Re: Plan B for fixing 5.8.2 binary API

To: Jan Dubois <jand@ActiveState.com>
Cc: Perl 5 Porters <perl5-porters@perl.org>, debian-perl@lists.debian.org
Subject: Re: Plan B for fixing 5.8.2 binary API
From: Chip Salzenberg <chip@debian.org>
Date: Mon, 13 Oct 2003 16:01:49 -0400
Message-id: <[🔎] 20031013200149.GN22897@perlsupport.com>
In-reply-to: <[🔎] 6eulovcno0mhvbpmvucqjbmu5rejugdg6p@4ax.com>
References: <[🔎] 20031010024134.GE2004@perlsupport.com> <[🔎] 20031011092906.GV14030@plum.flirble.org> <[🔎] 20031013161232.GG22897@perlsupport.com> <[🔎] 20031013164524.GG89417@plum.flirble.org> <[🔎] 20031013185759.GM22897@perlsupport.com> <[🔎] 6eulovcno0mhvbpmvucqjbmu5rejugdg6p@4ax.com>

According to Jan Dubois:
> I think the security implications of hash seeding are totally blown
> out of proportion.

Possible.  But your comments don't persuade me.

> It only helps against one specific DoS attack.

One is enough.

> If security trumps everything else, then I wonder why we[*] don't bother
> to fix the known buffer overrun problems in Perl that result from ignoring
> integer overflow in New(), SvGROW() etc.  Examples for 32 bit machines:
> 
>     perl -e "q(xxxx) x 0x40000000"
>     perl -e "$a[0x40000000] = 1"

I'd never heard of this bug before.  IMO, that's something *else* that
has to get into 5.8.2.

Nevertheless, hash seeding is of high (if not higher) priority because
of the behavior we can reasonably expect from Perl programmers and the
expectations they can reasonably place on Perl.  Using an unchecked
input string as a hash key has *always* been safe in ways that using
an unchecked number as an array index clearly is not.  After all, no
matter what string you get, it's only *one* hash key; nothing will
blow up if you use it.  If you use a big number as an array index,
*kaboom*.  (Even if the overflow bug is fixed, you'll still get an
out-of-memory exception.)

In short, what makes the hash seeding so important is not the nature
of the hashing DOS, but the prevailing and justifiable expectation of
hash key safety.
-- 
Chip Salzenberg               - a.k.a. -               <chip@pobox.com>
"I wanted to play hopscotch with the impenetrable mystery of existence,
    but he stepped in a wormhole and had to go in early."  // MST3K

Reply to:

Follow-Ups:
- Re: Plan B for fixing 5.8.2 binary API
  - From: Jan Dubois <jand@ActiveState.com>

References:
- Hash seed breaks 5.8.1 binary API; fix suggested
  - From: Chip Salzenberg <chip@pobox.com>
- Re: Hash seed breaks 5.8.1 binary API; fix suggested
  - From: Nicholas Clark <nick@ccl4.org>
- Plan B for fixing 5.8.2 binary API
  - From: Chip Salzenberg <chip@debian.org>
- Re: Plan B for fixing 5.8.2 binary API
  - From: Nicholas Clark <nick@ccl4.org>
- Re: Plan B for fixing 5.8.2 binary API
  - From: Chip Salzenberg <chip@debian.org>
- Re: Plan B for fixing 5.8.2 binary API
  - From: Jan Dubois <jand@ActiveState.com>

Prev by Date: Re: Plan B for fixing 5.8.2 binary API
Next by Date: Re: Plan B for fixing 5.8.2 binary API
Previous by thread: Re: Plan B for fixing 5.8.2 binary API
Next by thread: Re: Plan B for fixing 5.8.2 binary API
Index(es):
- Date
- Thread