lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

 > The randomized seed is sufficient to protect against attacking a Lua-based
 > program by providing a fixed malicious input that reliably works across
 > runs. 

Shouldn't it be possible to provide a malicious input that consists of
strings of length 32 to 40 that differ only in characters that don't
contribute to the hash?  That would work reliably across runs?

I'm trying to understand what sort of attack is being defended
against.  So far the only attack I understand is an attack against the
performance of strings that are used by the implementation, like "__index".
The seed renders such an attack impossible.

Is there any other attack that's defended against here?