- Subject: Re: Hash Table Collisions (n.runs-SA-2011.004)
- From: "Dimiter \"malkia\" Stanev" <malkia@...>
- Date: Fri, 30 Dec 2011 00:26:40 -0800
What would happen then is that such behaviour is detected, and the user
is banned (sometimes for a very long period).
On 12/29/11 4:01 PM, Eike Decker wrote:
2011/12/29 Gé Weijers <email@example.com>:
How about all those (online)games that somehow use Lua in their game?
Unless you can feed a *lot* of strings into the Lua game engine there should
not be any issue.
Never underestimate the power of n^2. Really.
However, online games are often more rigid in their protocols and you
might not be able to make requests that autofill tables with large
amounts of keys.
Chat services could however be vulnerable: Strings are interned
automatically in Lua - meaning they are stored in a hashtable if I am not
mistaken. Now if I send messages over a chat protocol, knowing that
messages are kept in memory for some time, I could "attack" the string
intern table by writing one message per time containing the
hashcolliding strings. That could indeed be troublesome.
Randomizing how the hashing works would be needed to prevent that from
happening. If the randomization isn't random enough however, an
attacker could test various strings and measure load times, trying
to estimate if he has hit a "nerve".
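
The detection idea raised in this message, as an added example that is not part of the original thread or of Lua's source: a chained intern table that charges every key comparison to the sender whose string caused it, and flags a sender once a budget is exceeded. The byte-sum `toy_hash`, the `BUDGET` value and all names are assumptions chosen for illustration; the traffic is constructed.

```c
#include <stdio.h>
#include <string.h>
enum { NBUCKETS = 64, MAXKEYS = 128, BUDGET = 100 };  /* BUDGET: assumed per-sender limit */
typedef struct {
    char key[MAXKEYS][8];
    int next[MAXKEYS], head[NBUCKETS], used;
    unsigned long cost[2];   /* key comparisons charged to each sender */
} Intern;

/* Toy stand-in hash (byte sum) so collisions are easy to see; not Lua's hash. */
static unsigned toy_hash(const char *s) {
    unsigned h = 0;
    while (*s) h += (unsigned char)*s++;
    return h % NBUCKETS;
}

/* Intern s on behalf of sender; returns 1 once that sender is over budget. */
static int intern_add(Intern *t, int sender, const char *s) {
    unsigned b = toy_hash(s);
    for (int i = t->head[b]; i != -1; i = t->next[i]) {
        t->cost[sender]++;   /* one strcmp per chain node walked */
        if (strcmp(t->key[i], s) == 0) return t->cost[sender] > BUDGET;
    }
    if (t->used < MAXKEYS) {   /* not found: link a new node at the chain head */
        snprintf(t->key[t->used], sizeof t->key[0], "%s", s);
        t->next[t->used] = t->head[b];
        t->head[b] = t->used++;
    }
    return t->cost[sender] > BUDGET;
}

/* Constructed traffic: sender 0's keys spread out, sender 1's all share one byte sum. */
static int simulate(Intern *t, int n) {
    int flagged = -1;        /* returns the flagged sender, or -1 if none */
    char k[3] = {0};
    memset(t, 0, sizeof *t);
    memset(t->head, 0xff, sizeof t->head);   /* every bucket starts empty (-1) */
    for (int i = 0; i < n; i++) {
        k[0] = (char)('A' + i); k[1] = 'A';
        if (intern_add(t, 0, k)) flagged = 0;
        k[0] = (char)('a' + i); k[1] = (char)('z' - i);
        if (intern_add(t, 1, k)) flagged = 1;
    }
    return flagged;
}

int main(void) {
    static Intern t;
    return printf("flagged sender: %d\n", simulate(&t, 24)) < 0;
}
```

With 24 keys each, the spread-out sender is charged no comparisons while the colliding sender is charged 0+1+...+23 = 276, which is the n^2 growth mentioned in the thread.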