[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: Real-World Impact of Hash DoS in Lua
- From: Rob Kendrick <rjek@...>
- Date: Fri, 20 Jan 2012 19:46:39 +0900
On Thu, Jan 19, 2012 at 10:11:11AM -0800, William Ahern wrote:
> On Thu, Jan 19, 2012 at 01:47:16PM +0000, John Graham-Cumming wrote:
> <snip>
> > 1. Randomize the hash seed. In the patch I developed I generate a new
> > unsigned int using rand() and store it in the global state and then use it
> > to initialize the hash value instead of the string length (as is done
> > today).
>
> rand() is anything but random. Likewise for random(). They're extremely
> predictable. You're going to have to go platform specific. For OpenBSD or OS
> X, for example, use arc4random(). For Linux use sysctl() and mib[] = {
> CTL_KERN, KERN_RANDOM, RANDOM_UUID }.
How about use the pointer to one of Lua's symbols? If you care about
security, you'll have address space randomisation. If you don't have
address space randomisation, you clearly don't care about security :)
> Trying to use /dev random devices is broken for security conscious
> applications that have already called chroot().
Why? I suppose it means that anybody who broken into the chroot can
make /dev/random block, but is that much of an issue when you also have
/dev/urandom?
B.
