Migrated to MessagePack instead of BinaryFormatter

[grazy27]

Overview

This PR replaces BinaryFormatter serialization with the MessagePack library.
I was unable to contribute to #1166, so I’ve opened a new one.

Replacing BinaryFormatter addresses a range of issues, including:

• .NET 9 compatibility: Upgrading to .NET 9 requires a separate NuGet package, but this package is incompatible with .NET Framework 4.8, which is also targeted by the project.
• Dotnet.Interactive incompatibility: Using Dotnet.Interactive result in a smth like BinarySerializationDisabled exception. The only workaround currently is adding:

  AppContext.SetSwitch("System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization", true);

  to the beginning of the notebook. It doesn't work each time, it's hard to troubleshoot Dotnet.Interactive, since these exceptions constantly arise and prevent UDFs from execution.
• Deprecation: BinaryFormatter has been abandoned and is officially deprecated.

Compatibility Considerations

To ensure better compatibility with existing .NET types and reduce coupling with MessagePack, I opted to retain the Serializable and NonSerialized attributes.

One limitation of MessagePack is its handling of types with constructors containing parameters. If parameter names do not match the corresponding property or field names (e.g., a property _value and a constructor argument value), the parameters will not be automatically matched.

In such cases a default, parameterless constructor is required. If no default constructor is found, MessagePack throws a descriptive exception.

This PR fixes #1131.

---

Security Considerations

Using MessagePack improves serialization security by addressing common vulnerabilities associated with BinaryFormatter. Key points include:

1. Safe Deserialization:

   • MessagePack does not support arbitrary executable code. It can only serialize and deserialize objects and their properties. Delegates are not supported by design.
   • Data exchange occurs exclusively between the Driver and Worker, ensuring that the input being deserialized is the same as what was serialized by the application.

2. Typeless Mode:

   • Typeless mode is only used for deserializing custom objects. For primitives, an optimized serialization format is used, which adds a single byte for type information rather than serializing the entire System.Type.

3. Restricted Type Resolution:

   • The binary payload includes only type descriptions, not definitions.
   • This ensures that only types known to the application domain or located in the deserializing side’s probing paths can be deserialized, preventing malicious derived types from executing custom logic.

4. Mitigation of RCE (Remote Code Execution) Risks:

   • MessagePack Enhanced Security Mode is enabled to filter object types and disallow known vulnerable ones.
   • A custom filter is implemented to restrict deserialization to:
     • Simple types (primitives, collections, etc.)
     • Types explicitly marked with the [Serializable] attribute.

For reference, here’s an overview paper on potential RCE attack vectors with typeless MessagePack deserialization:
Generating Deserialization Payloads for MessagePack-C# Typeless Mode

[grazy27]

Otherwise messagePack cannot instantiate an ExternalClass instance, as it doesn't know what to use for argument.
We can either create a default parameter-less constructor, or rename field to match ctor argument name.

[wudanzy]

/AzurePipelines run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[wudanzy]

Just come back from Chinese New Year.

Hi @grazy27, I see #1166 says do not merge this PR. #1166 (comment)

Could you please summarize what was the blocker before and if that has been resolved in this PR?

[SparkSnail]

Why use the pre-release version?

[grazy27]

Thanks for noticing, I didn't see that checkbox 'Include pre-release' was checked

[grazy27]

Bumped up to the latest release one

[grazy27]

Aha, it seems like we don't have latest msgPack version in the Arcade nuget sources, and we don't have standard nuget.org enabled in nuget.config. And that version must have been the latest available in those feeds.

I'll have a look how to handle it, either choose existing in those sources version or add nuget.org to package sources

[grazy27]

Hello, @SparkSnail @wudanzy,

It turns out there's no release MessagePack 3 in feeds recommended by Arcade project.
It seems to be some internal Microsoft strategy, since there's no nuget.org feed in any of dotnet** projects. Example of removing commit

There's this pre-prelease 3.0.214 and release 2.5

There were breaking changes between 3.0 and 2.5, 2.5 has different API and requires additional efforts for making it work - and we'll have to spend more efforts to migrate back up when it appears.

I suggest using pre-prelease 3.0, as since it's already in the feed it must have passed some internal review. And if you know who can be reached out to include release 3.* version to the dotnet-public feed, your help would be appreciated

[wudanzy]

I see, if there's no security concerns, that's fine to me.

[SparkSnail]

that's fine, we can upgrade it in the future.

[grazy27]

Just come back from Chinese New Year.

Hi @grazy27, I see #1166 says do not merge this PR. #1166 (comment)

Could you please summarize what was the blocker before and if that has been resolved in this PR?

Hello, @wudanzy, welcome back!

The comment not to merge refers to a few reasons:

1. The PR is not fully completed and doesn't function properly

See my review comments inside.

2. A Microsoft dev pointed out that both BinarySerializer and MessagePack.Typeless are considered RCE-vulnerable and require additional approval from a manager.

For this one, I performed threat modeling and spent extra effort restricting and limiting serialization. Even though we control both serialization and deserialization sides, I ensured that it's not possible to serialize executable code or a custom class that the deserializing part doesn't recognize. Additionally, we can only serialize classes marked as Serializable, which limits known types. The MsgPack blacklist of dangerous classes is explicitly enabled in this PR.

Since Microsoft released a new NuGet package after pr was created, the author suggested skipping this PR entirely.

However, I later found that continuing with BinarySerializer caused too many other issues (see PR description). So, I fixed the existing problems, added additional security measures, changed required attributes from MessagePack to .NET standard ones and raised this PR.

[SparkSnail]

/AzurePipelines run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[wudanzy]

Hi @grazy27, thanks for picking this up and make it proceed!

[wudanzy]

How this is going to be used?

[grazy27]

If there's no 'System.Serializable' attribute defined, we won't allow deserialization. Mimics behavior of binarySerializer

[wudanzy]

Do we have a unit test to cover this?

[grazy27]

Yep

We haven't tested internal MessagePack rules, but that's covered inside messagepack itself

[wudanzy]

/AzurePipelines run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).