develooper Front page | perl.perl5.porters | Postings from December 2011

Re: perl's hash randomization in the news

Thread Previous | Thread Next
Reini Urban
December 30, 2011 10:55
Re: perl's hash randomization in the news
Message ID:
Am 29.12.2011 um 16:25 schrieb Greg Lindahl:

> The researchers concluded that the best way of avoiding the problem is
> to use randomised hash functions such as those used in Perl, which
> were included after a security conference paper on the technique was
> published in 2003PDF. CRuby 1.9 has used a similar randomisation
> technique since 2008.

The nodejs folks are trying to force V8 to use randomized hashes right now, 
because it can be easily exploited. So far Google declined to change that.
perl was also an argument there. Should the fix be in the language or in the framework 
is the question.!topic/nodejs/007S7DUm21o
Technical explaination 0m-19m or so, part about nodejs at 40m or so.

Basically, because v8 uses weak hashes for objects, you can fill up
one slot of the hashtable with many entries, e.g. using a POST
containing a querystring with many keys with the same hash. Operating
on those keys (inserting and reading) then becomes slow as hell which
allows you to bring a nodejs server to 100% CPU usage for a long time
(blocking the event loop completely) with one moderately large POST
request. This is bad.

Those guys say they told Google October 18th, they got through to the
v8 guys in November, and they said they don't care sooo much about DoS
attacks on v8 because they're mainly interested in browserside stuff.

This is bad for us.
Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About