- Subject: Re: Hash Table Collisions (n.runs-SA-2011.004)
- From: Eike Decker <zet23t@...>
- Date: Fri, 30 Dec 2011 01:01:11 +0100
2011/12/29 Gé Weijers <firstname.lastname@example.org>:
>> How about all those (online)games that somehow use Lua in their game?
> Unless you can feed a *lot* of strings into the Lua game engine there should
> not be any issue.
Never underestimate the power of n^2. Really.
However, online games are often more rigid in their protocols and you
might not be able to make requests that autofill tables with large
amounts of keys.
Chat services could, however, be vulnerable: strings are interned
automatically in Lua - meaning they are stored in a hash table, if I am not
mistaken. Now if I send messages over a chat protocol, knowing that
messages are kept in memory for some time, I could "attack" the string
intern table by writing one message at a time containing the
hash-colliding strings. That could indeed be troublesome.
Randomizing how the hashing works would be needed to prevent that from
happening. If the randomization isn't random enough, however, an
attacker could test various strings and measure load times, trying
to estimate if he has hit a "nerve".
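
The two points raised in this message (collision chains costing n^2 work, and a seed that does not randomize enough) can be seen in a small model. This is an added example, not part of the original post and not Lua's code: the chained intern table, the functions `hash_sum`, `hash_mix`, `make_key` and `intern_cost`, the constructed keys and the fixed seed `0x5eed` are all assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NBUCKETS 1024u
#define NKEYS 512u
typedef uint32_t (*hash_fn)(const char *s, uint32_t seed);

/* Weak: seed + byte sum. The seed shifts all keys equally, so collisions survive any seed. */
static uint32_t hash_sum(const char *s, uint32_t seed) {
    uint32_t h = seed;
    while (*s) h += (unsigned char)*s++;
    return h;
}

/* Toy seeded hash (FNV-1a constants, not Lua's function): the seed feeds every multiply. */
static uint32_t hash_mix(const char *s, uint32_t seed) {
    uint32_t h = 2166136261u ^ seed;
    while (*s) h = (h ^ (unsigned char)*s++) * 16777619u;
    return h ^ (h >> 16);
}

/* Constructed keys: hex digit d of i becomes ('a'+d, 'p'-d); distinct keys, equal byte sum. */
static void make_key(unsigned i, char out[7]) {
    for (int k = 0; k < 3; k++, i >>= 4) {
        out[2 * k] = (char)('a' + (i & 15));
        out[2 * k + 1] = (char)('p' - (i & 15));
    }
    out[6] = '\0';
}

/* Intern NKEYS keys in a chained table; return the number of string comparisons made. */
unsigned long intern_cost(hash_fn hash, uint32_t seed) {
    static char keys[NKEYS][7];
    static int head[NBUCKETS], next[NKEYS];
    unsigned long cmps = 0;
    memset(head, -1, sizeof head);              /* -1 marks an empty bucket */
    for (unsigned i = 0; i < NKEYS; i++) {
        make_key(i, keys[i]);
        uint32_t b = hash(keys[i], seed) % NBUCKETS;
        int j = head[b];
        for (; j >= 0; j = next[j]) { cmps++; if (strcmp(keys[j], keys[i]) == 0) break; }
        if (j < 0) { next[i] = head[b]; head[b] = (int)i; }   /* new string: link it in */
    }
    return cmps;
}

int main(void) {
    printf("sum/seed 0: %lu  sum/seed 0x5eed: %lu  mix/seed 0x5eed: %lu\n",
           intern_cost(hash_sum, 0), intern_cost(hash_sum, 0x5eed), intern_cost(hash_mix, 0x5eed));
}
```

With `hash_sum` every key lands in one bucket whatever the seed, so the comparison count is n(n-1)/2; with `hash_mix` the same keys spread across buckets and the count stays small.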