- Subject: Re: what is the role of the `seed` field in the Lua global state?
- From: Roberto Ierusalimschy <roberto@...>
- Date: Thu, 12 Mar 2020 10:16:44 -0300
> > The randomized seed is sufficient to protect against attacking a Lua-based
> > program by providing a fixed malicious input that reliably works across
> > runs.
> Shouldn't it be possible to provide a malicious input that consists of
> strings of length 32 to 40 that differ only in characters that don't
> contribute to the hash? That would work reliably across runs?
> I'm trying to understand what sort of attack is being defended
> against. So far the only attack I understand is an attack against the
> performance of strings that are used by the implementation, like "__index".
> The seed renders such an attack impossible.
> Is there any other attack that's defended against here?
The problem you mentioned is not restricted to strings between 32 and
40 bytes, because often those strings go as keys to a table (e.g.,
collecting key-value pairs in a request) and can create collisions in
that table. That said, we thought about this issue at the time and
concluded it would not be a problem, but I cannot recall why :-)
(Maybe the program should prevent long keys in such a table?)
Anyway, you are right that it would be safer to avoid these collisions
in the internal table, at least. (That is, all short strings should use
all bytes for their hash.)
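Added example, not code from this thread or from the Lua distribution: a small C model of the two hashing strategies the thread is about. `hash_sampled` reconstructs from memory the sampling rule of Lua 5.3's `luaS_hash` (step = (l >> LUAI_HASHLIMIT) + 1 with LUAI_HASHLIMIT = 5, walking from the last byte backwards), so the exact code is an assumption rather than a copy; `hash_all_bytes` is the "use all bytes" variant Roberto proposes. The two constructed keys differ only in byte 0, a position the sampled hash never reads for 32..40-byte strings, so they collide for every seed. That is the defensive point of the exchange: the random seed only defeats precomputed collisions when every byte feeds the hash.

```c
#include <stdio.h>
#include <string.h>

/* Assumed constant, as recalled from Lua 5.3's lstring.c (not copied from it). */
#define LUAI_HASHLIMIT 5
#define MAX_KEY 64

/* Bytes are sampled every (l >> LUAI_HASHLIMIT) + 1 positions, counted from the
 * end of the string; for 32..40-byte strings that is every second byte. */
static size_t sampling_step(size_t l) { return (l >> LUAI_HASHLIMIT) + 1; }

/* Model of the sampled short-string hash (assumption: reconstructed from memory). */
static unsigned int hash_sampled(const char *str, size_t l, unsigned int seed) {
    unsigned int h = seed ^ (unsigned int)l;
    size_t step = sampling_step(l);
    for (; l >= step; l -= step)
        h ^= ((h << 5) + (h >> 2) + (unsigned char)str[l - 1]);
    return h;
}

/* Hardened variant: identical mixing, but every byte participates. */
static unsigned int hash_all_bytes(const char *str, size_t l, unsigned int seed) {
    unsigned int h = seed ^ (unsigned int)l;
    for (; l > 0; l--)
        h ^= ((h << 5) + (h >> 2) + (unsigned char)str[l - 1]);
    return h;
}

/* Constructed test keys: len bytes of 'X', differing only in byte 0. */
static void build_key_pair(char a[MAX_KEY + 1], char b[MAX_KEY + 1], size_t len) {
    memset(a, 'X', len);
    a[len] = '\0';
    memcpy(b, a, len + 1);
    a[0] = 'a';
    b[0] = 'b';
}

/* 1 if the two keys of the given length collide under the sampled hash. */
static int collides_sampled(size_t len, unsigned int seed) {
    char a[MAX_KEY + 1], b[MAX_KEY + 1];
    build_key_pair(a, b, len);
    return hash_sampled(a, len, seed) == hash_sampled(b, len, seed);
}

/* 1 if the two keys collide under the all-bytes hash (never, for these keys). */
static int collides_all_bytes(size_t len, unsigned int seed) {
    char a[MAX_KEY + 1], b[MAX_KEY + 1];
    build_key_pair(a, b, len);
    return hash_all_bytes(a, len, seed) == hash_all_bytes(b, len, seed);
}

int main(void) {
    const unsigned int seeds[] = {0u, 0x9e3779b9u, 0xdeadbeefu};
    const size_t lens[] = {31, 32, 40};
    for (size_t s = 0; s < 3; s++)
        for (size_t i = 0; i < 3; i++)
            printf("seed 0x%08x len %2zu: sampled collides=%d, all-bytes collides=%d\n",
                   seeds[s], lens[i],
                   collides_sampled(lens[i], seeds[s]),
                   collides_all_bytes(lens[i], seeds[s]));
    return 0;
}
```

Build with `cc -std=c99 -Wall hashdemo.c` (file name assumed). The 31-byte case uses step 1, so the sampled hash reads every byte and the two keys do not collide; at 32 and 40 bytes the step becomes 2 and the collision appears for all three seeds, while the all-bytes variant separates the keys regardless of length. Someone auditing a specific Lua build can run the same check against the real `luaS_hash` by linking the library instead of the model.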