lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

On Wed, Mar 11, 2020 at 10:16 AM Norman Ramsey <> wrote:
 > > > What does this seed accomplish?  What problem does it solve?
 > >
 > > attackers may use the properties of a hash function to construct a denial
 > > of service attack.. by providing strings to your hash
 > > function that all hash to the same value destroying the performance of
 > > your hash table.
 > Exactly.


One followup question: is the hash algorithm not vulnerable to exactly
such an attack via strings of lengths between 32 and 40?
It appears that every such string is "short", and therefore interned,
but that the `step` size is 2, so only every other byte contributes to
the hash.  So important strings like "__newindex" are protected
(because the seed makes it impossible to predict what they hash to),
but the hash table in general is not.  Correct?


The randomized seed is sufficient to protect against attacking a Lua-based program by providing a fixed malicious input that reliably works across runs. It's not exactly a "vulnerability" to be able to deny service by flooding it with more data than it can reasonably process -- the randomization prevents a more efficient, offline attack.

/s/ adam