New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Algorimic Complexity Attack on Perl 5.6.1, 5.8.0 #6544
Comments
From scrosby@cs.rice.eduHello. We have analyzed this software to determine its vulnerability This paper discusses a new class of denial of service attacks that To be attackable, an application must have a deterministic or As part of this project, I have examined perl versions 5.6.1 and Depending on the application or script, this could be a critical DoS. The solution for these attacks on hash tables is to make the hash I highly advise using a universal hashing library, either our own or The abstract, paper, and a library implementing universal hashing is Scott |
From @jhiThanks for your extensive research on this. We have actually tinkered away I am by no means a cryptographer or a (discrete) mathematician, but before A quick googling (for "fast universal hashing") for example shows Krovetz' and As you point out, there are other ways to "DoS the language", either by constructing I am currently (fervently) hoping to get Perl 5.8.1 out soon(ish), and I don't know |
From scrosby@cs.rice.eduOn 17 Jun 2003 19:46:38 -0000, Jarkko Hietaniemi (via RT) <perlbug-followup@perl.org> writes:
No need at all. A full survey of universal hashing was beyond the
Actually, I did a quick retrofit of perl to use the UHASH library, and
Mergesort should be good.
I've yet to find/successfully design an exponential regular expression Would you happen to have any good references to perl's regexp engine
One thing to keep in mind is that someone else showed on perlmonks[1]
I do, but jenkin's with a random secret key is what is used by the If you think the above issue with CGI.pm is severe enough to warrant Scott [1] http://www.perlmonks.org/index.pl?node_id=262468 |
From @jhiAttached is a patch that will patch a current development version of Perl The neat effect is that now this: ./perl -le '@a="a".."z";@a{@a}=();print keys %a' gives a different result for each run. That _really_ should teach people If one needs to emulate the old behaviour, one can set the environment One can get a 5.8.1-to-be snapshot at least for a while as describd here: |
From @jhi |
From scrosby@cs.rice.eduOn 18 Jun 2003 21:11:49 -0000, Jarkko Hietaniemi (via RT) <perlbug-followup@perl.org> writes:
There's a typo at this line: +hash keys would cause Perl to consume large amounts of time because Other than that, the patch looks good. Scott |
From dwallach@cs.rice.eduAdding length restrictions to the CGI's input might cause problems for Validating that all the form elements are actually desired by the The correct answer, of course, is to fix the underlying hash function. Thanks, Dan |
From scrosby@cs.rice.eduOn Thu, 19 Jun 2003 17:05:19 +0200 (CEST), Tels <perl_dummy@bloodgate.com> writes:
The purpose of research is to generate and then disseminate
The catch is that a total input as low as 250kb is enough to DoS a
Perhaps. 10 KByte means at most a thousand or so attack inputs. Cost
This also works, but requires changing the API.
Probably yes, at least within the CGI script. However, if the Scott |
From @jhiSince the hash randomization is in for Perl 5.8.1, I'm marking the problem ticket as |
@jhi - Status changed from 'new' to 'resolved' |
Migrated from rt.perl.org#22371 (status was 'resolved')
Searchable as RT22371$
The text was updated successfully, but these errors were encountered: