From: Gerd Stolpmann <info@gerd-stolpmann.de>
To: Xavier Leroy <Xavier.Leroy@inria.fr>
Cc: caml-list@inria.fr
Subject: Re: [Caml-list] Hashtbl and security
Date: Sun, 01 Jan 2012 22:04:03 +0100 [thread overview]
Message-ID: <1325451843.5036.165.camel@samsung> (raw)
In-Reply-To: <4F0097E6.2090701@inria.fr>
Am Sonntag, den 01.01.2012, 18:29 +0100 schrieb Xavier Leroy:
> On 01/01/2012 01:52 PM, Richard W.M. Jones wrote:
> > On Fri, Dec 30, 2011 at 06:06:26PM +0100, Xavier Leroy wrote:
> >> Indeed. The optional "seed" parameter to Hashtbl.create does exactly
> >> this in the new implementation of Hashtbl (the one based on Murmur3).
> >
> > It may be worth noting that Perl solved this problem (back in 2003) by
> > unconditionally using a seed which is a global set to a random number
> > during interpreter initialization.
>
> That's how my initial reimplementation of Hashtbl worked, using the
> Random module to produce seeds, but I was told (correctly) that in
> security-sensitive applications it's better to leave the generation of
> random numbers under control of the programmer. For some applications
> Random.self_init might be good enough and for others stronger
> randomness is needed.
>
> Of course, you can trivially emulate Perl's behavior using the new
> Hashtbl implementation + the Random module.
I understand it very well that adding support for cryptographically
secure random numbers to core Ocaml is a challenge. There is no POSIX
API, and /dev/random is, although widely available, still non-standard.
And it is certainly true that there are various levels of security, and
for some purposes the programmer should be free to install even better
generators. Nevertheless, Ocaml is now widely used in environments where
a certain minimum of security is demanded, and I think Ocaml should
provide this minimum at least, and use it for things like an
automatically chosen seed for hash tables.
My argument is: Even providing a half solution is in this area better
than leaving the unwary programmer completely alone. Because in the
latter case, nothing will be done to address the problems, and apps
would be easier to attack.
What I could imagine is a module Sys.Security where all security
features are accessible and configurable, e.g.
val set_default_seed : int -> unit
val fill_randomly : [`Fast|`Safe] -> string -> unit
val set_fill_randomly : ([`Fast|`Safe] -> string -> unit) -> unit
The configure script could check what is available on the system. The
`Fast mode is guaranteed to always exist, and would essentially
be /dev/urandom if available and otherwise Random-based. The `Safe mode
would require /dev/random (or comparable), and fail otherwise. (See
Wikipedia http://en.wikipedia.org/wiki/dev/random for a list of OS, and
for weaknesses.)
The user can override the RNG if the defaults are not ok, or if exact
control is required.
Of course, one could criticize such an interface in various ways. For
example, it only allows a global security profile, and not different
profiles for different parts of the program. Also, the distinction
between a fast and a safe generator sounds a bit arbitrary. My response
is simply: this is the price for the broad effect, and IMHO this counts
more than having a more elaborated but also more difficult solution, or
lots of user-specific solutions (as we would have to find today).
Gerd
--
------------------------------------------------------------
Gerd Stolpmann, Darmstadt, Germany gerd@gerd-stolpmann.de
Creator of GODI and camlcity.org.
Contact details: http://www.camlcity.org/contact.html
Company homepage: http://www.gerd-stolpmann.de
------------------------------------------------------------
next prev parent reply other threads:[~2012-01-01 21:04 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-30 16:44 Gerd Stolpmann
2011-12-30 16:48 ` Yaron Minsky
2011-12-30 19:01 ` David Allsopp
2011-12-30 20:52 ` Yaron Minsky
2011-12-30 21:54 ` Gerd Stolpmann
2011-12-30 17:06 ` Xavier Leroy
2011-12-30 21:16 ` Gerd Stolpmann
2011-12-31 0:57 ` oliver
2011-12-31 0:59 ` oliver
2012-01-01 12:52 ` Richard W.M. Jones
2012-01-01 17:29 ` Xavier Leroy
2012-01-01 21:04 ` Gerd Stolpmann [this message]
2012-01-01 23:24 ` oliver
2012-01-01 23:58 ` Gerd Stolpmann
2012-01-02 1:43 ` oliver
2012-01-04 17:56 ` Damien Doligez
2012-01-04 21:52 ` oliver
2012-01-02 9:34 ` David MENTRE
2012-01-30 10:54 ` Goswin von Brederlow
2011-12-30 17:40 ` rixed
2011-12-30 17:52 ` Edgar Friendly
2011-12-31 1:02 ` oliver
2011-12-31 0:33 ` oliver
2012-01-02 0:21 ` Shawn Wagner
2012-01-02 14:52 ` Gerd Stolpmann
2012-01-30 10:51 ` Goswin von Brederlow
2012-01-31 14:16 ` Gerd Stolpmann
2012-02-08 9:41 ` Goswin von Brederlow
2012-02-08 10:43 ` Philippe Wang
2012-02-08 10:46 ` AUGER Cédric
2012-02-09 13:22 ` Goswin von Brederlow
2012-02-09 14:48 ` Gerd Stolpmann
2012-02-08 11:12 ` Gerd Stolpmann
2012-02-09 13:11 ` Goswin von Brederlow
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1325451843.5036.165.camel@samsung \
--to=info@gerd-stolpmann.de \
--cc=Xavier.Leroy@inria.fr \
--cc=caml-list@inria.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).