Starting with .NET 9, we no longer include an implementation of
\nBinaryFormatter in the runtime (.NET Framework remains unchanged). The APIs
\nare still present, but their implementation always throws an exception,
\nregardless of project type. Hence, setting the existing backwards compatibility
\nflag is no longer sufficient to use BinaryFormatter.<\/p>\n
In this blog post, I\u2019ll explain why this change was made and what options you
\nhave to move forward.<\/p>\n
You have two options to address the removal of BinaryFormatter\u2018s
\nimplementation:<\/p>\n
Migrate away from BinaryFormatter<\/strong>. We strongly recommend that you Note<\/strong><\/p>\n Please note that .NET Framework is unaffected by this change and continues to include an implementation of BinaryFormatter. However, we still strongly recommend to stop using BinaryFormatter from .NET Framework too, for the same reasons.<\/p><\/div>\n Any deserializer, binary or text, that allows its input to carry information We strongly believe that .NET should make it easy for customers to do the right Shipping a technology that is widely regarded as unsafe is counter to this goal. This removal was not a sudden change. Due to the known risks of using Since then, we have been on the path to removing BinaryFormatter, slowly 2020: BinaryFormatter Obsoletion Plan<\/a> In .NET 9 we removed all remaining in-box dependencies on BinaryFormatter and New code should not take a dependency on BinaryFormatter. For existing code, I\u2019ll explore these options in more detail below.<\/p>\n You should first investigate whether you can replace BinaryFormatter with Text-based<\/strong>. If a binary serialization format is not a requirement, you can JSON using\u202fSystem.Text.Json<\/a> Binary<\/strong> If a compact binary representation is important for your scenarios, MessagePack\u202fusing\u202fMessagePack for C#<\/a> Since DataContractSerializer honors the same attribute and interface as If your code doesn\u2019t control the serialization but only the deserialization (for using System.Formats.Nrbf;<\/p>\n void Read(Stream payload) if (rootObject is PrimitiveTypeRecord primitiveRecord) For more details, check out the Nrbf documentation<\/a>.<\/p>\n If you have explored the options and determined you can\u2019t migrate away from <PropertyGroup> <ItemGroup> The package replaces the in-box implementation of BinaryFormatter with a Since the BinaryFormatter API still exists and this package only replaces the Caution<\/strong><\/p>\n The compatibility package is not supported and unsafe. We strongly recommend Since the start of .NET Core we have been on a path of deprecating Starting with .NET 9, we no longer ship an implementation with the runtime. We The post BinaryFormatter removed from .NET 9<\/a> appeared first on .NET Blog<\/a>.<\/p>","protected":false},"excerpt":{"rendered":" Starting with .NET 9, we no longer include an implementation of BinaryFormatter in the runtime (.NET Framework remains unchanged). The […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[7],"tags":[],"class_list":["post-1183","post","type-post","status-publish","format-standard","hentry","category-dotnet"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/1183","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=1183"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/1183\/revisions"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=1183"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=1183"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=1183"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\ninvestigate options to stop using BinaryFormatter due to the associated
\nsecurity risks. The BinaryFormatter migration guide<\/a> lists
\nseveral options.
