Поделиться через


Typed DataSet - Potential Performance And Security Risk

Are you using Typed DataSet as DTO (data transfer object)? Are you building distributed systems where the DTO goes back and forth including your Smart Client? If yes then I think you should be aware that the most of your DB schema can be easily revealed using my friends ILDASM and FindStr.

It is common pattern creating shared libraries that contain only data definitions. These libraries are shared/deployed usually to both client and the server.

In my example I created simple library called TypedDataSetSharedLibrary.dll. It holds Typed DataSet I generated from AdventureWorks sample database. I ran simple command line as follows:

ildasm.exe TypedDataSetSharedLibrary.dll /text | findstr /C:"ldstr" >"C:\TypedDataSetSharedLibrary.dll.Strings.txt"

Here is the fragment of what I see after opening the resulting file:

IL_00d7:  ldstr      "tableTypeName"
IL_00e4:  ldstr      "vEmployeeDataTable"
IL_001d:  ldstr      "The value for column 'Title' in table 'vEmployee' "
IL_001d:  ldstr      "The value for column 'MiddleName' in table 'vEmplo"
IL_001d:  ldstr      "The value for column 'Suffix' in table 'vEmployee'"
IL_001d:  ldstr      "The value for column 'Phone' in table 'vEmployee' "
IL_001d:  ldstr      "The value for column 'EmailAddress' in table 'vEmp"
IL_001d:  ldstr      "The value for column 'AddressLine2' in table 'vEmp"
IL_001d:  ldstr      "The value for column 'AdditionalContactInfo' in ta"
IL_0059:  ldstr      "XmlSchema"
IL_00a9:  ldstr      "vEmployee"
IL_00c9:  ldstr      "vEmployee"
IL_0031:  ldstr      "vEmployee"
IL_004f:  ldstr      "vEmployee"

It is clear that from such information an attacker may learn a lot about DB schema thus being able to craft her attacks more easily.

Why it is performance risk? Well, it is not but using this approach one could spot it.

Imagine that the above fragment only small representation of huge data set that travels the network. Recently I stumbled on such code. This simple check revealed that the code uses Typed DataSet of about 1000 columns. We assumed that this should be a problem from network throughput perspective and we ran some load tests using VSTS.

The result was pretty expected - almost all bandwidth was utilized by load of few simultaneous users.

Next time you design distributed system - take these into account.

Plus Dino Esposito once published another discussion around DataSets vs. Collections which might be useful too.

 

Enjoy

Comments

  • Anonymous
    July 26, 2007
    I am researching on best practices with WCF security in terms of "YOU SHOUD" vs "YOU CAN". While it is
  • Anonymous
    November 02, 2007
    Simple examination of IIS logs can reveal potential performance issues related to ASP.NET web applications,
  • Anonymous
    December 17, 2007
    This post walks through the steps I've taken to create simple Dynamic Data Web Application. I just loved
  • Anonymous
    January 21, 2008
    Care about performance? Do you write your code with performance in mind? Want little help to spot performance