My immediate reaction is why websocket based design and TCP (?) over gRPC with http/3 and UDP and multiplexing and such?
replies(6):
I’m a recent CS graduate. During the past few months I wrote BinaryRPC, an open-source RPC framework in modern C++20 focused on low-latency, binary WebSocket messaging.
Why I built it * Wanted first-class session support, pluggable QoS levels and a simple middleware chain (global, specific, multi handler) without extra JSON/XML parsing. * Easy developer experience
A quick feature list * Binary WebSocket frames – minimal overhead * Built-in session layer (login / reconnect / heartbeat) * QoS1 / QoS2 with automatic ACK & retry * Plugin system – rooms, msgpack, etc. can be added in one line * Thread-safe core: RAII + folly
Still early (solo project), so any feedback on design, concurrency model or missing must-have features would help a lot.
Thanks for reading!
also see "Chat Server in 5 Minutes with BinaryRPC": https://medium.com/@efecanerdem0907/building-a-chat-server-i...
* Works everywhere today (browsers, LB, PaaS) with zero extra setup. * One upgrade -> binary frames; no gRPC/proto toolchain or HTTP/3 infra needed. * Simple reliability: TCP handles ordering; I add optional QoS2 on top. * Lets me focus on session/room/middleware features first; transport is swappable later.
QUIC / gRPC-HTTP/3 is on the roadmap once the higher-level API stabilises.
- gRPC is not a library I would trust with safety or privacy. It's used a lot but isn't a great product. I have personally found several fuckups in gRPC and protobuf code resulting in application crashes or risks of remote code execution. Their release tagging is dogshit, their implementation makes you think the standard library and boost libraries are easy to read and understand, and neither takes SDLC lifecycles seriously since there aren't sanitizer builds nor fuzzing regime nor static analysis running against new commits last time I checked.
- http/3 using UDP sends performance into the crater, generally requiring _every_ packet to reach the CPU in userspace instead of being handled in the kernel or even directly by the network interface hardware
- multiplexing isn't needed by most websocket applications
I am a recent CS graduate and I work on this project alone. I chose WebSocket over TCP because it is small, easy to read, and works everywhere without extra tools. gRPC + HTTP/3 is powerful but adds many libraries and more code to learn.
When real users need QUIC or multiplexing, I can change the transport later. Your feedback helps me a lot.
I totally understand your reasoning behind leaning on websockets. You can test with a data channel in a browser app. But if we are talking low-latency, Superman fast, modern C++, RPC and forgeddaboutit. Look into handling an initial payload with credential negotiation outside of HTTP 1.1.
My current roadmap is:
1. Keep WebSocket as the “zero-config / browser-friendly” default. 2. Add a raw-TCP transport with a single-frame handshake: [auth-token | caps] → ACK → binary stream starts. 3. Later, test a QUIC version for mobile / lossy networks.
So users can choose: * plug-and-play (WebSocket) * ultra-low-latency (raw TCP)
Thanks for the nudge this will go on the transport roadmap.
Would be great if you report such remote code executions to the authors/Google. I am sure they handle CVEs etc. There has been a security audit like https://github.com/grpc/grpc/tree/master/doc/grpc_security_a...
> there aren't sanitizer builds nor fuzzing regime nor static analysis running against new commits last time I checked.
Are you making shit up as you go? I randomly picked a recently merged commit and this is the list of test suites ran on the pull request. As far as I recall, this has been the practice for at least 8 years+ (note the MSAN, ASAN, TSAN etc.)
I can see various fuzzers in the code base so that claim is also unsubstantiated https://github.com/grpc/grpc/tree/f5c26aec2904fddffb70471cbc...
Android (Internal CI) Kokoro build finished
Basic Tests C Windows Kokoro build finished
Basic Tests C# Linux Kokoro build finished
Basic Tests C# MacOS Kokoro build finished
Basic Tests C# Windows Kokoro build finished
Basic Tests C++ iOS Kokoro build finished
Basic Tests C/C++ Linux [Build Only] Kokoro build finished
Basic Tests ObjC Examples Kokoro build finished
Basic Tests ObjC iOS Kokoro build finished
Basic Tests PHP Linux Kokoro build finished
Basic Tests PHP MacOS Kokoro build finished
Basic Tests Python Linux Kokoro build finished
Basic Tests Python MacOS Kokoro build finished
Bazel Basic Tests for Python (Local) Kokoro build finished
Bazel Basic build for C/C++ Kokoro build finished
Bazel C/C++ Opt MacOS Kokoro build finished
Bazel RBE ASAN C/C++ Kokoro build finished
Bazel RBE Build Tests Kokoro build finished
Bazel RBE Debug C/C++ Kokoro build finished
Bazel RBE MSAN C/C++ Kokoro build finished
Bazel RBE Opt C/C++ Kokoro build finished
Bazel RBE TSAN C/C++ Kokoro build finished
Bazel RBE Thready-TSAN C/C++ Kokoro build finished
Bazel RBE UBSAN C/C++ Kokoro build finished
Bazel RBE Windows Opt C/C++ Kokoro build finished
Bloat Diff Kokoro build finished
Bloat Difference Bloat Difference
Clang Tidy (internal CI) Kokoro build finished
Distribution Tests C# Linux Kokoro build finished
Distribution Tests C# MacOS Kokoro build finished
Distribution Tests C# Windows Kokoro build finished
Distribution Tests Linux (standalone subset) Kokoro build finished
Distribution Tests PHP Linux Kokoro build finished
Distribution Tests PHP MacOS Kokoro build finished
Distribution Tests Python Linux Arm64 Kokoro build finished
Distribution Tests Ruby MacOS Kokoro build finished
Distribution Tests Windows (standalone subset) Kokoro build finished
EasyCLA EasyCLA check passed. You are authorized to contribute.
