Defensive programming

John Roth johnroth at ameritech.net
Sun Jun 1 12:12:26 EDT 2003


"Paul Rubin" <http://phr.cx@NOSPAM.invalid> wrote in message
news:7xptlxq2yz.fsf at ruckus.brouhaha.com...
> Jack Diederich <jack at performancedrivers.com> writes:
> > The author brought this up on python-dev and the 'bots did indeed
> > dissect the arguments.  The verdict was that it is interesting but not a
> > problem (or at least a solvable problem) in practice.  Specific problems are
> > best solved at specific layers, and DoS attacks that eat CPU are best solved
> > at the operating system level.
>
> I think there's something to be said for using collision resistant
> hashes whenever any kind of hash is needed.  Why fall back on the OS
> to get you out of trouble, when you can avoid getting in trouble in
> the first place?  I haven't read the papers yet though.

It was pretty interesting, and not at all a hard read: they used Perl as
one of the bad cases. Python is certainly subject to the same kind of
attack, but it's pretty easy to encapsulate whatever you want to put into a
dict in an object and use your own hash function, with parameters
that are initialized periodically. See the paper for some of the
reasoning for how to exploit this if you don't have access to the source.

John Roth
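
The approach described in the reply above, as an added example that is not part of the original post: dict keys are wrapped in an object whose hash is a keyed digest under a secret key, and the table is rebuilt under a fresh key to re-initialize that parameter. `KeyedHasher`, `HashedKey` and `rekey` are hypothetical names, and keyed BLAKE2 is this example's choice of hash function, not one named in the thread.

```python
import hashlib
import secrets


class KeyedHasher:
    """Holds the secret hash parameter for one generation of a table."""

    def __init__(self):
        # Fresh random key; clients who supply the strings never see it.
        self.key = secrets.token_bytes(16)

    def wrap(self, text):
        return HashedKey(text, self)


class HashedKey:
    """Wraps a string so its dict slot depends on the secret key."""

    __slots__ = ("text", "_hasher", "_hash")

    def __init__(self, text, hasher):
        self.text = text
        self._hasher = hasher
        # Keyed BLAKE2b: without the key, colliding inputs cannot be precomputed.
        digest = hashlib.blake2b(text.encode("utf-8"), key=hasher.key,
                                 digest_size=8).digest()
        self._hash = int.from_bytes(digest, "big")

    def __hash__(self):
        return self._hash

    def __eq__(self, other):
        # Keys from different generations never compare equal.
        return (isinstance(other, HashedKey)
                and self._hasher is other._hasher
                and self.text == other.text)


def rekey(table):
    """Rebuild a table under a new secret key (the periodic re-initialization)."""
    hasher = KeyedHasher()
    return hasher, {hasher.wrap(k.text): v for k, v in table.items()}
```

Every lookup must wrap the incoming string with the current `KeyedHasher`, so the hasher and the table it produced are kept together.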





