- Subject: Re: Real-World Impact of Hash DoS in Lua
- From: Rob Kendrick <rjek@...>
- Date: Fri, 27 Jan 2012 01:02:29 +0000
On Thu, Jan 26, 2012 at 11:58:51AM -0500, Sean Conner wrote:
> It was thus said that the Great Paul Hudson once stated:
> > On 26 January 2012 16:10, Sean Conner <sean@conman.org> wrote:
> >
> > > -spc (So it's not exactly *Linux only*)
> >
> > But it is a small subset of the things Lua does or could run on. And since
> > we're talking about a core feature of Lua, platform/OS dependencies are to
> > be avoided (IMO) if a portable solution can be found.
>
> And I was replying to Roberto, who asked:
>
> > We can have better implementations for particular system. For instance, we
> > can use arc4random if present, but how to detect it? Are there any other
> > suggestions?
>
> C89 is pretty restrictive in this (seeding a random number generator)
> regard. You really can't even rely upon time() since a C89 implementation
> has to only give "its best approximation of the time" which could be 0 (I
> don't have my references handy at the moment, but once I get home I can cite
> the appropriate documentation).
Is anybody actually concerned about a system lacking a decent
implementation of time() being DoSed? In any case, combining it with
pointers of symbols, stacks, the state pointer, etc, should get you a
long way towards something that changes enough to make it more of a
challenge to exploit, as well as being portable.
Unless you're running on a microcontroller or some similar constrained
system, where there are much much easier ways of DoSing them due to low
performance and RAM.
B.
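One way to build such a seed in C89 from the sources Rob lists (time(), a stack address, a function address and the state pointer), as an added example that is not code from Lua or from anyone in this thread. The names mix_bytes and make_seed are hypothetical; each value is folded into a 32-bit FNV-1a hash by its object representation, so no non-standard conversions are needed.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

#define FNV_OFFSET 2166136261ul
#define FNV_PRIME  16777619ul

/* Fold a run of bytes into a 32-bit FNV-1a hash. The mask keeps the
   result identical on platforms where unsigned long is wider than 32 bits.
   Hypothetical helper written for this example. */
unsigned long mix_bytes(unsigned long h, const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *)p;
    size_t i;
    for (i = 0; i < n; i++) {
        h = ((h ^ b[i]) * FNV_PRIME) & 0xFFFFFFFFul;
    }
    return h;
}

/* Build a per-process hash seed from the sources the mail suggests:
   time() (which a poor C89 libc may report as 0, so it is only one
   ingredient), the address of a stack variable, the address of this
   function, and the interpreter state pointer passed in by the caller.
   Each value is hashed as the bytes of its own representation, which
   stays within C89 and avoids casting function pointers to void *. */
unsigned long make_seed(const void *state)
{
    unsigned long h = FNV_OFFSET;
    time_t now = time(NULL);
    const void *stack_addr = (const void *)&now;
    unsigned long (*fn_addr)(const void *) = make_seed;

    h = mix_bytes(h, &now, sizeof now);               /* wall clock, if any */
    h = mix_bytes(h, &stack_addr, sizeof stack_addr); /* stack placement */
    h = mix_bytes(h, &fn_addr, sizeof fn_addr);       /* code placement */
    h = mix_bytes(h, &state, sizeof state);           /* heap placement */
    return h;
}
```

The value is only as unpredictable as its inputs: on a system with no address-space randomisation and a time() that returns a constant, every run produces the same seed. That is consistent with the point in the mail: the mix raises the cost of constructing colliding keys on ordinary hosts without depending on any OS-specific source, but it is not a substitute for a real entropy source where one is available.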