameters
How can I change the text of an existing ToolTip control, in a PictureBox in my WinForm application?
WPF - MVVM - ComboBox SelectedItem
Is a null value in .NET DateTime guaranteed to be less than a real value?
Why are PropertyInfo SetValue and GetValue so slow?
Default Filename SaveFileDialog
Run-time Exception System.BadImageFormatException
Connecting to Oracle using Oracle.ManagedDataAccess
.NET Core 3.1 loading config from appsettings.json for console application
Is there an equivalent to 'sscanf()' in .NET?
Get plain text from an RTF text

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!