Grpc Examples Tests CPP Kokoro build finished
Memory Difference Memory Difference
Memory Usage Diff Kokoro build finished
Mergeable Mergeable Run has been Completed!
Migration Test MacOS Sonoma Kokoro build finished
ObjC Bazel Test Kokoro build finished
Portability Tests Linux [Build Only] (internal CI) Kokoro build finished
Portability Tests Windows [Build Only] (internal CI) Kokoro build finished
Sanity Checks (internal CI) Kokoro build finished
Tooling Tests Python Linux Kokoro build finished
Windows clang-cl with strict warnings [Build Only] Kokoro build finishedI wouldn't expect latency to be an issue for long lived connections, compared to TCP.
Compression helps but I think if you want to win over the embedded crowd, having a pure TCP alternative is going to be a huge win. That said, do NOT abandon the HTTP support, WebSockets are still extremely useful. WebRTC is too. ;)
gRPC uses HTTP/2, which has a Client/Server Stream API, to forgo the preamble. In the end though, ANY HTTP based protocol could be throttled by infrastructure in-between. TCP on the other hand, can be encrypted and sent without any preamble - just a protocol, and only L2/L3 can throttle.
I wasn't getting paid to fix their code, I have no interest in helping Google for free, and don't want to help Google.
> There has been a security audit like
A checkbox report from six years ago. That's ancient times at the pace that things are added to gRPC.
> Are you making shit up as you go?
No. This [0] repo I used to reproduce a stack smash issue before `main()`. I reported the issue here [1]. I don't get paid to fix Google's things and found a workaround for the purposes I needed.
[0]: https://github.com/keith-bennett-airmap/grpc-stacksmash
[1]: https://github.com/protocolbuffers/protobuf/issues/12732
> I can see various fuzzers in the code base so that claim is also unsubstantiated
Fuzzers are cool, but they don't cover the whole codebase.
It's generally unwise to use compression for encrypted transport such as TLS or HTTP/S.
Extraordinary claims need extraordinary evidence. Software can be buggy, for sure, but as you yourself acknowledge, gRPC is widely deployed at many companies that do offer bug bounties. I won't be surprised if folks can occasionally find exploits in it, but if as you suggest it is so easily exploitable to get remote code execution, you in fact should be able to collect many $$$ from not just Google, but Apple, Microsoft, and many more companies who deploy gRPC services at scale. Hard to find a nicer attack target than a network facing library that you have a zero-day RCE for. (Protobuf is an even more popular target and used by virtually all Google services.)
> No. This [0] repo I used to reproduce a stack smash issue before `main()`. I reported the issue here [1]. I don't get paid to fix Google's things and found a workaround for the purposes I needed.
As you have figured out yourself in the repo referred, the bug (not sure if exploitable or not) is from protobuf, a distinct library from gRPC, and appeared under certain compiler configurations. gRPC library does not even have a dependency on `libprotobuf`. It just happens to be the most popular format used jointly with gRPC. (It could be argued to be a bug in compiler conditions where abseil substitution of absl::string_view to std::string_view happens and is not fully compatible.)
Google also specifically pays for some open source project vulnerability reports (specifically covering Protobuf as an important target), so repeated claims of I am not getting paid otherwise I had dozens of exploits should be taken with a grain of salt and considered FUD: https://bughunters.google.com/about/rules/open-source/652133...
> Fuzzers are cool, but they don't cover the whole codebase.
You just went from the claim "they have no fuzzers or static analysis" to "fuzzers don't cover X". Of course, you cannot prove correctness by testing and fuzzing. Testing is not verification. Tests can only prove the existence of bugs, not their non-existence.
In any case, I would be really interested to see a comparable RPC stack that is close or more well-tested than gRPC...
Ahh yeah, bug bounties. The things that are notoriously underpaid if paid at all. The things that require many hours/days/weeks of work for a "maybe" payoff.
I'm sorry but I don't like the risk of spending so much time for free or significantly discounted. My time is worth more than that.
If these companies really want to lean on shit software, then that's their business. But I neither support nor condone it.
> gRPC library does not even have a dependency on `libprotobuf`
I see this espoused a lot. Have you tried building gRPC? It requires protobuf to build...
> You just went from the claim "they have no fuzzers or static analysis" to "fuzzers don't cover X"
And it's amazing that both claims are true. You linked some page where some fuzzers were run. Nice! Those fuzzers aren't enabled in default tests. So `make test` doesn't run them. Moreover `make test` didn't find any issues and would take a while so I commented it out.
> I would be really interested to see a comparable RPC stack
This has been a call since forever. But "RPC" is very loosely defined.
Realistically, almost anything that can serialize to/from a file without relying on knowing the file size can be adapted to socket-based RPC. There's thousands of libraries which can do that.
> that is close or more well-tested than gRPC
I'd rather have an "RPC" whose design is both well-documented and clearly readable. That's definitely not gRPC. HTTP is fairly well-documented and many implementations are clearly readable. Message queues are too. Even databases are generally better documented and usable for RPC. Did you know that POSIX has a specification for RPC?
Good documentation and clearly readable means "well tested" comes with much lower costs.