- Subject: Re: Real-World Impact of Hash DoS in Lua
- From: Rob Kendrick <rjek@...>
- Date: Thu, 26 Jan 2012 20:33:32 +0900
On Thu, Jan 26, 2012 at 11:29:18AM +0100, Florian Weimer wrote:
> * Roberto Ierusalimschy:
>
> >> OK. Cool. This is a showstopper for the company I am working with for
> >> rolling out embedded Lua with nginx. Is there anything I can do to help?
> >
> > what it is still missing now is how to create the initial per-state
> > random seed. Suggestions included some address and arc4random. I am
> > afraid that, for the backup ANSI implementation, we cannot do much
> > better than something like this:
> >
> > seed = (unsigned int)time() + (unsigned int)L;
>
> Addresses of a stack variable and a public Lua function should provide
> a few bits of randomness, too.
And perhaps one or two functions from the C library and maths library:
ASLR will mean these will be pleasingly distributed for another few
bits: even more so on 64-bit systems.
> Reading from /dev/urandom might be problematic because it drains entropy
> from the whole system.
Not to mention making non-Linux users sad.
B.
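The thread sketches a portable fallback seed built from `time()`, the address of the Lua state and a few other ASLR-distributed addresses (a stack variable, a function in the module, a C library function). The block below is an added illustration of that idea, written for this archive page; it is not Lua's own `luai_makeseed` nor code from anyone in the thread. The names `make_seed`, `mix_seed`, `mix_step` and `fold_ptr` are assumptions, and the `void *state` parameter stands in for a `lua_State *`. It is a fallback for the plain ANSI build only: it yields a few bits per address source, so where `arc4random` or an OS entropy device is available those should be preferred, as the thread itself notes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Fold a pointer into 32 bits without undefined behaviour on 32-bit targets
 * (a direct >> 32 would be UB when uintptr_t is only 32 bits wide). */
static unsigned int fold_ptr(uintptr_t p)
{
    return (unsigned int)p ^ (unsigned int)((p >> 16) >> 16);
}

/* One mixing step: xor in a new part, then scramble with a multiply and
 * a shift so bits from every part end up influencing the whole word. */
unsigned int mix_step(unsigned int h, unsigned int v)
{
    h ^= v;
    h *= 2654435761u;   /* Knuth's multiplicative hash constant */
    h ^= h >> 16;
    return h;
}

/* Deterministic combination of an array of 32-bit parts, starting from 0. */
unsigned int mix_seed(const unsigned int *parts, size_t n)
{
    unsigned int h = 0;
    for (size_t i = 0; i < n; i++)
        h = mix_step(h, parts[i]);
    return h;
}

/* Hypothetical fallback seed for one interpreter state (not Lua's code):
 * the thread's "time() + address of L" plus the extra address sources the
 * replies propose. `state` stands in for the lua_State pointer. */
unsigned int make_seed(void *state)
{
    int stack_var;
    unsigned int parts[5];
    parts[0] = (unsigned int)time(NULL);         /* wall clock              */
    parts[1] = fold_ptr((uintptr_t)state);       /* heap address of state   */
    parts[2] = fold_ptr((uintptr_t)&stack_var);  /* stack address           */
    parts[3] = fold_ptr((uintptr_t)&make_seed);  /* address in this module  */
    parts[4] = fold_ptr((uintptr_t)&strlen);     /* address in the C library */
    return mix_seed(parts, 5);
}
```

The mixing step is there because a plain sum or xor of addresses lets the low bits, which ASLR often leaves page-aligned and unchanged, dominate the result; multiplying and shifting spreads the randomised high bits across the word. Converting a function pointer to `uintptr_t` is implementation-defined but accepted by the common compilers.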