lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Hi, folks. Some time ago Lua (5.2+) hash tables started using a
semi-random hash seed; this was a measure introduced to mitigate
DoS attacks based on hash collisions. Currently both Lua 5.3.2
and 5.2.4 compute this seed from a 'time(NULL)' call combined
with addresses of various functions and variables (in hope that
ASLR will randomize those).

The problem for me is that FreeBSD has no ASLR at the moment,
and the hash seed only changes as often as 'time(NULL)': once
per second. This makes it hard, for example, to run microbenchmarks:
performance of some code pieces jumps once per second, so to
average that out I'm forced to wait minutes.

Basically what I would like to see is a better randomness source
than 'time(NULL)'. Now, there where discussions [1] about using
'arc4random()' for this task (if the system supports that), and
it seems that source code is structured to allow for this, i.e.
see 'src/lstate.c':

    ** a macro to help the creation of a unique random seed when a state is
    ** created; the seed is used to randomize hashes.
    #if !defined(luai_makeseed)
    #include <time.h>
    #define luai_makeseed()         cast(unsigned int, time(NULL))

So, the first question I have is: do you folks plan to use a
kernel-provided randomness source like 'arc4random()' (under
*BSD) or 'getrandom()' (under Linux)?

The second question is: would you approve if FreeBSD package of
Lua was to patch 'luai_makeseed' into 'arc4random()'? I'm asking
this because I've been using such a patch locally for a while,
but FreeBSD Lua maintainers would like your approval before
adding it to the ports collection.