- Subject: Re: what is the role of the `seed` field in the Lua global state?
- From: Norman Ramsey <nr@...>
- Date: Wed, 11 Mar 2020 14:11:57 -0400

> The randomized seed is sufficient to protect against attacking a Lua-based
> program by providing a fixed malicious input that reliably works across

Shouldn't it be possible to provide a malicious input that consists of
strings of length 32 to 40 that differ only in characters that don't
contribute to the hash? That would work reliably across runs?

I'm trying to understand what sort of attack is being defended
against. So far the only attack I understand is an attack against the
performance of strings that are used by the implementation, like "__index".
The seed renders such an attack impossible.

Is there any other attack that's defended against here?