On Tue, Oct 30, 2012 at 2:35 PM, Ed Avis <eda@waniasset.com> wrote:
> If the hash random seed isn't changed on forking, then conceivably a privileged
> daemon could fork off child processes which drop their privileges or run as a
> different user account. A core dump file from one of those children could be
> used to extract the random seed and attack the parent. But this probably isn't
> worth worrying about, since if you have the core dump you probably have all sorts
> of garbage data from the parent process, which is already an information leak at
> the least.

Regarding all these security considerations: Since the widely publicized attacks on pretty much every modern language that wasn't Perl a while back, Ruby, Java etc. all changed their hash implementations to do some variant of randomized hashing.

It's very likely that all the things being brought up here have been discussed by those camps and have been security audited, so finding out how they dealt with it would be very informative. I haven't done so, but it would make for very useful input for this discussion.