Re: what is the role of the `seed` field in the Lua global state?

[Philippe Verdy <verdyp@...>]

If there's something to add to the Lua core, it's not a "set seed"
function but a "feed entropy" function, where the Lua core will
implement a large internal buffer, will use a strong enough hashing
function and a way to monitor the available bits of entropy; then some
extensions can use that function to refill regularly entropy data from
any source that they could track (instruction counters, temperature
gauges, hardware caches, hardware interface delays, user events...).

This requires just a buffer for the current state, a second buffer for
filling additional data as they are fed, and a HMAC-like function to
combine the current state with new entropic data; then the current
block can be used to extract some entropy data as a seed each time a
new PRNG is instantiated (the PRNG itself can be written as we want,
it may sometimes refeed itself its own seed from the global state, but
there should be a security in the Lua core to limit the frequency
where these collected seeds fro mthe global state will "eat" the
global entropy data; that frequency may be controled by the frequency
and volume at which the global state is fed; such control is required
to avoid a user-controled thread to eat all the entropy data in an
attempt to break other PRNG used for security purpose, such as the
generation of unique ids for session cookies).

As the generation of uniqe ids for session cookies is a very common
need, it should be implemented in the related network protocol
handlers, notably in standard libraries for HTTP(S) which are used to
process user logon form data or used for user privacy reasons.

Beware of using weak PRNG with weak seeds ! Otherwise you could be
exposed to severe legal problems in your Lua-written web applications
(for lack of sufficient protection of user's privacy and security).
This is not a minor problem you can ignore (even if your unit tests
for your application are passing OK), given the huge (and increasing)
rate of third party attacks against weak sites by tons of automated
bots distributed worldwide.

Le mer. 25 mars 2020 à 11:48, Philippe Verdy <verdyp@gmail.com> a écrit :
>
> That's not the best solution. Only a temporary palliative that
> probably does not even solve any practical problem.
>
> Really there should be a non-global seed that can be set on separate
> generators. This global seed can only be used to instantiate a new
> generator (and then in Lua you can provide a better generator scheme:
> the current implementation is fast, but very poor, with insufficient
> insufficient for security as its hashing function is very easily
> attackable, too much predictable, and does not use enough bits for its
> internal state).
>
> And from which data will you use the lua_changeseed() ? You need
> access to some other entropy source if you intend to use it for
> security purposes; all that can be used with it is to build
> reproductible test cases with common sequences of numbers from the
> PRNG, from a known constant seed used for testing purpose only (e.g.
> coverage test units).
>
>
> Le mer. 25 mars 2020 à 11:38, 云风 Cloud Wu <cloudwu@gmail.com> a écrit :
> >
> > Coda Highland <chighland@gmail.com> 于2020年3月12日周四 下午11:58写道：
> > >
> > > If you're already patching the VM, it shouldn't be hard to just patch the seed assignment yourself.
> > >
> >
> > I found that we don't even have to patch the VM  :)
> >
> > https://gist.github.com/cloudwu/a094583029f15bb74fa6df194159d008
> >
> > I wrote a small function `lua_changeseed(lua_State *L, unsigned int
> > seed);`  to change the seed.
> >
> > --
> > http://blog.codingnow.com
> >