Protocol Buffers SystemParameters rules materialization DoS PoC

This repository contains a benign security research PoC for a protobuf binary artifact that drives large repeated-message materialization during google.api.system_parameter_pb2.SystemParameters.ParseFromString(...).

Files:

  • control_one_rule.pb
  • malicious_rules_5000000.pb
  • reproduce.py

Observed behavior:

  • both artifacts are 10,000,000 bytes
  • control artifact:
    • parses successfully with one rules entry
  • malicious artifact:
    • parses successfully with 5,000,000 rules entries
    • increases peak RSS by about 252084 kB in local clean-process replay
    • takes about 11.30x the control parse time

Tested runtime:

  • protobuf==7.35.1
  • Python: /usr/bin/python3

Public files:

  • https://huggingface.co/hacnho/protobuf-systemparameters-rules-dos-poc/resolve/main/control_one_rule.pb
  • https://huggingface.co/hacnho/protobuf-systemparameters-rules-dos-poc/resolve/main/malicious_rules_5000000.pb
  • https://huggingface.co/hacnho/protobuf-systemparameters-rules-dos-poc/resolve/main/reproduce.py

Reproduction:

python3 reproduce.py
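
A pre-parse guard against the materialization listed under "Observed behavior", as an added example that is not part of this repository: it walks the top-level wire format and counts rules entries (field 1) without building message objects, so oversized input can be rejected before ParseFromString runs. The names count_field, safe_to_parse and MAX_RULES, the limit value and the sample bytes are assumptions made for illustration.

```python
RULES_FIELD = 1     # SystemParameters.rules: repeated message, field number 1
MAX_RULES = 10_000  # hypothetical policy limit (assumption); tune per service

def _varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def count_field(buf, field_number, limit):
    """Count top-level entries of field_number; stop once limit is exceeded."""
    pos = count = 0
    while pos < len(buf):
        key, pos = _varint(buf, pos)
        number, wire_type = key >> 3, key & 7
        if wire_type == 0:      # varint
            _, pos = _varint(buf, pos)
        elif wire_type == 1:    # fixed 64-bit
            pos += 8
        elif wire_type == 2:    # length-delimited
            length, pos = _varint(buf, pos)
            pos += length
        elif wire_type == 5:    # fixed 32-bit
            pos += 4
        else:                   # groups are not used by this message
            raise ValueError(f"unsupported wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("field runs past end of buffer")
        if number == field_number and wire_type == 2:
            count += 1
            if count > limit:
                return count    # early exit; the caller rejects the input
    return count

def safe_to_parse(buf, limit=MAX_RULES):
    """True if buf is well-formed at top level and within the rules limit."""
    try:
        return count_field(buf, RULES_FIELD, limit) <= limit
    except ValueError:
        return False
# Constructed samples: one rule with selector "*", and 1,000 empty rules entries.
SAMPLE_ONE, SAMPLE_MANY = b"\x0a\x03\x0a\x01*", b"\x0a\x00" * 1000
```

The guard only bounds the top-level rules list; the repeated parameters field inside each rule would need the same count applied to the nested bytes.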