lua-l archive

> Even then, most of my networked processes don't keep user-supplied
> arbitrary strings long enough to let them accumulate.  Almost the only
> exception to this is HTTP processing, and then I always put nginx in
> front of it.  This hypothetical attack is just another reason to do
> that.

Calling hash collision attacks "hypothetical" is not doing anyone any favours at this point. As Xavier has shown it's very easy to generate colliding strings. It's also quite clear from running his code [and our own tests] that results can be pretty disastrous.

Keep in mind that now the cat's out of the proverbial bag, any amateur coder can write the tiny script necessary to try and wreak havoc on servers where Lua software does the processing. No botnet required anymore, period.

Anyone for whom attacks on their systems are "hypothetical" should go thank their lucky stars. Unfortunately, our servers are under attack at pretty much *all* times. These attacks are automated and come in *many* guises.

Perhaps scanning for hash collision weaknesses is not yet part of the better-known hack tools. But I'm afraid that it's merely a matter of time before this will be remedied.

Also, some people seem to feel that the issue only [...] comes up with user-facing systems and that simply screening HTTP headers or POSTed form values will divert disaster. Unfortunately, that's definitely not the case either...

As an example, consider a collection of back-end machines that use web services to orchestrate operations. These machines typically operate by exchanging copious amounts of data in XML format.

Now, what do you think will happen if a web service naively uses a Lua-driven parser to read and process this XML? How do you think putting anything in front of said web service will mitigate the issue?

> but simply devolving to the far slower and memory hungry hashtables of
> other languages is not a good strategy.

I suggested no such thing.

I mentioned examples of scripting languages that are trying to deal with the issue. I'm certain none of the teams behind these languages are jumping for joy that they've been forced to do so. But they do so nonetheless.

Alas, unlike these languages, hash tables are very integral to Lua...[!]

Ashwin.