Protocol Buffers SystemParameterRule parameters materialization DoS PoC
This repository contains a benign security research PoC for a protobuf binary
artifact that drives large repeated-message materialization during
google.api.system_parameter_pb2.SystemParameterRule.ParseFromString(...).
Files:
- control_one_parameter.pb
- malicious_parameters_5000000.pb
- reproduce.py
Observed behavior:
- control artifact:
  - parses successfully with one parameters entry
- malicious artifact:
  - both files are 10,000,000 bytes
  - parses successfully with 5,000,000 parameters entries
  - increases peak RSS by about 369800 kB in local clean-process replay
  - takes about 15.38x the control parse time
Tested runtime:
- protobuf==7.35.1
- Python: /usr/bin/python3
Public files:
- https://huggingface.co/hacnho/protobuf-systemparameterrule-parameters-dos-poc/resolve/main/control_one_parameter.pb
- https://huggingface.co/hacnho/protobuf-systemparameterrule-parameters-dos-poc/resolve/main/malicious_parameters_5000000.pb
- https://huggingface.co/hacnho/protobuf-systemparameterrule-parameters-dos-poc/resolve/main/reproduce.py
Reproduction:
python3 reproduce.py
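Mitigation sketch, added here as an example and not part of this repository: a pre-parse guard that walks the top-level wire format and counts parameters entries without building any message objects, so a service can reject an oversized input before calling ParseFromString. It assumes parameters is field number 2 (as in google/api/system_parameter.proto); MAX_ENTRIES, the function names and the sample byte strings are constructed for illustration.

```python
PARAMETERS_FIELD = 2   # assumption: `parameters` field number in system_parameter.proto
MAX_ENTRIES = 10_000   # hypothetical policy limit; tune per service


def _read_varint(buf, pos):
    """Decode one base-128 varint starting at pos; return (value, new_pos)."""
    result = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift >= 70:  # more than 10 bytes is never a valid varint
            raise ValueError("varint too long")


def count_field(buf, field_number, limit):
    """Count top-level occurrences of field_number, stopping once limit is exceeded."""
    pos = count = 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field, wtype = tag >> 3, tag & 7
        if wtype == 0:                      # varint
            _, pos = _read_varint(buf, pos)
        elif wtype == 1:                    # fixed64
            pos += 8
        elif wtype == 2:                    # length-delimited: skip the payload
            length, pos = _read_varint(buf, pos)
            pos += length
        elif wtype == 5:                    # fixed32
            pos += 4
        else:                               # groups and unknown types: fail closed
            raise ValueError(f"unsupported wire type {wtype}")
        if pos > len(buf):
            raise ValueError("field runs past end of buffer")
        if field == field_number:
            count += 1
            if count > limit:               # early exit keeps the check cheap
                return count
    return count


def safe_to_parse(buf, limit=MAX_ENTRIES):
    return count_field(buf, PARAMETERS_FIELD, limit) <= limit


# Constructed samples: tag 0x12 (field 2, length-delimited) followed by length 0.
CONTROL = b"\x12\x00"
OVERSIZED = b"\x12\x00" * (MAX_ENTRIES + 1)
```

The guard only counts top-level entries of one field; a byte-size limit on the input is still needed, since the control and malicious files here are the same size and differ only in entry count.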