Even then, most of my networked processes don't keep user-supplied arbitrary strings long enough to let them accumulate. Almost the only exception to this is HTTP processing, and then I always put nginx in front of it. This hypothetical attack is just another reason to do that.
Calling hash collision attacks "hypothetical" is not doing anyone any favours at this point. As Xavier has shown it's very easy to generate colliding strings. It's also quite clear from running his code [and our own tests] that results can be pretty disastrous.
Keep in mind that now the cat's out of the proverbial bag, any amateur coder can write the tiny script necessary to try and wreak havoc on servers where Lua software does the processing. No botnet required anymore, period.
Anyone for whom attacks on their systems are "hypothetical" should go thank their lucky stars. Unfortunately, our servers are under attack at pretty much *all* times. These attacks are automated and come in *many* guises.
Perhaps scanning for hash collision weaknesses is not yet part of the better-known hack tools. But I'm afraid that it's merely a matter of time before this will be remedied.
Also, some people seem to feel that the issue only [...] comes up with user-facing systems and that simply screening HTTP headers or POSTed form values will divert disaster. Unfortunately, that's definitely not the case either...
As an example, consider a collection of back-end machines that use web services to orchestrate operations. These machines typically operate by exchanging copious amounts of data in XML format.
Now, what do you think will happen if a web service naively uses a Lua-driven parser to read and process this XML? How do you think putting anything in front of said web service will mitigate the issue?
but simply devolving to the far slower and memory hungry hashtables of other languages is not a good strategy.
I suggested no such thing. I mentioned examples of scripting languages that are trying to deal with the issue. I'm certain none of the teams behind these languages are jumping for joy that they've been forced to do so. But they do so nonetheless.
Alas, unlike these languages, hash tables are very integral to Lua...[!]
Ashwin.