develooper Front page | perl.perl5.porters | Postings from October 2003

Perl 5.8.1, plan C, and algorithmic complexity attacks.

From: Scott A Crosby
Date: October 21, 2003 14:27
Subject: Perl 5.8.1, plan C, and algorithmic complexity attacks.
Message ID: oyd65iie0zg.fsf@bert.cs.rice.edu

Hello. I've been trying to keep up with perl and its fix for this
problem. Not knowing perl internals, I don't fully understand the
description of plan-C in context and as implemented. I'd like to be
sure it hasn't reintroduced a problem.

AFAIK, you switch from the past predictable hash function to a new
randomized one only when you detect that you're under attack. I have a
couple of concerns:

  1. How do you detect 'under attack', and is it possible to
  construct an attack while not triggering the rekey & rehash?

  2. When you rekey and rehash with a new random key, how do you avoid
  potentially rehashing endlessly? Is it possible to engage in a new
  attack by forcing endless rehashings instead of lots of collisions?

  3. Does this rehashing logic apply universally to all hash tables in
  the system? For instance, can mod_perl or other internal hash tables
  be built that accidentally avoid the detect-attack-and-rehash
  logic?

  4. Are you still using keyed Jenkins' for the hash function?

Scott
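
A toy model of the scheme the message asks about, added here as an example; it is not part of the original post and not Perl's implementation. It assumes detection by chain length, a cap of one rekey, and Bob Jenkins' one-at-a-time hash with the seed as its initial state; `RekeyingTable` and `same_bucket_keys` are hypothetical names, and the keys are constructed sample input.

```python
import secrets
MASK = 0xFFFFFFFF

def one_at_a_time(key, seed):
    """Bob Jenkins' one-at-a-time hash over bytes; the seed is the initial state."""
    h = seed
    for b in key:
        h = (h + b) & MASK
        h = (h + (h << 10)) & MASK
        h ^= h >> 6
    h = (h + (h << 3)) & MASK
    h ^= h >> 11
    return (h + (h << 15)) & MASK

class RekeyingTable:
    """Chained table: fixed seed at first, random seed once a chain grows too long."""
    def __init__(self, nbuckets=64, threshold=8, max_rekeys=1):
        self.seed = 0                    # predictable until an attack is suspected
        self.buckets = [[] for _ in range(nbuckets)]
        self.threshold = threshold       # assumed detection rule: chain length
        self.max_rekeys = max_rekeys     # cap, so rehashing cannot repeat forever
        self.rekeys = 0

    def _chain(self, key):
        return self.buckets[one_at_a_time(key, self.seed) % len(self.buckets)]

    def insert(self, key):
        chain = self._chain(key)
        if key not in chain:
            chain.append(key)
        if len(chain) > self.threshold and self.rekeys < self.max_rekeys:
            self._rekey()

    def _rekey(self):
        keys = [k for chain in self.buckets for k in chain]
        self.seed = secrets.randbelow(MASK) + 1   # random non-zero 32-bit seed
        self.buckets = [[] for _ in self.buckets]
        self.rekeys += 1
        for k in keys:                   # plain re-insert, never a nested rekey
            self._chain(k).append(k)

    def longest_chain(self):
        return max(len(c) for c in self.buckets)

def same_bucket_keys(n, nbuckets=64):
    """Constructed sample input: n keys that share bucket 0 under the fixed seed 0."""
    cands = (b"key%d" % i for i in range(10**6))
    hits = (k for k in cands if one_at_a_time(k, 0) % nbuckets == 0)
    return [next(hits) for _ in range(n)]
```

With the cap in place, input that still produces long chains after the rekey costs at most one full rehash; the trade-off is that this toy table does not react a second time.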