\nKeep using BinaryFormatter<\/strong>. If you need to continue using
\nBinaryFormatter in .NET 9, you need to depend on the unsupported
\nSystem.Runtime.Serialization.Formatters<\/a> NuGet package,
\nwhich restores the unsafe legacy functionality and replaces the throwing implementation.<\/p>\nWhat\u2019s the risk in using BinaryFormatter?<\/h2>\n
\nabout the objects to be created is a security problem waiting to happen. There
\nis a common weakness enumeration (CWE) that describes the issue: CWE-502
\n\u201cDeserialization of Untrusted Data\u201d<\/a>. BinaryFormatter, included in the
\nthe initial release of .NET Framework in 2002, is such a deserializer. We also
\ncover this in the BinaryFormatter security guide<\/a>.<\/p>\nWhy we removed BinaryFormatter<\/h2>\n
\nthing and hard, if not impossible, to do the wrong thing. We generally refer to
\nthis as the \u201cpit of success\u201d.<\/p>\n
\nAt the same time, we also have a responsibility to ensure customers can support
\nand move their existing code forward. We can\u2019t just remove widely used
\ncomponents from a .NET release, even when communicated long in advance. We also
\nneed a migration plan and stop gap options.<\/p>\n
\nBinaryFormatter, we excluded it from .NET Core 1.0. But without a clear
\nmigration path to using something safer, customer demand led to
\nBinaryFormatter being included in .NET Core 2.0.<\/p>\n
\nturning it off by default in multiple project types but letting consumers opt-in
\nvia flags if still needed for backward compatibility:<\/p>\n
\n2023: .NET 8 Update<\/a>: Implementation throws by default
\n2024: .NET 9 Update<\/a>: Announced intention of removal early in the release cycle
\n2024: .NET 9 Update<\/a>: Removal completed
\n2024: .NET 9 Breaking Change<\/a>: In-box BinaryFormatter implementation removed and always throws<\/p>\n
\nreplaced the implementation with one that always throws.<\/p>\nOptions to move forward<\/h2>\n
\nyou should first investigate alternatives to BinaryFormatter. In case you
\ndon\u2019t control the serializer but only perform deserialization, you can consider
\nonly reading the BinaryFormatter payload, without performing any
\ndeserialization. And if none of this works for you can bring the implementation
\nback by depending on an (unsupported) compatibility package<\/a>.<\/p>\nMigrate-Away<\/h3>\n
\nanother serializer. We have four recommendations:<\/p>\n
\nconsider using JSON or XML serialization formats. These serializers are
\nincluded in .NET and are supported by us.<\/p>\n
\nXML using\u202fSystem.Runtime.Serialization.DataContractSerializer<\/a><\/p>\n
\nthe following serialization formats and open-source serializers are
\nrecommended:<\/p>\n
\nProtocol Buffers\u202fusing\u202fprotobuf-net<\/a><\/p>\n
\nBinaryFormatter (namely [Serializable] and ISerializable), it\u2019s probably
\nthe easiest one to migrate to. If your migration goals include adopting a
\nmodern and performant serializer or a format with better cross-platform
\ninteroperability, the other options should be considered.<\/p>\nRead BinaryFormatter Payloads<\/h3>\n
\nuse the new NrbfDecoder<\/a> to read BinaryFormatter
\npayloads<\/a>. This allows you to read the encoded data without any
\ndeserialization. It\u2019s the equivalent of using a JSON\/XML reader without the
\ndeserializer:<\/p>\n
\n{
\n SerializationRecord rootObject = NrbfDecoder.Decode(payload);<\/p>\n
\n {
\n Console.WriteLine($”It was a primitive value: ‘{primitiveRecord.Value}'”);
\n }
\n else if (rootObject is ClassRecord classRecord)
\n {
\n Console.WriteLine($”It was a class record of ‘{classRecord.TypeName.AssemblyQualifiedName}’ type name.”);
\n }
\n else if (rootObject is SZArrayRecord<byte> arrayOfBytes)
\n {
\n Console.WriteLine($”It was an array of `{arrayOfBytes.Length}`-many bytes.”);
\n }
\n}<\/p>\nBinaryFormatter compatibility package<\/h3>\n
\nBinaryFormatter, you can also install the unsupported
\nSystem.Runtime.Serialization.Formatters<\/a> NuGet package and set the
\ncompatibility switch to true:<\/p>\n
\n <TargetFramework>net9.0<\/TargetFramework>
\n <EnableUnsafeBinaryFormatterSerialization>true<\/EnableUnsafeBinaryFormatterSerialization>
\n<\/PropertyGroup><\/p>\n
\n <PackageReference Include=”System.Runtime.Serialization.Formatters” Version=”9.0.0″ \/>
\n<\/ItemGroup><\/p>\n
\nfunctioning one, including its vulnerabilities and risks. It\u2019s meant as a
\nstopgap if you can\u2019t wait with migrating to .NET 9 while not having replaced the
\nusages of BinaryFormatter yet.<\/p>\n
\nin-box implementation you only need to reference it from application projects.
\nExisting code that is compiled against BinaryFormatter will continue to work.\n<\/p>\n
\nagainst taking a dependency on this package and to instead migrate away from
\nBinaryFormatter.<\/p><\/div>\nSummary<\/h2>\n
\nBinaryFormatter, due to its security risks<\/a>.<\/p>\n
\nrecommend that you migrate away from BinaryFormatter<\/a>. If that
\ndoesn\u2019t work for you can either start reading the binary payloads without
\ndeserializing<\/a> or you can take a dependency on the unsupported
\ncompatibility package<\/a>.<\/p>\n