What are the deficiencies of the built-in BinaryFormatter based .Net serialization?

What are the deficiencies of the built-in BinaryFormatter based .Net serialization? (Performance, flexibility, restrictions)

Please accompany your answer with some code if possible.

Example:

Custom objects being serialized must be decorated with the [Serializable] attribute or implement the ISerializable interface.

Less obvious example:

Anonymous types can not be serialized.

asked Mar 31 '09 21:03 by Sam Saffron

2 Answers

If you mean BinaryFormatter:

  • being based on fields, is very version intolerant; change private implementation details and it breaks (even just changing it to an automatically implemented property)
  • isn't cross-compatible with other platforms
  • isn't very friendly towards new fields
  • is assembly specific (metadata is burnt in)
  • is MS/.NET specific (and possibly .NET version specific)
  • isn't obfuscation-safe
  • isn't especially fast, and its output isn't small
  • doesn't work on light frameworks (CF?/Silverlight)
  • has a depressing habit of pulling in things you didn't expect (usually via events)

I've spent lots of time in this area, including writing a (free) implementation of Google's "protocol buffers" serialization API for .NET: protobuf-net.

This is:

  • smaller output and faster
  • cross-compatible with other implementations
  • extensible
  • contract-based
  • obfuscation safe
  • assembly independent
  • an open, documented standard
  • works on all versions of .NET (caveat: not tested on Micro Framework)
  • has hooks to plug into ISerializable (for remoting etc) and WCF
answered Oct 24 '22 20:10 by Marc Gravell
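The following is an added, constructed C# example (not code from the answer above or from protobuf-net) illustrating three of the listed deficiencies: the stream is field-based and assembly-specific (backing-field names and the assembly name are burnt in), an event silently pulls its subscribers into the serialized graph, and anonymous types are rejected. `Order`, `FixedOrder` and `Logger` are made-up names; the code assumes .NET Framework, since on .NET 5+ BinaryFormatter is obsolete (SYSLIB0011) and on .NET 8+ throws unless explicitly re-enabled.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;

// Constructed demo types (assumptions, not from the original answer).
[Serializable]
class Order
{
    public string Customer { get; set; }   // auto-property: its compiler-generated backing field name is serialized
    private int total;                     // private field: its name and value are serialized too
    public event EventHandler Shipped;     // delegate field: every subscriber becomes part of the object graph
    public Order(int total) { this.total = total; }
}
[Serializable]
class FixedOrder
{
    public string Customer { get; set; }
    [field: NonSerialized]                 // mitigation: exclude the event's delegate field from the payload
    public event EventHandler Shipped;
}
class Logger { public void OnShipped(object s, EventArgs e) { } }  // typical subscriber, not [Serializable]
static class Program
{
    static byte[] Serialize(object o)
    {
        using (var ms = new MemoryStream()) { new BinaryFormatter().Serialize(ms, o); return ms.ToArray(); }
    }
    static void Main()
    {
        var order = new Order(42) { Customer = "acme" };
        string dump = Encoding.ASCII.GetString(Serialize(order));
        // Field-based and assembly-specific: renaming the field or switching it to an auto-property breaks old payloads.
        Console.WriteLine(dump.Contains("<Customer>k__BackingField"));            // True
        Console.WriteLine(dump.Contains("total"));                                // True
        Console.WriteLine(dump.Contains(typeof(Order).Assembly.GetName().Name));  // True
        var logger = new Logger();
        order.Shipped += logger.OnShipped;   // the non-serializable subscriber is now reachable from the graph
        try { Serialize(order); }
        catch (SerializationException ex) { Console.WriteLine("event subscriber pulled in: " + ex.Message); }
        var fixedOrder = new FixedOrder { Customer = "acme" };
        fixedOrder.Shipped += logger.OnShipped;
        Serialize(fixedOrder);               // succeeds: subscribers are skipped thanks to [field: NonSerialized]
        try { Serialize(new { Id = 1 }); }   // anonymous types are not marked [Serializable]
        catch (SerializationException) { Console.WriteLine("anonymous type rejected"); }
    }
}
```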


Given any random object, it's very difficult to prove whether it really is serializable.

answered Oct 24 '22 20:10 by Joel Coehoorn