{"version":"1.0","type":"rich","provider_name":"Acast","provider_url":"https://acast.com","height":250,"width":700,"html":"<iframe src=\"https://embed.acast.com/$/65de32896569fa0017d17653/68dfffa65f95c3d419672226?\" frameBorder=\"0\" width=\"700\" height=\"250\"></iframe>","title":"Deserial Killer (with Matt Schwager)","description":"<p>Jared sits down with Trail of Bits security engineer Matt Schwager to discuss the persistent security risks of Ruby’s Marshal library. Matt explains that while Marshal (and Python’s Pickle) makes serialization simple and fast for tasks like caching, its “serialize anything” design has led to over a decade of recurring vulnerabilities. Despite repeated patches, new bugs and exploitation gadgets keep surfacing, often hidden in defaults or legacy code, as seen in Rails caching and RubyGems.org. Matt argues that this reflects a fundamental trade-off between ergonomics and security, suggesting alternatives like JSON are safer, though less convenient. He highlights mitigation strategies such as documentation, static analysis, and fuzzing with his tool Ruzzy, while also pointing to broader Ruby risks like eval misuse, SSRF, and supply chain issues. Jared reflects on the cultural tension in Ruby between ease of use and security, wondering if safer defaults could help developers avoid these common pitfalls.</p><p><br></p><p><strong>Links:</strong></p><p><br></p><p><a href=\"https://blog.trailofbits.com/\" rel=\"noopener noreferrer\" target=\"_blank\">Trail of Bits Blog</a></p><p><a href=\"https://ruby-doc.org/core-3.2.2/Marshal.html\" rel=\"noopener noreferrer\" target=\"_blank\">Ruby Marshal documentation</a></p><p><a href=\"https://docs.python.org/3/library/pickle.html\" rel=\"noopener noreferrer\" target=\"_blank\">Python Pickle documentation</a></p><p><a href=\"https://www.json.org/json-en.html\" rel=\"noopener noreferrer\" target=\"_blank\">JSON</a></p><p><a href=\"https://yaml.org/\" rel=\"noopener noreferrer\" target=\"_blank\">YAML</a></p><p><a href=\"https://toml.io/en/\" rel=\"noopener noreferrer\" target=\"_blank\">TOML</a></p><p><a href=\"https://msgpack.org/\" rel=\"noopener noreferrer\" target=\"_blank\">MessagePack</a></p><p><a href=\"https://guides.rubyonrails.org/caching_with_rails.html\" rel=\"noopener noreferrer\" target=\"_blank\">Rails Caching Guide</a></p><p><a href=\"https://rubygems.org/\" rel=\"noopener noreferrer\" target=\"_blank\">RubyGems.org</a></p><p><a href=\"https://github.com/rubygems/rubygems\" rel=\"noopener noreferrer\" target=\"_blank\">RubyGems source on GitHub</a></p><p><a href=\"https://github.com/trailofbits/ruzzy\" rel=\"noopener noreferrer\" target=\"_blank\">Ruzzy on GitHub</a></p><p><a href=\"https://github.com/google/AFL\" rel=\"noopener noreferrer\" target=\"_blank\">AFL on GitHub</a></p><p><a href=\"https://semgrep.dev/r\" rel=\"noopener noreferrer\" target=\"_blank\">Semgrep Registry</a></p><p><a href=\"https://www.blackhat.com/us-17/briefings.html#breaking-github-enterprise\" rel=\"noopener noreferrer\" target=\"_blank\">Black Hat USA 2017 Talk</a></p><p><br></p><p><strong>Dead Code Podcast Links:</strong></p><p><br></p><p><a href=\"https://hachyderm.io/@deadcode\" rel=\"noopener noreferrer\" target=\"_blank\">Mastodon</a></p><p><a href=\"https://twitter.com/DeadCodePod\" rel=\"noopener noreferrer\" target=\"_blank\">X</a></p><p><strong>Jared’s Links:</strong></p><p><br></p><p><a href=\"https://supergood.social/@jared\" rel=\"noopener noreferrer\" target=\"_blank\">Mastodon</a></p><p><a href=\"https://twitter.com/jardonamron\" rel=\"noopener noreferrer\" target=\"_blank\">X</a></p><p><a href=\"https://www.twitch.tv/jardonamron\" rel=\"noopener noreferrer\" target=\"_blank\">twitch.tv/jardonamron</a></p><p><a href=\"https://jardo.dev\" rel=\"noopener noreferrer\" target=\"_blank\">Jared’s Newsletter &amp; Website</a></p><p><br></p><p><a href=\"https://docs.google.com/document/d/1_63CGay8pmmmR8vbXBP0MijkhzcFB9x7xZwup3_Tlto/edit?tab=t.0\" rel=\"noopener noreferrer\" target=\"_blank\">Episode Transcript</a></p><p><br></p>","author_name":"Jared Norman"}