On Tue, Jan 03, 2012 at 07:26:03AM -0800, Mark Hamburg wrote:
> On Jan 3, 2012, at 6:21 AM, Javier Guerra Giraldez wrote:
> > On Mon, Jan 2, 2012 at 10:49 PM, Mark Hamburg wrote:
> >> Presumably the malicious data isn't going to survive a GC.
> > 
> > in the original paper, the danger is in hashtables with keys from the
> > network.  they would totally survive a GC.
> How? I'm assuming they are delivered as part of the HTTP header. Presumably most web servers wouldn't need to keep around the results of parsing headers from previous requests.

The paper describes but one simple attack in a whole class of attacks called
Computational Complexity Attacks. Devising a solution to address one single
instance doesn't make any sense.

Tables are *the* data structure in Lua, and these sorts of attacks apply to
_any_ network-generated data stored in shared tables.

Persistence is a red herring because it is relative to context. Persistence
means one thing with HTTP headers, another with HTTP session cookies, and
yet another with XYZ protocol.