speedy icon indicating copy to clipboard operation
speedy copied to clipboard
verified publisher icon koute

Please include this informatin in the README

Open dpc opened this issue 3 years ago • 1 comments

Hi,

I'm considering using speedy but I need to confirm certain important properties:

  • stable? (can store long term data and expect they will encode with future versions)
  • safe to use against (possibly) malicious data?
  • deterministic and non-malleable (only one valid and accepted encoding for any value - important in certain cryptographic contexts)?

dpc avatar Dec 23 '22 23:12 dpc

stable? (can store long term data and expect they will encode with future versions)

Yes. (Actually, this is already mentioned in the readme.)

safe to use against (possibly) malicious data?

Mostly yes, but not entirely. 1) It trusts the lengths of the Vecs/etc. it reads and tries to preallocate that much memory, so without adding a limit there it could be vulnerable to a DoS attack, 2) it assumes the lengths it reads are less than 8 exabytes (this allows some extra LLVM optimizations; not sure what exactly the consequences would be if this is violated), and 3) there's a certain amount of unsafe in there, and assuming it's bug free it should be safe, but I'd suggest fuzzying just in case.

deterministic and non-malleable (only one valid and accepted encoding for any value - important in certain cryptographic contexts)?

Mostly yes, but not entirely. bool is always encoded as 1 but can be any non-zero value when decoded (this also applies to Option's implicit bool). Beside that everything else should have only one possible encoding, IIRC.

koute avatar Dec 24 '22 04:12 koute