lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


It was thus said that the Great Martin once stated:
> On 02/18/2017 09:29 AM, Francisco Olarte wrote:
> > Maybe I could be convinced
> > by a better example.
> 
> Thank you for analysis and reply!
> 
> Let's try more "real" example.
> 
> Suppose we're implementing CRC calculation algorithm with predefined
> polynomial (0xEDB88320). By trading space for time calculation may be
> sped up by using precalculated values for any given byte of input
> (256 values), or two bytes of input (65536 values) and so forth.

  First off, I would measure the time difference between a 256 entry table
and a 65536 entry table.  At work, we use this CRC (I think that's the
polynomial used---the code was writeen some seven years ago and hasn't been
touched since) with 256 precalculated values and never had an issue with
respect to performance [1].

> Say I do not wish to store 65536 elements table in same source
> file with calculating function (which is near dozen lines). And
> also I do not wish to calculate this table at load time (as it
> is constant and may be precalculated and saved as separate file
> by stand-alone code). Moreover, it can be saved as lua code
> "return {<crc-values>}".
> 
> So in CRC calculation routine I just wish to say something like
> "local crc_table = require('CRC_2bytes_EDB88320')" and then start
> xor-ing input with it.
> 
> Yes, I may nullify "package.loaded" record for that module after
> work but it seems like struggling with consequences, not eliminating
> reason.

  So ... you do a one time calculation (or few) and that's it?  Once?  No
more during the lifetime of the program?  Seems like an odd case (or another
weak example).  Because if that's the case, then I would do something like:

	local get_crc = require "get_crc"

	local crc_table = get_crc("CRC_2bytes_CRC_2bytes_EDB88320")

  And get_crc() will load up the precalucated table (say, with loadfile())
and return it.  So you could, for example, later on do:

	local crc_table = get_crc("CRC_2bytes_CRC_2bytes_12345678")
	-- not sure if that's a good CRC or not, it's just an example

  Here, let me try for a better argument---I want to use a single function
out of some larger package (say, on the size of PenLight [2]).  I like the
idea of using a tested and maintained function, but *not* of having to load
a ton of unused functions.  This not only wastes memory needlessly, but also
leaves a larger attack surface for potential exploits [3].  Weakly loading
the larger module means that all the unused portions of the large package
will go away, saving memory and reducing the attack surface of the program.

  -spc

[1]	Our code is in the call path for one of the Monopolistic Phone
	Companies here in the US.  The protocols used for the backend use
	this CRC code.  

[2]	But PenLight allows you to load smaller subsets of itself.

[3]	How?  I don't know, but those crackers are nothing if persistent.
	Non-executable stacks?  Okay, we'll use ROP.  Oh, randomize all
	function addresses?  We can work around that too (in JavaScript no
	less [4]).

[4]	https://www.vusec.net/projects/anc/