Newsgroups: php.internals
Subject: Re: HashDos protection
From: Nikita Popov <nikita.ppv@gmail.com>
To: Pascal KISSIAN
Cc: PHP internals
Date: Sat, 28 Nov 2015 11:34:31 +0100

On Sat, Nov 28, 2015 at 2:00 AM, Pascal KISSIAN wrote:
> -----Original Message-----
> From: Nikita Popov [mailto:nikita.ppv@gmail.com]
> Sent: Thursday, 26 November 2015 18:25
> To: PHP internals; Anatol Belski; Remi Collet
> Subject: HashDos protection
>
> > Hi internals!
> > This mail turned out to be rather long, so I'll start with a TL;DR:
> >
> > To fix the HashDos vulnerability for *all* cases (rather than just GET/POST parsing), I propose to introduce collision counting during hashtable insertion operations. This will throw a fatal error if the number of collisions during an insertion operation exceeds a certain threshold.
> >
> > In PHP 5.3.9 a partial fix for the HashDos vulnerability was introduced in the form of max_input_vars.
>
> Hi everybody...
> I am very new to this mailing list, and I do not know if my thinking about this problem is good, but in my opinion this kind of attack is based on the fact that the hacker knows in advance how to compute the hash value in order to generate collisions.
>
> If a random salt was added in the _zend_array struct (at a cost of the salt size, 4 bytes?, for each hash table),
> then if the hash computation takes that salt into account (add an ht parameter to each function that calculates the hash),
> it would be impossible to predict the hash of a value,
> so impossible to perform such kind of attack...
>
> What do you think about that?
>
> Perhaps if you do not want to increase the size of the _zend_array struct, a random salt initialized at the init of a PHP program (the same for all hash tables, that changes at each run) could be enough!

This is what variant 2 (Switch hashtables to a keyed cryptographic hash like SipHash) describes, using a global per-pool key.

Nikita
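As an added illustration of the collision-counting guard in Nikita's proposal (not code from the PHP source or from either poster): a toy chained hash table whose insert refuses a key once the target chain already holds more than an assumed threshold of 8 colliding entries. The byte-sum hash and the anagram keys are constructed so that the collisions are easy to provoke; a real table would use a keyed hash (variant 2 in the thread) on top of such a guard.

```c
#include <stdlib.h>
#include <string.h>
#define NBUCKETS 64
#define MAX_COLLISIONS 8  /* assumed threshold for this toy; not PHP's value */

typedef struct entry { char *key; int value; struct entry *next; } entry;
typedef struct { entry *buckets[NBUCKETS]; } table;

/* Deliberately weak, unkeyed toy hash (sum of bytes): anagrams collide. */
static unsigned toy_hash(const char *key) {
    unsigned h = 0;
    while (*key) h += (unsigned char)*key++;
    return h;
}

/* Insert with collision counting. Returns 1 if inserted, 0 if an existing key
 * was updated, -1 if the chain already exceeds MAX_COLLISIONS (fatal error). */
int table_insert(table *t, const char *key, int value) {
    unsigned idx = toy_hash(key) % NBUCKETS;
    int collisions = 0;
    for (entry *e = t->buckets[idx]; e; e = e->next) {
        if (strcmp(e->key, key) == 0) { e->value = value; return 0; }
        if (++collisions > MAX_COLLISIONS) return -1;
    }
    entry *e = malloc(sizeof *e);
    char *copy = e ? malloc(strlen(key) + 1) : NULL;
    if (!copy) { free(e); return -1; }
    strcpy(copy, key);
    e->key = copy; e->value = value; e->next = t->buckets[idx];
    t->buckets[idx] = e;
    return 1;
}

void table_free(table *t) {
    for (int i = 0; i < NBUCKETS; i++)
        for (entry *e = t->buckets[i], *n; e; e = n) { n = e->next; free(e->key); free(e); }
}

/* Constructed worst case: ten anagrams of "abcd" all land in one bucket.
 * Returns how many were accepted before the guard rejected the next one. */
int accepted_before_guard(void) {
    static const char *keys[] = { "abcd","abdc","acbd","acdb","adbc",
                                  "adcb","bacd","badc","bcad","bcda" };
    table t = {{0}};
    int n = 0;
    while (n < 10 && table_insert(&t, keys[n], n) > 0) n++;
    table_free(&t);
    return n;   /* 9: the tenth insert would pass nine colliding entries */
}
```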