Commit e2e412a0 authored by Kenton Varda

Fight common misconception that Cap'n Proto doesn't validate input.

parent b0599220
......@@ -173,6 +173,32 @@ and then put them together as a list later, because struct lists are encoded as
struct values, not an array of pointers to struct values. You can, however, allocate any inner
objects embedded within those structs as orphans.
## Security
### Is Cap'n Proto secure?
What is your threat model?
### Sorry. Can Cap'n Proto be used to deserialize malicious messages?
Cap'n Proto's serialization layer is designed to be safe against malicious input. The Cap'n Proto implementation should never segfault, corrupt memory, leak secrets, execute attacker-specified code, consume excessive resources, etc. as a result of any sequence of input bytes. Moreover, the API is carefully designed to avoid putting app developers into situations where it is easy to write insecure code -- we consider it a bug in Cap'n Proto if apps commonly misuse it in a way that is a security problem.
With all that said, Cap'n Proto's C++ reference implementation has not yet undergone a formal security review. It may have bugs.
### Is it safe to use Cap'n Proto RPC with a malicious peer?
Cap'n Proto's RPC layer is explicitly designed to be useful for interactions between mutually-distrusting parties. Its capability-based security model makes it easy to express complex interactions securely.
At this time, the RPC layer is not robust against resource exhaustion attacks, possibly allowing denials of service.
### Is Cap'n Proto encrypted?
Cap'n Proto may be layered on top of an existing encrypted transport, such as TLS, but at this time it is the application's responsibility to add this layer. We plan to integrate this into the Cap'n Proto library proper in the future.
### How do I report security bugs?
Please email [security@sandstorm.io](mailto:security@sandstorm.io).
## Sandstorm
### How does Cap'n Proto relate to Sandstorm.io?
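Review bot: the answer to "Can Cap'n Proto be used to deserialize malicious messages?" promises that the implementation should never "consume excessive resources ... as a result of any sequence of input bytes", while the RPC answer two entries later says the RPC layer "is not robust against resource exhaustion attacks, possibly allowing denials of service". As written, a reader cannot tell whether the first guarantee is meant for the serialization layer only; suggest scoping it explicitly ("The serialization layer should never ...") and adding a cross-reference from that answer to the RPC caveat. Minor: the heading "### Sorry. Can Cap'n Proto be used to deserialize malicious messages?" carries the joke from the previous answer into any generated table of contents; consider keeping "Sorry." in the body and leaving the heading as the plain question.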
......@@ -40,9 +40,19 @@ extremely fast Cap'n-Proto-specific compression scheme to remove them. Cap'n Pro
it's still faster.
When bandwidth really matters, you should apply general-purpose compression, like
[zlib](http://www.zlib.net/) or [Snappy](https://code.google.com/p/snappy/), regardless of your
[zlib](http://www.zlib.net/) or [LZ4](https://github.com/Cyan4973/lz4), regardless of your
encoding format.
**_Isn't this all horribly insecure?_**
No no no! To be clear, we're NOT just casting a buffer pointer to a struct pointer and calling it a day.
Cap'n Proto generates classes with accessor methods that you use to traverse the message. These accessors validate pointers before following them. If a pointer is invalid (e.g. out-of-bounds), the library can throw an exception or simply replace the value with a default / empty object (your choice).
Thus, Cap'n Proto checks the structural integrity of the message just like any other serialization protocol would. And, just like any other protocol, it is up to the app to check the validity of the content.
Cap'n Proto was built to be used in [Sandstorm.io](https://sandstorm.io), where security is a major concern. As of this writing, Cap'n Proto has not undergone a security review, therefore we suggest caution when handling messages from untrusted sources. That said, our response to security issues was once described by security guru Ben Laurie as ["the most awesome response I've ever had."](https://twitter.com/BenLaurie/status/575079375307153409) (Please report all security issues to [security@sandstorm.io](mailto:security@sandstorm.io).)
**_Are there other advantages?_**
Glad you asked!
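Review bot: the "Isn't this all horribly insecure?" answer says an invalid pointer can either throw an exception or be replaced with a default / empty object "(your choice)", but does not say where that choice is made; suggest naming the option or linking to the API documentation so the reader is not left guessing. The same answer states that the library checks structural integrity and leaves content validity to the app, but it does not carry the resource-exhaustion caveat that the FAQ hunk in this same commit adds for the RPC layer, so a reader of the encoding page alone could conclude that untrusted input is fully safe; one sentence pointing at the FAQ's Security section would close that gap. Unrelated to the security text: this hunk also swaps the Snappy link for LZ4 in the bandwidth paragraph, which the commit message ("Fight common misconception that Cap'n Proto doesn't validate input.") does not mention; consider noting it in the message or splitting it into its own commit.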